Wednesday, October 16, 2024

ErrorFather Hackers Attacking Android Users To Gain Remote Control


The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to target financial and social media apps, has continued to evolve and spread through various forks and variants.

Recent research has uncovered a new campaign, dubbed ErrorFather, which leverages the Cerberus source code and uses a multi-stage dropper mechanism to deploy the banking trojan payload.

The ErrorFather campaign, detected in September 2024, has seen a significant increase in malicious samples in recent weeks, indicating ongoing activity and the potential for widespread harm to unsuspecting users.

 ErrorFather Telegram bot

The malware uses a multi-stage dropping technique, in which the first-stage dropper installs a second-stage dropper from its assets using a session-based installation.

The second-stage dropper is packed and relies on a native library (libmcfae.so) to decrypt and load the final payload. The final payload, decrypted.dex, contains malicious functionality such as keylogging, overlay attacks, and remote access capabilities.

The ErrorFather campaign used a modified version of the Cerberus banking trojan, disguised through obfuscation and code reorganization.

Third-stage dropper loading the final payload

While initially classified as a new banking trojan based on its detection count, deeper analysis revealed strong code similarities with Cerberus, particularly in its shared preference settings and structure.

However, the C&C structure of the ErrorFather variant differed from both the original Cerberus and the newer Phoenix botnet, indicating a distinct evolution of the malware.


The malware retrieves C&C server lists using two methods: statically from a primary C&C server, and dynamically using a DGA that generates domains based on the current Istanbul time using MD5 and SHA-1 hashing and appends one of four extensions.

DGA used in the ErrorFather campaign

When the primary C&C server is unavailable, the malware attempts to connect to the generated domains. The same fallback behaviour was observed in the Alien malware, though with differences in domain extension and without a static list.
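The fallback described above has a defender-visible side effect: a device that cannot reach the primary C&C will resolve a burst of freshly generated domains whose labels are raw hash digests. The following is an added example (not code from the original article or from the ErrorFather/Cerberus samples) of a DNS-log heuristic that flags such queries. The article does not give the exact DGA construction or the four extensions, so the TLD set, the log format and the sample log lines below are constructed assumptions for illustration.

```python
"""Heuristic for hash-shaped DGA candidates in DNS query logs.

Added example, not the malware's or the article's own code. The article says
only that the ErrorFather DGA derives domains from the current Istanbul time
via MD5 and SHA-1 and appends one of four extensions; the exact algorithm is
not on the page, so this detector keys on the observable shape of the output
(a 32- or 40-character hex label directly under a TLD) rather than emulating
the generator.
"""
import re
from collections import defaultdict

# Assumed set of four TLDs; the article does not list the real ones.
SUSPECT_TLDS = {"com", "net", "org", "info"}

# A label that is exactly an MD5 (32 hex) or SHA-1 (40 hex) digest.
HEX_DIGEST_LABEL = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$")

# Constructed log format: "<timestamp> <source-ip> query <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")

# Constructed sample log: host 10.0.0.7 behaves like a device falling back
# to generated domains; the other hosts issue ordinary lookups.
SAMPLE_LOG = """\
2024-10-16T09:00:01Z 10.0.0.5 query www.example.com.
2024-10-16T09:00:02Z 10.0.0.7 query 9e107d9d372bb6826bd81d3542a419d6.com.
2024-10-16T09:00:03Z 10.0.0.7 query 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12.net.
2024-10-16T09:00:04Z 10.0.0.7 query da39a3ee5e6b4b0d3255bfef95601890afd80709.org.
2024-10-16T09:00:05Z 10.0.0.9 query mail.example.org.
2024-10-16T09:00:06Z 10.0.0.9 query deadbeef.com.
""".splitlines()


def is_hash_shaped_domain(qname: str) -> bool:
    """True if qname is <hexdigest>.<tld> with tld in SUSPECT_TLDS."""
    name = qname.rstrip(".").lower()
    parts = name.split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return tld in SUSPECT_TLDS and HEX_DIGEST_LABEL.fullmatch(label) is not None


def find_dga_candidates(lines):
    """Return (timestamp, source, qname) for every log line whose query
    name looks like a hash-shaped DGA domain; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and is_hash_shaped_domain(m.group("qname")):
            hits.append((m.group("ts"), m.group("src"), m.group("qname")))
    return hits


def burst_sources(hits, min_domains=2):
    """Sources that queried at least `min_domains` distinct hash-shaped
    domains, i.e. hosts that look like they are walking a DGA candidate list
    after losing the primary C&C."""
    per_src = defaultdict(set)
    for _ts, src, qname in hits:
        per_src[src].add(qname.rstrip(".").lower())
    return {src for src, names in per_src.items() if len(names) >= min_domains}


if __name__ == "__main__":
    hits = find_dga_candidates(SAMPLE_LOG)
    for ts, src, qname in hits:
        print(f"{ts} {src} -> {qname}")
    print("burst sources:", sorted(burst_sources(hits)))
```

Because the generator is seeded from the current time, any static blocklist of observed domains goes stale quickly; the per-source burst count is the more durable signal, since a benign host rarely resolves several bare-digest domains in a row. The TLD filter and the two-label rule are deliberately narrow to keep false positives low on CDN or cloud hostnames that also contain long hex labels.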

It performs various actions, including sending device information, retrieving and storing data from the server, and capturing screen images for its VNC functionality. It leverages accessibility services to gather sensitive data such as keystrokes and contacts, and sends error logs to the C&C server.

The malware also checks for registered users and sends device status updates, indicating continuous monitoring and control over the infected device.

Receives HTML injection file

The Cerberus malware employs an overlay attack to deceive victims into entering sensitive information, and identifies potential targets by sending a list of installed applications to the C&C server. Once a target is found, the malware receives the corresponding HTML injection page.

When the victim interacts with the target app, the malware overlays a fake phishing page, tricking the victim into divulging login credentials and credit card details, which allows the operators to carry out financial fraud.

According to CRIL, the ErrorFather campaign, a Cerberus-based banking Trojan, leverages VNC, keylogging, and HTML injection to steal financial information.

Despite being older malware, the modified Cerberus has evaded detection, as cybercriminals continue to repurpose leaked malware source code, highlighting the ongoing threat of Cerberus-based attacks.
