Cerberus Android Banking Trojan

According to cybersecurity provider Cyble, a new sophisticated malicious campaign is using an undetected Cerberus Android banking Trojan payload. In a new report published on 14 October 2024, Cyble Research and Intelligence Labs (CRIL, https://cyble.com) identified 15 malicious samples posing as Chrome and Play Store apps from mid-September through the end of October. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus banking Trojan.

The campaign, dubbed ErrorFather, is ongoing and appears to have ramped up in September and October 2024, suggesting the threat actor is looking to scale and target specific victims. Cerberus is an Android banking trojan that appeared on underground marketplaces in 2019. It is designed to look like a legitimate app but is a malicious program that can steal login credentials for banking apps, credit card details, and other personal information.[1]

Researchers noted that the trojan’s ability to target financial and social media apps by abusing the Android Accessibility service, using overlay attacks, and incorporating virtual network computing (VNC) and keylogging features made it one of the most well-known banking Trojans.

  • In 2020, following the leak of Cerberus’ source code, a new variant called ‘Alien’ appeared, leveraging Cerberus’ codebase.
  • In 2021, another banking trojan called ‘ERMAC,’ also building on Cerberus’ code, was observed targeting over 450 financial and social media apps.
  • In early 2024, a new threat known as the Phoenix Android Banking Trojan was discovered.

Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. It was identified as yet another version of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications.

The ErrorFather campaign is another example of Cerberus being repurposed, according to researchers. While the threat actor behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware. ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts. The campaign utilizes a Telegram bot named ‘ErrorFather’ to communicate with the malware.

The final payload employs keylogging, overlay attacks, VNC, and a domain generation algorithm (DGA) to perform malicious activities. The DGA, also used in a 2022 Alien campaign, ensures resilience by enabling dynamic command and control (C2) server updates, keeping the malware operational even if primary servers are taken down. “Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks,” noted the researchers. The C2 server used for deploying ErrorFather is still active, suggesting the campaign is ongoing.
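The DGA behaviour described above leaves a footprint defenders can look for without knowing the algorithm itself: an infected client that is cycling through generated candidate names produces a burst of lookups for long, high-entropy, vowel-poor domains that mostly fail to resolve (NXDOMAIN). The following Python is an added illustration of that detection idea run over a constructed DNS query log. It is not code from Cyble or Red Sky Alliance, it does not reproduce the Cerberus/ErrorFather DGA (which the report does not describe), and the log format, host names, domains and scoring thresholds are all assumptions made for the example.

```python
import math
import re

# Constructed sample DNS query log (illustrative only; not from the Cyble report
# or any real infection). Format is an assumption: "<ts> host=<id> qname=<name> rcode=<code>".
SAMPLE_DNS_LOG = """\
2024-10-15T09:12:01Z host=android-7f3a qname=play.google.com rcode=NOERROR
2024-10-15T09:12:04Z host=android-7f3a qname=xkqzvbtrpldmwn.xyz rcode=NXDOMAIN
2024-10-15T09:12:05Z host=android-7f3a qname=pqwlrtzmvkbdxh.top rcode=NXDOMAIN
2024-10-15T09:12:06Z host=android-7f3a qname=zmtbvqkxplwrdn.xyz rcode=NXDOMAIN
2024-10-15T09:12:09Z host=android-7f3a qname=api.telegram.org rcode=NOERROR
2024-10-15T09:13:10Z host=android-2b91 qname=www.wikipedia.org rcode=NOERROR
2024-10-15T09:13:12Z host=android-2b91 qname=cdn.example.net rcode=NXDOMAIN
"""

LOG_LINE = re.compile(r"host=(?P<host>\S+)\s+qname=(?P<qname>\S+)\s+rcode=(?P<rcode>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain):
    """Second-level label of a dotted name ('play.google.com' -> 'google').
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """Heuristic score 0..3: one point each for high entropy, a long label, and few vowels.
    The thresholds are assumptions tuned for this example, not values from the report."""
    label = registrable_label(domain)
    score = 0
    if shannon_entropy(label) >= 3.0:
        score += 1
    if len(label) >= 12:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    return score


def parse_dns_log(text):
    """Yield (host, qname, rcode) for every line matching the constructed log format."""
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            yield m.group("host"), m.group("qname"), m.group("rcode")


def suspicious_hosts(log_text, min_hits=3, min_score=2):
    """Map host -> list of DGA-like names that failed to resolve (NXDOMAIN).
    A run of unresolved algorithmic-looking names is the typical footprint of a
    client probing DGA candidates for a live C2; hosts with fewer than min_hits
    such lookups are dropped to keep ordinary typos and dead CDNs out of the alert."""
    hits = {}
    for host, qname, rcode in parse_dns_log(log_text):
        if rcode == "NXDOMAIN" and dga_score(qname) >= min_score:
            hits.setdefault(host, []).append(qname)
    return {host: names for host, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for host, names in suspicious_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(names)} unresolved DGA-like lookups, e.g. {names[0]}")
```

On the constructed log only android-7f3a is reported: its three unresolved 14-character names each score 3, while the ordinary names (google, telegram, wikipedia, example) score 0, so the single NXDOMAIN from android-2b91 never counts. In production the same logic would be fed from resolver logs and tuned against a baseline of the organisation's normal NXDOMAIN rate, since a legitimate CDN or typo can also produce odd-looking failed lookups.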

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.infosecurity-magazine.com/news/cerberus-android-banking-trojan/
