November 11, 2019 - Anomali Threat Research

Leashing Cerberus

<h2>Overview</h2><p>Cerberus is an Android banking trojan first reported by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is, where the actors behind its development are selling licenses for the service for $4,000 to $12,000. This new malware-as-a-service may have filled the void for actors who require Android malware rental services such as Anubis and Red Alert, which have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device: Cerberus lies dormant until the pedometer (which measures step count) reaches a certain number of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written<sup>[1]</sup>.</p><p>Anomali Threat Research (ATR), in joint partnership with the Information Security function of a major European financial institution, has undertaken analysis of Cerberus to complement the findings already presented by others in the community and to further help defenders understand the threat and capability of this Android banking trojan.</p><h2>Malware-as-a-Service</h2><p>Cerberus is being sold on the Russian hacking forum XSS[.]is. The forum was created in 2018 and is the new version of DaMaGeLab[.]org<sup>[2]</sup>, a previously well-known hacking forum run by the founders of Exploit[.]in<sup>[3]</sup>. A member of XSS[.]is going by the name of Android has a Premium account and is shown in Figure 1 advertising access to the Cerberus Android bot. The Cerberus malware is named after the three-headed creature of Greek mythology which guards the entrance to the underworld ruled by Hades.</p><p style="text-align: center;"><em><img alt="A screenshot of the Cerberus Advertisement post made on June 23rd 2019" src="https://cdn.filestackcontent.com/x6GRoRGVR6i0z7Vwe7jP"/><br/> Figure 1. A screenshot of the Cerberus Advertisement post made on June 23rd 2019</em></p><p>The advert shown in Figure 2 is selling licenses for Cerberus starting at $4,000, depending on how long customers wish to rent it for. As shown in Figure 2, the cost of each license is as follows:</p><ul><li>3 months - $4,000</li><li>6 months - $7,000</li><li>12 months - $12,000</li></ul><p>It is unknown how profitable Cerberus has been thus far, from a licensing revenue perspective, for the authors and the connected cyber criminals.</p><p style="text-align: center;"><em><img alt="A screenshot of a forum post detailing the cost of a license for renting Cerberus" src="https://cdn.filestackcontent.com/SjEPV1zmQy2fKBaOIalL"/><br/> Figure 2. A screenshot of a forum post detailing the cost of a license for renting Cerberus</em></p><p>The actors behind the Cerberus malware-as-a-service advertise on Twitter to showcase their product. Their Twitter account, @AndroidCerberus, was created in June 2019, the same month they advertised the malware on XSS[.]is. The Twitter account has posts showing the Cerberus admin panel with test APK infections and an injects list providing examples of potential victims. They have also developed an APK builder and an inject generator for the threat actor’s convenience. The actors’ Twitter account also states that their starter kits come prepackaged with injections for the USA, France, Turkey and Italy. From one of the samples Anomali Threat Research analysed, the injections spanned targets across 16 countries (Figure 17). 
Figures 3 and 4 show screenshots of the admin panel, which also display the bot version number, 1.5.0.9.</p><p style="text-align: center;"><em><img alt="Screenshot of the Cerberus admin panel" src="https://cdn.filestackcontent.com/HFwVxq8GQFq1NUTNnDrq"/><br/> Figure 3. Screenshot of the Cerberus admin panel</em></p><p style="text-align: center;"><em><img alt="Screenshot of an injects list on offer for Cerberus" src="https://cdn.filestackcontent.com/4o6e11lrTXKd1Xccg7Bu"/><br/> Figure 4. Screenshot of an injects list on offer for Cerberus</em></p><p>The Cerberus Twitter account (@AndroidCerberus) claims that the operators are from Ukraine. In their XSS[.]is posts and in the group’s Twitter posts they have communicated several forms of contact information.</p><p>Jabber addresses:</p><ul><li>androidsupport@thesecure.biz</li><li>androiddev@thesecure.biz</li><li>Androidsupport2@thesecure.biz</li></ul><p>Anomali Threat Research undertook an extensive reverse image search of the Twitter profile picture but found nothing of substance to further attribute or pivot on.</p><p style="text-align: center;"><em><img alt="Screenshot from a Twitter post showing Cerberus APK builder" src="https://cdn.filestackcontent.com/gBHZIiDZQfSSyiJNy9cW"/><br/> Figure 5. Screenshot from a Twitter post showing Cerberus APK builder</em></p><p style="text-align: center;"><em><img alt="Screenshot of the Cerberus inject generator which targets the bitcoin wallet and exchange service organisation Coincheck" src="https://cdn.filestackcontent.com/D1QbFfqSzGxT2jXyqB0g"/><br/> Figure 6. 
