Leashing Cerberus

Overview

Cerberus is an Android banking trojan first publicly reported by ThreatFabric in June 2019; it may have been active since at least 2017. The malware is sold on the Russian-language hacking forum xss[.]is, where the actors behind its development offer licenses for the service at $4,000 to $12,000. This new malware-as-a-service may have filled the void left for actors who previously rented Android malware such as Anubis and Red Alert, both of which have ceased to exist. ThreatFabric analysts point out that the malware only activates once the victim moves around: it reads the device's accelerometer-driven step counter (pedometer) and lies dormant until a set number of steps has been reached, which defeats emulators and sandboxes that never "walk". It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written[1].

Anomali Threat Research (ATR), in joint partnership with the Information Security function of a major European financial institution, has undertaken analysis of Cerberus to complement the findings already presented by others in the community and to further help defenders understand the threat and capability of this Android banking trojan.

Malware-as-a-Service

Cerberus is being sold on the Russian hacking forum XSS[.]is. The forum was created in 2018 as the successor to DaMaGeLab[.]org[2], a previously well-known hacking forum run by the founders of Exploit[.]in[3]. A member of XSS[.]is going by the name Android, who holds a Premium account, is shown in Figure 1 advertising access to the Cerberus Android bot. The malware is named after Cerberus, the three-headed creature of Greek mythology that guards the entrance to the underworld ruled by Hades.

Figure 1. A screenshot of the Cerberus Advertisement post made on June 23rd 2019

The advert shown in Figure 2 sells Cerberus licenses starting at $4,000, priced by how long the customer wants access. The cost of each license is as follows:

  • 3 months – $4,000,
  • 6 months – $7,000,
  • 12 months – $12,000

It is unknown as to how profitable Cerberus has been thus far from a licensing revenue perspective for the authors and the connected cyber criminals.

Figure 2. A screenshot of a forum post detailing the cost of a license for renting Cerberus

The actors behind the Cerberus malware-as-a-service also advertise on Twitter to showcase their product. Their Twitter account, @AndroidCerberus, was created in June 2019, the same month the malware was advertised on XSS[.]is. The account's posts show the Cerberus admin panel with test APK infections and an injects list giving examples of potential targets. The actors have also developed an APK builder and an inject generator for their customers' convenience, and state on Twitter that their starter kits come prepackaged with injections for the USA, France, Turkey and Italy. In one of the samples Anomali Threat Research analysed, the injections spanned targets across 16 countries (Figure 17). Figures 3 and 4 show screenshots of the admin panel, which also display a bot version number of 1.5.0.9.

Figure 3. Screenshot of the Cerberus admin panel

Figure 4. Screenshot of an injects list on offer for Cerberus

The Cerberus Twitter account (@AndroidCerberus) claims the operators are based in Ukraine. In their XSS[.]is posts and on Twitter the group has published several forms of contact information.

Jabber addresses:

  • androidsupport@thesecure.biz
  • androiddev@thesecure.biz
  • Androidsupport2@thesecure.biz

Anomali Threat Research undertook an extensive reverse image search of the Twitter profile picture but found nothing of substance to further attribute or pivot.

Figure 5. Screenshot from a Twitter post showing Cerberus APK builder

Figure 6. Screenshot of the Cerberus inject generator which targets the bitcoin wallet and exchange service organisation Coincheck

Analysis

The Cerberus authors list the following features for their Android information-stealing trojan:

  • Sending SMS
  • Interception SMS
  • Hidden interception of SMS
  • Device lock
  • Mute sound
  • Keylogger (messengers, WhatsApp, telegram secret, banks, etc., except browsers!)
  • Execution of USSD commands
  • Call forwarding
  • Opening the fake page of the bank
  • Run any installed application
  • Push Bank Notification (Auto Push – determines which bank is installed)
  • Open url in browser
  • Get all installed applications
  • Get all the contacts of their phone book
  • Get all saved SMS
  • Remove any application
  • Self-destruct bot
  • Automatic confirmation of rights and permissions
  • A bot can have several spare url to connect to the server
  • Injects (html + js + css, download to the device and run from disk, poor connection or lack of internet will not affect the operation of injects)
  • Grabber cards
  • Grabber mail
  • Automatic inclusion of injections through the time specified in the admin panel
  • Automatically shut off Google Play Protect + disconnect after the time specified in the admin panel
  • Anti-emulator (Bot starts working after device activity)

Anomali Threat Research decompiled the sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0 and found the C2 information defined in the APK's “settings.xml” resource file (Figure 7).

Figure 7. Screenshot of “settings.xml” Cerberus sample

The APK is configured to call out to the following domains (several entries, consistent with the advertised "spare URL" fallback feature):

  • brickgeld24k[.]su
  • brickgeld25sk[.]su
  • brickgeld001kz[.]su
  • brickgeld049ik[.]su

brickgeld24k[.]su resolved to the IP address 161.117.85[.]153 (AS 45102, Alibaba (China) Technology Co., Ltd.) and was registered on 8 September 2019. The other C2 domains did not resolve at the time of analysis.

Figure 8. Anomali ThreatStream exploration of the brickgeld24k[.]su indicator
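To show how an analyst turns the decoded resource into blockable, report-safe indicators, here is an added Python example (not Anomali's tooling and not Cerberus code). It assumes the APK has already been decoded with apktool so that settings.xml is plain text rather than binary AXML; the element names and the XML document below are constructed for the example, using only the four hostnames from the analysed sample.

```python
"""Extract and defang C2 hostnames from an apktool-decoded settings.xml.

Added example for this article, not Anomali's tooling or Cerberus code.
Resource XML inside an APK is binary (AXML), so run `apktool d sample.apk`
first and point this at the decoded res/xml/settings.xml. The element names
and the sample document below are assumptions constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the decoded settings.xml. Only the four hostnames
# come from the analysed sample; the element names are assumed.
SAMPLE_SETTINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="url">http://brickgeld24k.su</string>
    <string name="url2">http://brickgeld25sk.su</string>
    <string name="url3">http://brickgeld001kz.su</string>
    <string name="url4">http://brickgeld049ik.su</string>
    <string name="timer">60</string>
</resources>
"""

# Scheme, host, optional port and path. Only the host is captured.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?::\d+)?(?:/\S*)?")


def extract_c2_hosts(xml_text):
    """Return hostnames found anywhere in the document, in document order, without duplicates.

    Order is kept deliberately: the feature list says a bot can carry several
    spare URLs, so an analyst wants to know which entry is primary and which
    are fallbacks rather than an unordered set.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    seen, hosts = set(), []
    for elem in root.iter():
        # URLs may sit in text, tail text or attribute values; check all three.
        for text in (elem.text, elem.tail, *elem.attrib.values()):
            for match in URL_RE.finditer(text or ""):
                host = match.group(1).lower()
                if host not in seen:
                    seen.add(host)
                    hosts.append(host)
    return hosts


def defang(host):
    """Bracket the final dot so the indicator cannot be auto-linked in a report."""
    head, sep, tld = host.rpartition(".")
    return f"{head}[.]{tld}" if sep else host


if __name__ == "__main__":
    for host in extract_c2_hosts(SAMPLE_SETTINGS_XML):
        print(defang(host))
```

Run against a real decode, pass the file contents to `extract_c2_hosts`; the defanged output is what goes into a report, while the raw hostnames feed DNS or proxy blocklists.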

Figures 9 and 10 show Cerberus code snippets that were further analysed: the keylogger packaging captured keystrokes into a JSON object for exfiltration, and the SMS handling. The SMS capability is of high value to a Cerberus operator against victims whose banks deliver one-time codes over SMS as part of multi-factor authentication, since an intercepted code lets the operator complete a fraudulent transaction.

Figure 9. Code snippet of keylogged information being placed into a JSON object

Figure 10. Sample SMS exfiltration

Targeting

From the samples that were analysed, the overwhelming majority of crafted overlays observed were targeting banking organisations. E-Commerce, FinTech and Telecommunication overlays were also found (Figure 11). These spanned organisations across the globe (Figure 12).

Figure 11. Sectors targeted from the overlay data inspected

Figure 12. Corporate headquarter location of those organisations targeted

Concluding Remarks

As reported in the Crimeware In The Modern Era report, crimeware risk is underestimated, enduring, and is a cornerstone in the financially motivated threat actor toolset[4]. Anomali and our research partner from the financial sector who conducted this analysis, observe that cyber threat actors continue to be relentless and innovative when it comes to how they target and attack the financial industry. Cerberus is another iteration in the diverse Android banking trojan arena, as threats in the mobile space continue to grow year-over-year[5].

Anomali recommends the following guidelines for all mobile device users:

  • Always be wary of unsolicited communications, email or SMS (text), and their attachments and links. Seek to validate the authenticity of the message by contacting the sender or sender organisation via a verified phone number or contact email address.
  • Only download applications from trusted sources. The vast majority of malicious applications originate from third-party sources. Official application repositories are not immune from malicious applications, but the risk is somewhat limited as the Apple App Store and Google Play Store undertake verification on the apps they host. The Cerberus samples in Appendix A were distributed as a fake Flash Player app, a lure that should itself raise suspicion: Adobe ended Flash Player support for Android in 2012.
  • Stay up-to-date with security patches. Patching is one of the most important steps to securing your technology.
  • Employ good physical security hygiene practices with your mobile device; set a strong password or use biometric authentication. Do not leave your device unattended in public. Consider the type and volume of data which is stored on your device.
  • If you suspect an application is malicious, you can report these via the official channels here:

The full Anomali Threat Research analysis of Cerberus can be viewed within Anomali ThreatStream.

https://attack.mitre.org/matrices/mobile/android/

Endnotes:

[1] ThreatFabric, “Cerberus – A new banking Trojan from the underworld”, accessed October 31, 2019, published June, 2019, https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html.

[2] IntSights, “The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime”, accessed October 31, 2019, publication date unknown, https://wow.intsights.com/rs/071-ZWD-900/images/DarkSideofRussia.pdf.

[3] Photon Research Team, “Dark Web Monitoring: The Good, The Bad, and The Ugly”, Digital Shadows, accessed October 31, 2019, published September 11, 2019, https://www.digitalshadows.com/blog-and-research/dark-web-monitoring-the-good-the-bad-and-the-ugly/.

[4] Brandon Levene, “Crimeware in the Modern Era: A Cost We Cannot Ignore”, accessed November 1, 2019, published September 5, 2019, https://github.com/Blevene/Crimeware-In-The-Modern-Era.

[5] Symantec, “Internet Security Threat Report Volume 23”, accessed October 30, 2019, published March 20, 2018, https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf.

Appendix A – Indicators of Compromise

Indicator of Compromise Description
92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0 SHA-256 Hash for Cerberus sample using FlashPlayer – the sample analysed in this report
728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
e40e0b51870322cc8ca983952500b27ef6c016569c107d8322b5beab09001f9c SHA-256 Hash for Cerberus sample
241db5543e0454e883386fe81dcfd164a4e55ba2e529ec342a19d32a0709a4e6 SHA-256 Hash for Cerberus sample
6edbacc114d1fbcb40d0dd2dc3344972f1187f5b892897ac688aafaa61e64597 SHA-256 Hash for Cerberus sample
3b1f996f49441fcbcd107eb78b77647f36e9f6a96bc4dff790c3735124b47f8e SHA-256 Hash for Cerberus sample
81019292b1b56452198e1dacbc7092fd79880f7c55890590b5ef419fd1cca9f5 SHA-256 Hash for Cerberus sample
638f932f9aa35e5fa1ac13888651e2bc087021c1378624824d9a614913243c4d SHA-256 Hash for Cerberus sample
27b24b79818f606cc3dd03ef56cdac30899fadd08bcd881f03d196297e1e9a2f SHA-256 Hash for Cerberus sample
5f3b61c80c1e0b0a3804e2cf80c1d0874a69057c6d2e1835c6a774cda78902de SHA-256 Hash for Cerberus sample
6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4 SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329 SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63 SHA-256 Hash for Cerberus sample using FlashPlayer – As pointed out in ThreatFabric report
http://brickgeld24k[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
http://brickgeld25sk[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
http://brickgeld001kz[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
http://brickgeld049ik[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
@AndroidCerberus Twitter handle for the suspected Cerberus operators
androidsupport@thesecure.biz Jabber address for the Cerberus operators
androiddev@thesecure.biz Jabber address for the Cerberus operators
Androidsupport2@thesecure.biz Jabber address for the Cerberus operators
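The appendix lists its indicators as flat "indicator description" lines and repeats some hashes with different descriptions. The added Python example below (not Anomali's tooling) parses that layout into typed, de-duplicated entries, refangs the C2 URLs into bare hostnames for blocking, and checks a file's SHA-256 against the hash entries. The excerpt embedded in the script is constructed from a subset of the appendix, and the bytes it hashes are made up so that it runs offline.

```python
"""Parse the Appendix A indicator list into typed, de-duplicated entries and match a sample.

Added example, not Anomali's tooling. The excerpt below is constructed from the
appendix (two of its hashes, two C2 URLs, the Twitter handle and one Jabber
address) and deliberately keeps a duplicated hash line; the bytes hashed at the
end are made up so the script runs offline.
"""
import hashlib
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
URL_RE = re.compile(r"^(?:hxxp|http)s?://", re.IGNORECASE)
HANDLE_RE = re.compile(r"^@\w{1,15}$")
JABBER_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")

# Constructed excerpt of the appendix table, header line included.
IOC_TEXT = """\
Indicator of Compromise Description
92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0 SHA-256 Hash for Cerberus sample using FlashPlayer
92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0 SHA-256 Hash for Cerberus sample
728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f SHA-256 Hash for Cerberus sample
http://brickgeld24k[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
http://brickgeld25sk[.]su C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0
@AndroidCerberus Twitter handle for the suspected Cerberus operators
androidsupport@thesecure.biz Jabber address for the Cerberus operators
"""


def classify(indicator):
    """Map one raw indicator string to an indicator type."""
    if SHA256_RE.match(indicator):
        return "sha256"
    if URL_RE.match(indicator):
        return "url"
    if HANDLE_RE.match(indicator):
        return "twitter"
    if JABBER_RE.match(indicator):
        return "jabber"
    return "unknown"


def normalise(indicator, kind):
    """Canonical form used as the de-duplication key: lower-case hashes, refanged URLs."""
    if kind == "sha256":
        return indicator.lower()
    if kind == "url":
        url = indicator.replace("[.]", ".").rstrip("/")
        return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return indicator


def parse_iocs(text):
    """Return {kind: {indicator: [descriptions]}}; repeated indicators merge their descriptions."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("indicator of compromise"):
            continue  # blank line or the table header
        raw, _, desc = line.partition(" ")  # indicator is the first whitespace-free token
        kind = classify(raw)
        descs = table.setdefault(kind, {}).setdefault(normalise(raw, kind), [])
        desc = desc.strip()
        if desc and desc not in descs:
            descs.append(desc)
    return table


def c2_hosts(iocs):
    """Bare hostnames for DNS or proxy blocking, in the order the appendix lists them."""
    return [re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
            for url in iocs.get("url", {})]


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def match_sample(data, iocs):
    """Descriptions attached to the sample's SHA-256, or [] if it is not a listed IoC."""
    return iocs.get("sha256", {}).get(sha256_of(data), [])


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print({kind: len(entries) for kind, entries in iocs.items()})
    print(c2_hosts(iocs))
    print(match_sample(b"constructed bytes, not a real APK", iocs))
```

To use it on the full appendix, paste the table into `IOC_TEXT` (or read it from a file) and call `match_sample` with the bytes of each APK pulled from a device or mail gateway; hashes are compared case-insensitively, so output from tools that print upper-case hex still matches.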

About the Author

Anomali Labs