OSINT Investigation: Cerberus and the INPS

-

On 1 April 2020, the Italian National Institute for Social Security (INPS) experienced an unexpected outage on its website, leaving many Italians distressed and confused. This is due to the fact that the Italian government has offered a rescue package of €600 to assist with those experiencing hardship during lockdown, during the coronavirus pandemic. However, with the website being offline those who need help are temporarily unable to get it.

 Suddenly, a tweet from the infamous Anonymous Italy (@Anon_ITA) led some to believe that the site was taken down due to a distributed denial of service (DDoS) attack from the activist group.


Once the translation is made, however, it becomes clear that the site was taken down via the IT administrators' own means, not because of a DDoS attack, Anonymous Italy admits.

As of 6 April 2020 the site was still down, DDay Italy then investigated the true meaning behind its outage and found that because the site was placed behind the Akamai content delivery network (CDN), which cached part of the requests, those who viewed data were not reaching the INPS server, but were viewing a copy that the CDN had saved to speed up the response to requests. This misconfiguration meant the INPS site administrators had to bring the whole website offline and correct the issue. 


The INPS itself then suddenly produces an alert which warns Italians that a malware campaign has started targeting those seeking the INPS. Vast amounts of SMS messages were reportedly circulating, inviting victims to click on the link to update your COVID19 application, which instead would be a malicious trojanised application, called Cerberus.



With the site down, another typosquatting domain appeared, capitalising on the fact the INPS site was still down. The site (inps-informa[.]online) was created on 4 April 2020, a few days after INPS went down. 




Further investigation into the site led researchers to find a malicious APK file called ‘COVID-19.apk’ hosted on there for victims to unwittingly download and install. Although, in doing so, the victims have connected their devices to the attackers command and control (C&C) server for exfiltration of their stolen credentials. As a banking Trojan, one can expect that Cerberus aims for any banking credentials, payment details, and other personally identifiable information for attackers to defraud victims.
By downloading and installing the fake app, users click to enable invasive permissions such as control over bluetooth, calling, internet access. Cerberus is also able to read contacts, messages, call logs, audio messages, phone state, storage states, network state, saved accounts, master boot record, battery state, and control over the screen. 

ESET’s in-house Android malware expert, Lukas Stefanko, also recently showcased that Cerberus version 2 is on the way. The malware developers posted on a Russian hacking forum that Cerberus version 1 currently has over 1,000,000 malicious installs and has been a huge success for the threat actors, largely benefitting off the coronavirus pandemic.




Analysis: 
Cerberus is a malware-as-a-service (MaaS) platform, which means that any aspiring cybercriminal can contact the Cerberus developers and pay for access to the malware. It comes with a builder and a control panel and cybercriminals who have access to the MaaS can choose from a range of fake apps to masquerade as. It is up to the customers how best to deliver these malicious APK files in any way they choose, this typically includes water holing, SMiShing, and phishing. This makes Cerberus a dangerous and evolving threat that is operated not by a small group, but hundreds, if not thousands, of threat actors. It will be very difficult for law enforcement to even get close to tracking down those responsible.

As the coronavirus persists, governments and enterprises have to remain vigilant for DDoS attacks and for the sign of any typosquatting domains looking to impersonate the site that has been taken down, especially if it is for an extended period of time, like the INPS site (which is still down at the time of writing). 

I would also like to give thanks to my good friend, Salvatore, who helped me with this OSINT investigation and what the zeitgeist in Italy was surrounding this issue.

Indicators of Compromise (IOC): 

URL          https://inps-informa.online/download/COVID-19.apk
Domain      inps-informa.online
MD5 a64c66eb1c445d6402cd1044dcd31ee7
SHA-1 b680c3b498a31f3655efaf8ad720f26c7a91a19e
SHA-256  59cb2987a1c909e5c57a02e3a271324a9ca972d4d1a6632060eb5b908e41f9e7
MD5   897cada9b6146db02aab177c6028f69d
SHA-1   a2b4d27acf974f7858580a6125e60df0e9da2cea
SHA-256    d810f95ceaab3844bfe0aa656c62483006aa7b0fd20d59a9a1f4a689502096d0
References:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more