Screenshot of the Cerberus inject generator which targets the bitcoin wallet and exchange service organisation Coincheck</em></p><h2>Analysis</h2><p>The Cerberus authors have listed the following as features of their Android information-stealing trojan:</p><ul><li>Sending SMS</li><li>SMS interception</li><li>Hidden SMS interception</li><li>Device lock</li><li>Mute sound</li><li>Keylogger (messengers, WhatsApp, Telegram secret, banks, etc., except browsers!)</li><li>Execution of USSD commands</li><li>Call forwarding</li><li>Opening the fake page of the bank</li><li>Run any installed application</li><li>Push bank notification (Auto Push - determines which bank is installed)</li><li>Open URL in browser</li><li>Get all installed applications</li><li>Get all the contacts of the phone book</li><li>Get all saved SMS</li><li>Remove any application</li><li>Self-destruct bot</li><li>Automatic confirmation of rights and permissions</li><li>A bot can have several spare URLs to connect to the server</li><li>Injects (HTML + JS + CSS, downloaded to the device and run from disk; a poor connection or lack of internet will not affect the operation of injects)</li><li>Card grabber</li><li>Mail grabber</li><li>Automatic inclusion of injections through the time specified in the admin panel</li><li>Automatically shut off Google Play Protect + disconnect after the time specified in the admin panel</li><li>Anti-emulator (bot starts working after device activity)</li></ul><p>Upon decompilation of the Cerberus APK (SHA-256 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0), Anomali Threat Research found the C2 information defined within the “settings.xml” file.</p><p style="text-align: center;"><em><img alt="Screenshot of “settings.xml” Cerberus sample" src="https://cdn.filestackcontent.com/mSADI7MRVGh3TMra1mxU"/><br/> Figure 7. 
Screenshot of “settings.xml” Cerberus sample</em></p><p>The APK calls out to the following domains:</p><ul><li>brickgeld24k[.]su</li><li>brickgeld25sk[.]su</li><li>brickgeld001kz[.]su</li><li>brickgeld049ik[.]su</li></ul><p>brickgeld24k[.]su resolves to the IP address 161.117.85[.]153 (AS 45102 - Alibaba (China) Technology Co., Ltd.); the domain was registered on the 8th of September 2019. The other C2 domains did not resolve at the time of analysis.</p><p style="text-align: center;"><em><img alt="Anomali ThreatStream exploration of the brickgeld24k[.]su indicator" src="https://cdn.filestackcontent.com/tDjtTjCCRSBDd4SqJKe0"/><br/> Figure 8. Anomali ThreatStream exploration of the brickgeld24k[.]su indicator</em></p><p>Figure 9 displays a captured Cerberus code snippet which was further analysed, and Figure 10 shows the SMS functionality, which would be of high value to Cerberus operators against those victims who use SMS as part of their banking multi-factor authentication.</p><p style="text-align: center;"><em><img alt="Code snippet of keylogged information being placed into a JSON object" src="https://cdn.filestackcontent.com/Sf0P614zQY6KwwVkGjjp"/><br/> Figure 9. Code snippet of keylogged information being placed into a JSON object</em></p><p style="text-align: center;"><em><img alt="Sample SMS exfiltration" src="https://cdn.filestackcontent.com/6D6HmZnUS4WLEPEmhUMw"/><br/> Figure 10. Sample SMS exfiltration</em></p><h2>Targeting</h2><p>From the samples that were analysed, the overwhelming majority of crafted overlays observed were targeting banking organisations. E-commerce, FinTech and telecommunication overlays were also found (Figure 11). These spanned organisations across the globe (Figure 12).</p><p style="text-align: center;"><em><img alt="Sectors targeted from the overlay data inspected" src="https://cdn.filestackcontent.com/zNxGU0UXQ4iuQHTJV1sg"/><br/> Figure 11. 
Sectors targeted from the overlay data inspected</em></p><p style="text-align: center;"><em><img alt="Corporate headquarter location of those organisations targeted" src="https://cdn.filestackcontent.com/aZUl721lS5TOlKOePhLg"/><br/> Figure 12. Corporate headquarter location of those organisations targeted</em></p><h2>Concluding Remarks</h2><p>As reported in the Crimeware in the Modern Era report, crimeware risk is underestimated, enduring, and a cornerstone of the financially motivated threat actor’s toolset<sup>[4]</sup>. Anomali and our research partner from the financial sector who conducted this analysis observe that cyber threat actors continue to be relentless and innovative in how they target and attack the financial industry. Cerberus is another iteration in the diverse Android banking trojan arena, as threats in the mobile space continue to grow year over year<sup>[5]</sup>.</p><p>Anomali recommends the following guidelines for all mobile device users:</p><ul><li>Always be wary of unsolicited communications, whether email or SMS (text), and their attachments and links. Validate the authenticity of the message by contacting the sender or the sender’s organisation via a verified phone number or contact email address.</li><li>Only download applications from trusted sources. The vast majority of malicious applications originate from third-party sources. Official application repositories are not immune to malicious applications; however, the risk is somewhat limited as the Apple App Store and Google Play Store verify the apps they host.</li><li>Stay up to date with security patches. Patching is one of the most important steps to securing your technology.</li><li>Employ good physical security hygiene with your mobile device: set a strong password or use biometric authentication, and do not leave your device unattended in public. 
