OSINT Investigation: Cerberus and the INPS


On 1 April 2020, the Italian National Institute for Social Security (INPS) experienced an unexpected outage on its website, leaving many Italians distressed and confused. The outage mattered because the Italian government had offered a rescue package of €600 to assist those experiencing hardship during the coronavirus lockdown; with the website offline, those who needed that help were temporarily unable to get it.

Suddenly, a tweet from the infamous Anonymous Italy (@Anon_ITA) led some to believe that the site was taken down due to a distributed denial of service (DDoS) attack from the activist group.


Once the tweet is translated, however, it becomes clear that the site was taken down by the IT administrators' own means, not by a DDoS attack, as Anonymous Italy itself admits.

As of 6 April 2020 the site was still down. DDay Italy investigated the true cause of the outage and found that the site had been placed behind the Akamai content delivery network (CDN), which cached part of the requests: users who viewed data were not reaching the INPS server, but were being served a copy that the CDN had saved to speed up its responses. This misconfiguration meant the INPS site administrators had to take the whole website offline to correct the issue.


INPS itself then issued an alert warning Italians that a malware campaign had begun targeting people seeking INPS services. Large numbers of SMS messages were reportedly circulating, inviting recipients to click a link to "update your COVID19 application"; what they downloaded instead was a malicious trojanised application called Cerberus.



With the site still down, another typosquatting domain appeared, capitalising on the continuing outage. The domain (inps-informa[.]online) was created on 4 April 2020, a few days after the INPS site went down.




Further investigation into the site led researchers to a malicious APK file called 'COVID-19.apk' hosted there for victims to unwittingly download and install. In doing so, victims connect their devices to the attackers' command and control (C&C) server, which receives their stolen credentials. As a banking Trojan, Cerberus can be expected to go after banking credentials, payment details, and other personally identifiable information that attackers use to defraud victims.
By installing the fake app, users are prompted to grant invasive permissions such as control over Bluetooth, calling and internet access. Cerberus is also able to read contacts, messages, call logs, audio messages, phone state, storage state, network state, saved accounts, master boot record and battery state, and to take control of the screen.
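The permission set above is the first thing an analyst checks when triaging a suspicious APK. The script below is an added example, not code from the original post: it parses a decoded AndroidManifest.xml (the binary manifest inside an APK must first be decoded with a tool such as apktool, which is assumed) and flags the permissions that line up with the data Cerberus is described as reading. The package name and manifest are constructed for illustration, not taken from the real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities described above (messages, contacts,
# call logs, calling, Bluetooth, phone state, saved accounts, drawing over the
# screen), keyed by the data class each one exposes.
HIGH_RISK = {
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "calling",
    "android.permission.BLUETOOTH": "bluetooth",
    "android.permission.READ_PHONE_STATE": "phone state",
    "android.permission.GET_ACCOUNTS": "saved accounts",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlay",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded AndroidManifest.xml and flag high-risk permissions."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flagged = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
    exposed = sorted(set(flagged.values()))
    # A "COVID-19 information" app has no reason to read SMS, contacts or call
    # logs; three or more distinct data classes is treated as a strong signal.
    verdict = "suspicious" if len(exposed) >= 3 else "review"
    return {"package": root.get("package", ""), "flagged": flagged,
            "exposed": exposed, "verdict": verdict}

# Constructed manifest for a fake "COVID-19" app (illustrative package name and
# permission set; not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.covid19info">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.BLUETOOTH"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="COVID-19"/>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest returns a "suspicious" verdict with six exposed data classes; INTERNET alone is left unflagged because nearly every app requests it.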

ESET's in-house Android malware expert, Lukas Stefanko, also recently showed that Cerberus version 2 is on the way. The malware developers posted on a Russian hacking forum that Cerberus version 1 currently has over 1,000,000 malicious installs and has been a huge success for the threat actors, largely by profiting from the coronavirus pandemic.




Analysis: 
Cerberus is a malware-as-a-service (MaaS) platform: any aspiring cybercriminal can contact the Cerberus developers and pay for access to the malware. It comes with a builder and a control panel, and customers of the MaaS can choose from a range of fake apps for the malware to masquerade as. How the malicious APK files are delivered is left to the customers; this typically includes watering-hole attacks, SMiShing and phishing. This makes Cerberus a dangerous and evolving threat, operated not by a small group but by hundreds, if not thousands, of threat actors, and it will be very difficult for law enforcement to even get close to tracking down those responsible.

As the coronavirus persists, governments and enterprises have to remain vigilant both for DDoS attacks and for any sign of typosquatting domains impersonating a site that has been taken down, especially when the outage is prolonged, as with the INPS site (which is still down at the time of writing).
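One way to act on that vigilance is to screen a feed of newly observed domains against the brand you protect. The script below is an added example, not part of the original investigation: it assumes "inps" as the brand token and inps.it as the legitimate allowlisted domain, scores a domain for brand tokens combined with extra words (the inps-informa pattern seen above), embedded or one-edit-away brand spellings, and recent registration. Only inps-informa.online and its 4 April 2020 creation date come from the investigation; the rest of the feed is constructed.

```python
from datetime import date

BRANDS = ("inps",)        # brand tokens to watch for (assumption: the INPS name)
OFFICIAL = {"inps.it"}    # known-legitimate domains to exclude (assumed allowlist)
RECENT_DAYS = 14          # a brand hit registered this recently scores extra

def levenshtein(a: str, b: str) -> int:
    """Edit distance, so a one-character swap like 'inp5' still matches 'inps'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_domain(domain: str, created: date, today: date) -> list:
    """Return the reasons a domain looks like brand impersonation ([] if clean)."""
    if domain in OFFICIAL:
        return []
    label = domain.split(".")[0]  # leftmost label; public-suffix handling is out of scope
    reasons = []
    for brand in BRANDS:
        if brand in label.split("-"):          # e.g. "inps-informa"
            reasons.append(f"brand '{brand}' combined with extra words")
        elif brand in label:                   # e.g. "inpsonline"
            reasons.append(f"brand '{brand}' embedded in label")
        elif levenshtein(label, brand) <= 1:   # e.g. "inp5"
            reasons.append(f"label within one edit of '{brand}'")
    if reasons and (today - created).days <= RECENT_DAYS:
        reasons.append(f"registered within the last {RECENT_DAYS} days")
    return reasons

def flag_feed(feed, today: date) -> dict:
    """Map each suspicious domain in a (domain, created) feed to its reasons."""
    hits = {d: score_domain(d, c, today) for d, c in feed}
    return {d: r for d, r in hits.items() if r}

# Constructed feed of newly observed domains (only the first entry and its
# creation date come from the investigation above).
SAMPLE_FEED = [
    ("inps-informa.online", date(2020, 4, 4)),
    ("inps.it", date(1997, 1, 1)),
    ("inp5.com", date(2020, 1, 10)),
    ("bookshop.online", date(2020, 4, 3)),
]
```

Against the constructed feed with 6 April 2020 as "today", `flag_feed` reports inps-informa.online with two reasons (brand plus extra word, registered two days earlier) and inp5.com with one; the official domain and the unrelated shop are not flagged.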

I would also like to thank my good friend, Salvatore, who helped me with this OSINT investigation and with understanding the zeitgeist in Italy surrounding this issue.

Indicators of Compromise (IOC): 

URL: https://inps-informa.online/download/COVID-19.apk
Domain: inps-informa.online