Cerberus Banking Trojan Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on Cerberus Android banking Trojan, source code for which is released on underground forums for free.
Researchers discovered Cerberus, Android banking Trojan (Malware-as-a-Service), in 2019. This Android malware is rented or auctioned out on underground forums, and is primarily leveraged to target users to steal their financial data, such as credit card details. The operators behind Cerberus made several futile attempts to sell its source code on underground forums, and instead released it for free.  The ease at which it is available stirs concern as it increases the threat surface proportionally. The lifespan of popular on-rent Android banking Trojans is usually not more than one or two years (as shown below). Although ransomware-for-hire is not a rare deployment model, previous trends show that once the source code for malware is released, it attracts countermeasures and possibly a new version of the malware itself.
Fig1. Android Trojans and their origin and end date (Cerberus)
Fig1. Android Trojans and their origin and end date
Cerberus is usually spread via phishing campaigns and fake SMSs taking advantage of COVID-19, installations from untrusted sources, and using cracked versions of software where users are tricked into installing malware on their smartphones. 

Infection and Propagation Vector

Not long ago, Cerberus was detected being spread disguised as a Spanish currency converter (called “Calculadora de Moneda”). To avoid initial detection, the app hides its malicious intentions the first few weeks while being available on Google Play store. Later, the code is added to the source code of the currency converter, which is known as a "Dropper Code" among researchers. Then, the application starts deploying malware silently onto users' devices. The application is connected to a command-and-control server (C2), which further has an additional malicious android application package (APK), Cerberus. Now when the malware is executed on the device, it will hide its icon from the application drawer and request for accessibility service privilege as shown below.
Fig2. Permission Access (Cerberus)
Fig2. Permission Access
Once the user grants the requested privilege, Cerberus abuses it by allowing itself additional permissions without any user interaction. It also disables Play Protect (Google's pre-installed antivirus solution) to prevent the app’s discovery and deletion in the future. Then, the Trojan registers the infected device in the botnet and waits for commands from the C2 server while getting ready to perform overlay attacks. Examples of phishing overlays are as shown below in fig 3. 
Fig3. The credentials stealers (first 2 screenshots) and credit card grabbers (last screenshot)
Fig3. The credentials stealers (first 2 screenshots) and credit card grabbers (last screenshot)

Characteristics and Capabilities

The malware implements banking Trojan capabilities such as the use of overlay attacks, the ability to intercept SMSs, and obtain access to contact lists. It enables the attacker with the following capabilities as well:
  • Capture screenshots
  • Record audio
  • Record keylogs
  • Send, receive, and delete SMSs
  • Steal contact lists
  • Forward calls
  • Collect device information
  • Track device location
  • Steal account credentials
  • Disable Play Protect
  • Download additional apps and payloads
  • Remove apps from the infected device
  • Push notifications
  • Lock device’s screen

Indicators of Compromise

  1. 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f
  2. b604fac8f87428c66713d2637501b3e0fae3176a00dd591b1e061fa938da3727
  3. ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c
  4. 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63
  5. fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329
  6. 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4
  7. cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b
  8. c01210cf1698a8df3ac6ac8b07bad7a428e977fa9f15ca8eacc25132bf8a25e3
  9. 4254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69
  10. 6291192d0c2f6318f9a4f345203b35cfe140be53889f9fefdd8e057a4f02e898
  11. 3ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8
  12. 140eb9d273cdfa9a6f004165569a942784a26535
  13. d295f8e340692f25fabb46533d708c78
  14. seniyimisinyaw.cyou
  15. 94.156.77.32
  16. Shurt.pw

Impact

  1. Cerberus is now open source, it is accessible to anyone and therefore poses a major security challenge. 
  2. The leak of PII information can lead to identity theft.
  3. Confidential docs/ chats leaked to the public can cost the reputation of an individual or organization.
  4. Users might lose trust over the application owing to safety reasons, leading to a declining revenue for the company
  5. Once the device is infected it can be used as a Bot to perform DDoS attacks, leading to inaccessibility of services.
  6. Social engineering techniques are carried out on people. The malware operators obtain access to the victim’s details, which are then used to scam them.

Preventive Measures

  1. Block the installation of programs from unknown sources in the Android’s settings.
  2. Do not follow links in text messages, especially if the message seems suspicious.
  3. Do not give accessibility permissions to any app that requests them unnecessarily.
  4. Download applications from trusted sources.
  5. User awareness about such attacks.

Mitigation

  1. Use spam filters and antivirus programs to detect and filter bad emails.
  2. Do regular backup of the data.
  3. Use firewalls, antivirus, or anti-malware software.
  4. Use strong passwords.

Table of Contents

Request an easy and customized demo for free