Latest wave of Cerberus targets English-speaking users

-

 


Following the recent discoveries shared by @MalwareHunterTeam and @LukasStefanko on Twitter, I took a closer look at the ongoing Cerberus Android banking Trojan campaign. It has recently reared its head to target English-speaking users via a fake food delivery app:

(Figure 1 - The fake website that drops food-delivery.apk)

(Figure 2 - Downloading and granting permissions to the Trojanised application)

If successfully downloaded and permissions are granted, the user's device is infected with a banking Trojan that shares multiple similarities to the infamous Cerberus Android banking Trojan. Further investigation in this campaign revealed the attacker's infrastructure through a mutual host, gTLD (.top), and the same registrant details. 

Virus Total Graph of the campaign:

Themes of Trojanised Applications distributed by this Cerberus operator:

Cerberus web injects database:

(Figure 3 - Picture of the Cerberus web injects database for reference)

Analysis:

The Cerberus banking Trojan persists, even though the project reportedly shut down in August 2020. The malware authors stated that the project had come to an end after Google Play Protect blocked the Trojan’s functionality. However, they released the source code for versions 1 and 2, the install scripts, admin panels, and the SQL database structure. This has led to the current situation whereby Cerberus campaigns continue to appear in the wild despite the malware's original controllers having relinquished control. [source]

Over the last year, Cerberus has typically targeted users in Turkey and Poland. However, these fake applications are written in English, which suggests the operator’s targeting is expanding and shifting to English-speaking countries. Organisations, particularly in finance, must remain vigilant for emerging mobile threats that continue to bypass anti-fraud protection systems and compromise Android mobile devices. All smart phones should be upgraded to the latest version of the OS and unverified apps should not be downloaded from websites or third-party app stores.

Indicators of Compromise (IOCs):

Dropper:

  • food-delivery[.]vip
  • hxxps://food-delivery[.]vip/food-delivery.apk

C&C domains:

  • thedfrtyjgec[.]top
  • truespinzer[.]top
  • creamcrime[.]top
  • creamnails[.]top
  • gulispikers[.]top
  • dsfikj2dsfmolds[.]top
  • coolcalmedice[.]top
  • yearofchill[.]top
  • cosmeticpower[.]top
  • treeanddream[.]top

APKs:
  • Food delivery (battle.jealous.egg) - de3749224879f19a22df2a15501d87eb
  • Food delivery (head.boil.famous) - 08082902af8d1e190ff981eac35a93f5
  • Cash carry (panda.sail.exit) - 3fd26dc2eac86bcae777d7a05d20facc
  • Cash carry (tube.remove.exhibit) - 5de40b831b52853ddfeebda9765ee80d
  • Flash Player (hammer.gap.shiver) - d305cc92efd4709b5c6bd229c6392c3a
  • Flash Player (height.dragon.again) - 848a17ca546bbe9a573760c4307f2a2f

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more