The Cerberus Android banking trojan, which gained notoriety in 2019 for its ability to target financial and social media apps, has continued to evolve and spread through various forks and variants.
Recent research has uncovered a new campaign, dubbed ErrorFather, which leverages the Cerberus source code and utilizes a multi-stage dropper mechanism to deploy the banking trojan payload.
The ErrorFather campaign, detected in September 2024, has seen a significant increase in malicious samples in recent weeks, indicating ongoing activity and the potential for widespread harm to unsuspecting users.
The malware utilizes a multi-stage dropping technique, where the first-stage dropper installs a second-stage dropper from its assets using a session-based installation.
While the second-stage dropper is packed and relies on a native library (libmcfae.so) to decrypt and load the final payload. The final payload, decrypted.dex, contains malicious functionalities like keylogging, overlay attacks, and remote access capabilities.
The ErrorFather campaign utilized a modified version of the Cerberus banking trojan, which it disguised through obfuscation and code reorganization.
While initially detected as a new banking trojan based on its detection count, deeper analysis revealed strong code similarities with Cerberus, particularly in its shared preference settings and structure.
However, the C&C structure of the ErrorFather variant differed from the original Cerberus and the more recent Phoenix botnet, indicating a unique evolution of the malware.
How to Choose an ultimate Managed SIEM solution for Your Security Team -> Download Free Guide(PDF)
The malware retrieves C&C server lists using two methods: statically from a primary C&C server and dynamically using a DGA, which generates domains based on the current Istanbul time using MD5 and SHA-1 hashing and appends one of four extensions.
When the primary C&C server is unavailable, the malware attempts to connect to the generated domains, which was also observed in the Alien malware, but with variations in domain extension and lack of a static list.
It performs various actions, including sending device information, retrieving and storing data from the server, and capturing screen images for VNC functionality by leveraging accessibility services to gather sensitive data like keystrokes and contacts and sends error logs to the C&C server.
The malware also checks for registered users and sends device status updates, indicating its continuous monitoring and control over the infected device.
The Cerberus malware employs an overlay attack to deceive victims into entering sensitive information and identifies potential targets by sending a list of installed applications. Once a target is found, the malware receives the corresponding HTML injection page.
When the victim interacts with the target app, the malware overlays a fake phishing page, tricking the victim into divulging login credentials and credit card details, which enables the malware to carry out financial fraud.
According to the CRIL, the ErrorFather campaign, a Cerberus-based banking Trojan, leverages VNC, keylogging, and HTML injection to steal financial information.
Despite being older malware, the modified Cerberus has evaded detection, where cybercriminals continue to repurpose leaked malware source code, highlighting the ongoing threat of Cerberus-based attacks.