Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns


I recently set out to become more acquainted with Maltego, a useful program for open-source intelligence (OSINT) and forensics, developed by Paterva. I also noticed there is an ongoing campaign against Turkey using Android banking Trojans such as Anubis and Cerberus. Both are Malware-as-a-Service offerings that supply a builder and mobile remote access Trojan (MRAT) to steal credentials from Android users.

Security researchers such as @MalwareHunterTeam, @ReBensk, @pr3wtd, and @mertcangokgoz, and others have all recently shared new samples of Cerberus and Anubis targeting users in Turkey with mobile data “gifts” that are offered from their mobile carriers due to COVID-19. Various websites are registered hosting links to fake apps, which were downloaded from the threat actor’s GitLab or BitBucket repositories. These apps are Android packages (.APK) that can be distributed via SMS, instant messaging app, on Twitter, via email, and other social engineering techniques.

With the Tweets of these security researchers I compiled the indicators of compromise (IOCs) such as file hashes, domains, IP addresses, and any other useful artefacts. I then fired up Maltego and began compiling the IOCs and trying to figure out how it was all connected.

Multiple Anubis campaigns:


Cerberus GitLab campaign: 


Cerberus BitBucket campaign: 


Phishing lures: 




Number of people targeted in these campaigns: 


Additional findings: 
Four of the command and control (C&C) servers during the Cerberus BitBucket campaign were registered by the same threat actor. All used the same throwaway Gmail address to register over a dozen malicious domains with the ".top" gTLD. 

As previously mentioned the attackers are exploiting the lockdown due to the coronavirus with these key phrases in Turkish:
- “Hediye” = Gift
- “Evde internetim var” = Have internet at home
- “Evde kal” = Stay at home
- “Indir 20GB kazan” = Download win 20GB
(Disclaimer - I only used Google translate)

Indicators of Compromise: 

Filenames:
EvdeHayatVar_build_obf.apk
Covid_19.apk
EvdeKal_build_obf.apk
evdekal_obf.apk
Covid19MobileInstall_obf.apk
Vodafone-5G.apk
evdekal-20gb.apk
Covid-19Mobile.apk
GooglePlay.apk
20gb-evdekal.apk
20GBHediye.apk
20gb_hediye_internet.apk
30GbKazan.apk
20gbhediyesi.apk
HayatEveSigar.apk
hediye20gb.apk
20gb-evde-kal.apk
SenEvdesinDiye_build_obf.apk
20gb_hediye_internet.apk
hediye20gb.apk
hayatevesigar.apk
evdekaliyorum.apk
basvuru_devlet_destegi.apk
evde-kal.apk

Users: 
https://bitbucket[.]org/nilsudemir1881
https://bitbucket[.]org/kaankaratas12881
https://bitbucket[.]org/emreadamol34
https://gitlab[.]com/akif65336
https://gitlab[.]com/ordulkemal2

IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed here.


Sources: 
https://koodous.com/apks?search=HayatEveSigar

Continued:

Security researchers that focus on Android threats have shared additional samples this week as part of this ongoing campaign. Some samples are directly connected, others are part of a new wave. BitBucket remains to be a preferred choice for hosting the APK files of the Android Trojans and many of the malicious domains are hosted with the GoDaddy registrar services.

Anubis campaigns:


Continued:



Phishing lures used this week: 




More IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed here.

Analysis:

Turkish users continue to be targeted by the Anubis Android banking Trojan campaign, using coronavirus phishing and free mobile data "gifts" due to the lockdown. If the previous download numbers are to be believed, it is more than likely that around 4,000 people in Turkey may have unknowingly downloaded the Trojan onto their devices. 

This is a serious cybercriminal campagin that is exploiting the COVID-19 pandemic. What makes these attacks all the more difficult to prevent is that Anubis is a Malware-as-a-Service platform. This means that low-skilled threat actors can purchase access and initiate attacks immediately. The only barrier to entry is usually a Bitcoin wallet to buy with.

This campaign is likely to continue exploiting the coronavirus for the forseeable future. It is a golden opportunity for threat actors to leverage in their phishing lures due to a heightened level of paranoia and uncertainty amongst the general population. As people seek for answers and the latest news on the coronavirus they fall into these attacker's traps. 

Android users should exercise caution over such threats and make sure to never download an application from a website or third-party appstore. Business devices should stick to vetted apps from the Google Play Store. 

Sources:
https://twitter.com/malwrhunterteam/status/1260817120687984640
https://twitter.com/malwrhunterteam/status/1260606944882110464
https://twitter.com/ReBensk/status/1260502947680698368
https://twitter.com/ReBensk/status/1260791061301137409
https://twitter.com/ReBensk/status/1260056152965918720
https://twitter.com/ReBensk/status/1260085218364452864
https://twitter.com/ReBensk/status/1260175293009891328
https://twitter.com/ReBensk/status/1259771887598612487
https://twitter.com/SmashTheKernel/status/1259801643748667392
https://twitter.com/ni_fi_70/status/1259792444444606465

Popular posts from this blog

Deep-dive: The DarkHotel APT

My first year in Cyber Threat Intelligence