CyberSecurity SEE

ErrorFather Hackers Target Android Users to Gain Remote Control

The notorious Cerberus Android banking trojan, known for targeting financial and social media apps, has continued to evolve and spread through various forks and variants, creating new threats in the cybersecurity landscape.

Recently, a new campaign named ErrorFather has been uncovered, leveraging the Cerberus source code and employing a multi-stage dropper mechanism to deploy the banking trojan payload. This campaign, identified in September 2024, has shown a surge in malicious samples in recent weeks, signaling ongoing activity and the potential harm it could cause to unsuspecting users.

The malware utilizes a multi-stage dropping technique, where the first-stage dropper installs a second-stage dropper from its assets using a session-based installation. The second-stage dropper, packed and dependent on a native library (libmcfae.so), decrypts and loads the final payload. This final payload, decrypted.dex, contains malicious functionalities like keylogging, overlay attacks, and remote access capabilities.

The ErrorFather campaign disguises the modified Cerberus banking trojan through obfuscation and code reorganization, making it challenging to detect. While initially identified as a new banking trojan based on its detection count, further analysis revealed strong code similarities with Cerberus, especially in its shared preference settings and structure. However, the C&C structure of the ErrorFather variant differed from the original Cerberus and the more recent Phoenix botnet, showing a unique evolution of the malware.

The malware retrieves C&C server lists using two methods: statically from a primary C&C server and dynamically using a Domain Generation Algorithm (DGA), which generates domains based on the current Istanbul time using MD5 and SHA-1 hashing. When the primary C&C server is unavailable, the malware attempts to connect to the generated domains, similar to the behavior observed in the Alien malware.

The malware performs various actions, including sending device information, retrieving and storing data from the server, capturing screen images for VNC functionality, gathering sensitive data like keystrokes and contacts using accessibility services, and sending error logs to the C&C server. It also checks for registered users and sends device status updates, showcasing continuous monitoring and control over the infected device.

Using an overlay attack, the Cerberus malware deceives victims into entering sensitive information by overlaying a fake phishing page on top of legitimate applications. This tactic aims to trick victims into divulging login credentials and credit card details, enabling the malware to carry out financial fraud efficiently.

According to CRIL, the ErrorFather campaign leverages VNC, keylogging, and HTML injection to steal financial information, demonstrating the concerning capabilities of the Cerberus-based banking trojan. Despite the age of the malware, the modified Cerberus has managed to evade detection, illustrating the persistent threat of Cerberus-based attacks fueled by cybercriminals repurposing leaked malware source code.

In conclusion, the evolving nature of the Cerberus Android banking trojan, as demonstrated by the ErrorFather campaign, highlights the need for enhanced cybersecurity measures to combat the ever-changing tactics employed by cybercriminals. Vigilance and robust security protocols are crucial in safeguarding users against the persistent threat of malware attacks in today’s interconnected digital landscape.
