Cyble researchers have detected a sophisticated new variant of the Cerberus Android banking trojan that successfully evaded detection by antivirus engines.
The researchers have dubbed the new malware variant “ErrorFather,” named for the Telegram bot the malware communicates with. The new Cerberus variant uses a multi-stage dropper to deploy its payload and can carry out financial fraud through remote attacks, keylogging, and overlay attacks.
“The ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery,” the researchers said.
New Cerberus Variant Evades Detection
The Cerberus Android banking trojan was first identified in 2019, and after the source code was leaked, variations emerged such as Alien, ERMAC, and Phoenix that continued to be used by threat actors for financial fraud using VNC, keylogging, and overlay attacks.
The ErrorFather campaign continues the pattern of “forking” Cerberus code. While the threat actor behind ErrorFather has slightly modified the malware, “it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware,” the researchers from Cyble Research and Intelligence Labs (CRIL) wrote.
Despite being based on an older malware strain, “the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks,” they wrote.
‘ErrorFather’ Poses as Chrome and Play Store Apps
The researchers recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples used a multi-stage dropper to deploy a banking trojan payload.
The identified sample – 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 – acts as an initial dropper application to install the signed Android Package Kit (.apk) file, communicates with the Telegram Bot and sends the device model, brand, and API version.
The researchers said they have identified about 15 samples use in the campaign, including session-based droppers and their payloads. The first sample was detected in mid-September, followed by a noticeable increase during the first week of October, with an active Command and Control (C2) server “suggesting ongoing campaigns.”
The second-stage APK file is named “final-signed.apk” within the assets folder. It uses the Google Play Store icon and uses “a session-based installation technique to install the APK from the assets, bypassing restricted settings.”
That second-stage dropper has a manifest file that requests “dangerous” permissions and services, but is missing the code implementation, which is delivered through a native file, “libmcfae.so,” that is immediately loaded after installation to decrypt and execute the final payload.
The native file uses the encrypted file “rbyypivsnw.png” and obtains the AES key and initialization vector, performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/.
The decrypted.dex file is the final payload, containing malicious capabilities that include keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control server. “Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine,” the researchers said (image below).
The threat actor behind ErrorFather had modified Cerberus variable names, used more obfuscation, and reorganized the code, “effectively evading detection despite Cerberus being identified in 2019.”
The Domain Generation Algorithm uses the Istanbul timezone to obtain the current date and time, perhaps hinting at one origin of the campaign.
Cyble researchers included a list of 16 actions performed by the malware, plus MITRE ATT&CK techniques and indicators of compromise (IoCs).
The overlay technique is unchanged from earlier variants. Once targets are identified, the malware uses the “getFile” action to retrieve the HTML web injection page. When the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. “This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page,” the researchers said.
