In a blog post dated February 16, 2022, ZeroFox Intelligence detailed Kraken, a new botnet targeting Windows that we discovered in October 2021. The botnet is still undergoing active development, experimenting with new features, and attempting to find a brand for itself. After our publication, ZeroFox learned that the botnet has undergone a rebranding to more closely align with its administration dashboard. Sometime between January 4, 2022, and January 7, 2022, the operator(s) began using the names “Anubis” and “Pepega” for the project internally.
- Ensure antivirus and intrusion detection software is up to date with all patches and rule sets.
- Enable two-factor authentication for all organizational accounts to help mitigate phishing and credential stuffing attacks.
- Maintain regularly scheduled backup routines, including off-site storage and integrity checks.
- Avoid opening unsolicited attachments and never click suspicious links.
- Log and monitor all administrative actions as much as possible. Alert on any suspicious activity.
- Review network logs for potential signs of compromise and data egress.
ZeroFox Intelligence has been following the development of this previously unknown botnet since October 2021. Originally named “Kraken,” builds discovered between January 4, 2022, and January 7, 2022, reveal that the internal name has changed.
As seen in Figure 1, the Golang project path has changed from “C:\Users\666\Desktop\Bobabubs\kraken_2022” to “\root\anubis”, which more closely aligns with the dashboard after it received its own rebrand. The source code also appears to have been merged into one main file with most of the function names being obfuscated, as opposed to the previously separated but clear functionality. Another notable change made is to the main source file. The name “pepega” may be in reference to a Twitch emote of the same name, which is itself a variation of the meme “Pepe the Frog.”
Anubis Dashboard No Longer Available
Shortly after our publication, ZeroFox Intelligence also observed that the Anubis dashboard is no longer available. Attempting to view the dashboard now results in a “404 page not found” message being displayed.
New Exfiltration Targets
In addition to the previously-added cryptocurrency wallets, Anubis now appears to be targeting specific Chromium-based browsers. Builds obtained by ZeroFox Intelligence from February 17, 2022, onwards have added the following paths targeting the Brave, Google Chrome, and Microsoft Edge browsers:
- \AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies
- \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
- \AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Until recently, Anubis relied entirely on secondary payloads such as Redline to steal data from victims. If this trend of feature additions continues, Anubis may become capable of doing the job itself, ending its reliance on third-party infostealers.
The additional capability to target a victim’s browser data seems limited to just cookie data currently. Whether Anubis decides to collect more data (such as saved credentials and browser history) or even target more browsers based on the Chromium source currently remains to be seen. Though the pace of Anubis’ development has slowed down since its initial discovery, the various changes its operator(s) are making indicate they are still deciding what the future of this botnet holds. ZeroFox will continue to monitor this emerging botnet as it evolves.
|T1027.002||Obfuscated Files or Information: Software Packing|
|T1033||System Owner/User Discovery|
|T1047||Windows Management Instrumentation|
|T1059.001||Command and Scripting Interpreter: PowerShell|
|T1059.003||Command and Scripting Interpreter: Windows Command Shell|
|T1082||System Information Discovery|
|T1132.001||Data Encoding: Standard Encoding|
|T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|