“ErrorFather” Android Malware Variant Avoids Detection by Security Measures

In a recent discovery by Cyble researchers, a new and sophisticated variant of the Cerberus Android banking trojan has surfaced, evading antivirus engines and posing a significant threat to financial security. This new malware variant, named “ErrorFather,” communicates with a Telegram bot and uses a multi-stage dropper to deploy its payload, enabling remote attacks, keylogging, and overlay attacks for financial fraud.

The emergence of ErrorFather highlights the ongoing trend of cybercriminals repurposing and exploiting leaked malware source code, showcasing the persistent danger posed by Cerberus-based attacks even years after the original malware’s discovery. The original Cerberus Android banking trojan was first identified in 2019, and various iterations such as Alien, ERMAC, and Phoenix have since emerged, used by threat actors to carry out financial fraud through methods like VNC, keylogging, and overlay attacks.

Despite being based on older malware code, the modified Cerberus used in the ErrorFather campaign has effectively evaded detection by antivirus engines, emphasizing the continued risks associated with retooled malware from previous leaks. This highlights the need for ongoing vigilance and advanced security measures to combat evolving cyber threats.

ErrorFather’s deceptive tactics include posing as legitimate Chrome and Play Store apps, with samples using a multi-stage dropper to deploy the banking trojan payload. The campaign uses several samples, including session-based droppers and payloads, and its Command and Control (C2) server was still active at the time of analysis, indicating ongoing malicious activity.

The second-stage APK file employed in the campaign leverages a session-based installation technique, bypassing restricted settings by using the Google Play Store icon. The dropper’s manifest file requests dangerous permissions and services, with the code implementation delivered through a native file that decrypts and executes the final payload, containing malicious capabilities like keylogging, overlay attacks, VNC, and the use of a Domain Generation Algorithm (DGA) for a Command and Control server.

Although ErrorFather is built on older Cerberus code, the threat actor behind it has managed to evade detection by renaming Cerberus variables, applying obfuscation, and reorganizing the code. The malware employs an overlay technique to intercept user interactions with target applications, redirecting them to fake phishing pages that trick victims into entering sensitive information such as login credentials and credit card details.
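The two paragraphs above describe the dropper's manifest requesting dangerous permissions and services, and the overlay technique used against target apps. The script below is an added example of how an analyst can triage an Android manifest for exactly those capability combinations (self-install plus overlay or accessibility access, SMS interception, an app label that impersonates Chrome or the Play Store). It is not Cyble's tooling and not code from the malware; the watchlist is an assumed analyst selection of real Android permission names, and both manifests are constructed samples.

```python
"""Triage an AndroidManifest.xml for capability combinations typical of
dropper-delivered overlay banking trojans. Added example; the watchlist and
the sample manifests are constructed, not taken from the ErrorFather report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
LABEL = f"{{{ANDROID_NS}}}label"

# Assumed analyst watchlist: permission -> (category, why it matters).
WATCHLIST = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        ("installer", "app can install a second-stage APK itself"),
    "android.permission.SYSTEM_ALERT_WINDOW":
        ("overlay", "app can draw windows over other apps (overlay phishing)"),
    "android.permission.RECEIVE_SMS":
        ("sms", "app can intercept incoming SMS such as OTP codes"),
    "android.permission.READ_SMS":
        ("sms", "app can read stored SMS"),
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Labels that impersonate system apps, with the genuine package names.
OFFICIAL_PACKAGES = {"Play Store": "com.android.vending", "Chrome": "com.android.chrome"}

# Constructed manifest resembling a fake "Play Store" dropper.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestore">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Play Store">
    <service android:name=".OverlaySvc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app for contrast.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(xml_text: str) -> list[dict]:
    """Return a list of findings {indicator, category, why} for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME, "")
        if name in WATCHLIST:
            category, why = WATCHLIST[name]
            findings.append({"indicator": name, "category": category, "why": why})
    # A service guarded by BIND_ACCESSIBILITY_SERVICE receives accessibility
    # events, which keyloggers and overlay triggers rely on.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == ACCESSIBILITY_BIND:
            findings.append({"indicator": svc.get(NAME, "<unnamed service>"),
                             "category": "accessibility",
                             "why": "accessibility service can read screen content and keystrokes"})
    # A system-app label on a package that is not the real one is impersonation.
    app = root.find("application")
    label = app.get(LABEL, "") if app is not None else ""
    if label in OFFICIAL_PACKAGES and root.get("package") != OFFICIAL_PACKAGES[label]:
        findings.append({"indicator": f'label="{label}"', "category": "impersonation",
                         "why": f"label mimics {OFFICIAL_PACKAGES[label]}"})
    return findings


def verdict(findings: list[dict]) -> str:
    """'high' when a delivery trick is paired with overlay/accessibility access."""
    cats = {f["category"] for f in findings}
    if cats & {"installer", "impersonation"} and cats & {"overlay", "accessibility"}:
        return "high"
    return "medium" if cats else "low"


if __name__ == "__main__":
    for title, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(f"{title}: verdict={verdict(found)}")
        for f in found:
            print(f"  [{f['category']}] {f['indicator']}: {f['why']}")
```

Run it as-is to see the constructed dropper manifest scored "high" and the notes app scored "low"; point `triage_manifest` at a manifest decoded from a real APK (for example with apktool) to triage your own samples. The verdict logic deliberately keys on combinations rather than single permissions, since SYSTEM_ALERT_WINDOW or an accessibility service alone is common in legitimate apps.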

Cyble researchers have identified 16 actions performed by the malware, along with MITRE ATT&CK techniques and indicators of compromise (IoCs), providing valuable insights for cybersecurity professionals to defend against such attacks. The discovery of ErrorFather serves as a reminder of the constantly evolving nature of cyber threats and the importance of robust security measures to safeguard against financial fraud and data theft.

In conclusion, the emergence of ErrorFather underscores the need for enhanced cybersecurity measures to combat the persistent threat posed by Cerberus-based malware variants and other sophisticated cyber threats. Organizations and individuals are urged to stay vigilant, keep software up to date, and implement comprehensive security protocols to mitigate the risk of falling victim to malicious attacks.
