Posts

Showing posts with the label banking trojan

Latest wave of Cerberus targets English-speaking users

Following the recent discoveries shared by @MalwareHunterTeam and @LukasStefanko on Twitter, I took a closer look at the ongoing Cerberus Android banking Trojan campaign. It has recently reared its head to target English-speaking users via a fake food delivery app.

(Figure 1 - The fake website that drops food-delivery.apk)
(Figure 2 - Downloading and granting permissions to the Trojanised application)

If the download succeeds and the requested permissions are granted, the user's device is infected with a banking Trojan that shares multiple similarities with the infamous Cerberus Android banking Trojan. Further investigation into this campaign revealed the attacker's wider infrastructure through a shared host, the same gTLD (.top), and the same registrant details.

Virus Total Graph of the campaign:
Themes of Trojanised applications distributed by this Cerberus operator:
Cerberus web injects database:
(Figure 3 - Picture of the Cerberus web injects database for reference)

Analysis: The Cerberu...
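The infrastructure pivot described above (linking the dropper site to the operator's other domains through a shared host and shared registrant details) is the kind of step worth automating once a seed domain is in hand. The script below is an added example and is not code from the original post or from the author; every record in it is constructed (the domain names, the RFC 5737 TEST-NET addresses and the registrant handles are invented, and the record layout only loosely imitates what passive DNS or WHOIS would return). It walks transitively from a seed domain across shared hosting IPs and registrant handles, keeps the evidence for each link, and deliberately treats the gTLD as context rather than as a pivot key, since sharing a cheap TLD such as .top is not on its own a link between campaigns.

```python
from collections import defaultdict, deque

# Constructed, hypothetical records in a passive-DNS / WHOIS style.
# Domains, IPs (RFC 5737 TEST-NET ranges) and registrant handles are invented
# for this example and do not describe real infrastructure.
RECORDS = [
    {"domain": "food-delivery-app.top",   "ip": "203.0.113.10", "registrant": "R-1001"},
    {"domain": "parcel-tracker.top",      "ip": "203.0.113.10", "registrant": "R-1001"},
    {"domain": "bank-secure-login.top",   "ip": "198.51.100.7", "registrant": "R-1001"},
    {"domain": "video-player-update.top", "ip": "198.51.100.7", "registrant": "R-2002"},
    {"domain": "unrelated-shop.top",      "ip": "192.0.2.50",   "registrant": "R-3003"},
]

# Attributes considered strong enough to link two domains to one operator.
# The TLD is deliberately absent from this tuple (see same_tld below).
PIVOT_KEYS = ("ip", "registrant")


def build_index(records, keys=PIVOT_KEYS):
    """Map each (attribute, value) pair to the set of domains carrying it."""
    index = defaultdict(set)
    for rec in records:
        for key in keys:
            index[(key, rec[key])].add(rec["domain"])
    return index


def pivot(records, seed, keys=PIVOT_KEYS):
    """Transitively collect every domain that shares a pivot attribute with the
    seed, or with a domain already linked to it.  Returns {domain: evidence},
    where evidence is the set of (attribute, value) pairs that made the link.
    The seed itself is returned with an empty evidence set."""
    by_domain = {rec["domain"]: rec for rec in records}
    index = build_index(records, keys)
    linked = {seed: set()}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        rec = by_domain[current]
        for key in keys:
            attr = (key, rec[key])
            for other in index[attr]:
                if other == current:
                    continue
                if other not in linked:
                    linked[other] = set()
                    queue.append(other)       # follow the new domain's attributes too
                if other != seed:
                    linked[other].add(attr)   # record why it was pulled in
    return linked


def same_tld(records, seed):
    """Weak pivot, for contrast: every domain under the seed's TLD.  A shared
    cheap gTLD is common to unrelated campaigns, so it corroborates a cluster
    found through stronger attributes but should not create links by itself."""
    tld = seed.rsplit(".", 1)[-1]
    return sorted(r["domain"] for r in records if r["domain"].rsplit(".", 1)[-1] == tld)


if __name__ == "__main__":
    cluster = pivot(RECORDS, "food-delivery-app.top")
    for domain, evidence in cluster.items():
        print(domain, sorted(evidence))
    print("same TLD only:", same_tld(RECORDS, "food-delivery-app.top"))
```

On the constructed data the seed pulls in parcel-tracker.top (same IP and registrant), bank-secure-login.top (same registrant) and, one hop further, video-player-update.top (same IP as bank-secure-login.top), while unrelated-shop.top is excluded even though it shares the .top TLD with all of them. Keeping the evidence per domain is what lets an analyst drop a single weak hop (for example a bulk-hosting IP shared with thousands of tenants) without discarding the rest of the cluster.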

Gathering Intelligence on the Qakbot banking Trojan

Background:

The Qakbot banking Trojan is one of the top-tier malware families on the current threat landscape. It is distributed in mass spam campaigns, steals confidential information, and has also provided access to ransomware operators. Preventing and detecting this threat has become a priority for many organisations, as a successful infection can lead to a costly cyber incident. In this blog, I aim to share more information on this malware, drawn from open sources, and to highlight the intelligence gathering process it takes to combat this threat.

Qakbot (also known as Quakbot or Qbot) has been around since 2008. It has targeted the customers of various financial institutions worldwide. While Qbot's targeting has mostly remained the same - with the aim of stealing bank details and enabling wire fraud - its propagation methods have changed across various campaigns. Despite its age, Qakbot remains a significant threat with established connections in the organised cybercr...