Consider the type and volume of data which is stored on your device.</li><li>If you suspect an application is malicious, you can report it via the official channels here:<ul><li>Apple Support: <a href="https://getsupport.apple.com/" target="_blank">https://getsupport.apple.com/</a></li><li>Google Play Content: <a href="https://support.google.com/googleplay/android-developer/contact/takedown" target="_blank">https://support.google.com/googleplay/android-developer/contact/takedown</a></li></ul></li></ul><p>The full Anomali Threat Research analysis of Cerberus can be viewed within Anomali ThreatStream.</p><p>MITRE ATT&amp;CK techniques associated with Cerberus:</p><ul><li><a href="https://attack.mitre.org/techniques/T1432/" target="_blank">T1432 Access Contact List</a></li><li><a href="https://attack.mitre.org/techniques/T1517/" target="_blank">T1517 Access Notifications</a></li><li><a href="https://attack.mitre.org/techniques/T1417/" target="_blank">T1417 Input Capture</a></li><li><a href="https://attack.mitre.org/techniques/T1430/" target="_blank">T1430 Location Tracking</a></li><li><a href="https://attack.mitre.org/techniques/T1412/" target="_blank">T1412 Capture SMS Messages</a></li><li><a href="https://attack.mitre.org/techniques/T1001/" target="_blank">T1001 Data Obfuscation</a></li><li><a href="https://attack.mitre.org/techniques/T1461/" target="_blank">T1461 Lockscreen Bypass</a></li><li><a href="https://attack.mitre.org/techniques/T1476/" target="_blank">T1476 Deliver Malicious App via Other Means</a></li><li><a href="https://attack.mitre.org/techniques/T1402/" target="_blank">T1402 App Auto-Start at Device Boot</a></li><li><a href="https://attack.mitre.org/techniques/T1268/" target="_blank">T1268 Social Engineering</a></li><li><a href="https://attack.mitre.org/techniques/T1433/" target="_blank">T1433 Access Call Log</a></li><li><a href="https://attack.mitre.org/techniques/T1532/" target="_blank">T1532 Data Encrypted</a></li><li><a href="https://attack.mitre.org/techniques/T1523/" target="_blank">T1523 Evade Analysis Environment</a></li><li><a href="https://attack.mitre.org/techniques/T1411/" target="_blank">T1411 Input Prompt</a></li><li><a href="https://attack.mitre.org/techniques/T1406/" target="_blank">T1406 Obfuscated Files or Information</a></li><li><a href="https://attack.mitre.org/techniques/T1418/" target="_blank">T1418 Application Discovery</a></li><li><a href="https://attack.mitre.org/techniques/T1426/" target="_blank">T1426 System Information Discovery</a></li></ul><p><a href="https://attack.mitre.org/matrices/mobile/android/" target="_blank">https://attack.mitre.org/matrices/mobile/android/</a></p><h2>Endnotes:</h2><p><sup>[1]</sup> ThreatFabric, “Cerberus - A new banking Trojan from the underworld”, accessed October 31, 2019, published June 2019, <a href="https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" target="_blank">https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html</a>.</p><p><sup>[2]</sup> IntSights, “The Dark Side of Russia: How New Internet Laws and Nationalism Fuel Russian Cybercrime”, accessed October 31, 2019, publication date unknown, <a href="https://wow.intsights.com/rs/071-ZWD-900/images/DarkSideofRussia.pdf" target="_blank">https://wow.intsights.com/rs/071-ZWD-900/images/DarkSideofRussia.pdf</a>.</p><p><sup>[3]</sup> Photon Research Team, “Dark Web Monitoring: The Good, The Bad, and The Ugly”, Digital Shadows, accessed October 31, 2019, published September 11, 2019, <a href="https://www.digitalshadows.com/blog-and-research/dark-web-monitoring-the-good-the-bad-and-the-ugly/" target="_blank">https://www.digitalshadows.com/blog-and-research/dark-web-monitoring-the-good-the-bad-and-the-ugly/</a>.</p><p><sup>[4]</sup> Brandon Levene, “Crimeware in the Modern Era: A Cost We Cannot Ignore”, accessed November 1, 2019, published September 5, 2019, <a href="https://github.com/Blevene/Crimeware-In-The-Modern-Era" target="_blank">https://github.com/Blevene/Crimeware-In-The-Modern-Era</a>.</p><p><sup>[5]</sup> Symantec, “Internet Security Threat Report Volume 23”, accessed October 30, 2019, published March 20, 2018, <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf" target="_blank">https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf</a>.</p><h2>Appendix A - Indicators of Compromise</h2><table class="table table-striped" style="table-layout: fixed;"><tbody><tr><th style="word-wrap: break-word;">Indicator of Compromise</th><th style="word-wrap: break-word;">Description</th></tr><tr><td style="word-wrap: break-word;">92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer</td></tr><tr><td style="word-wrap: 
break-word;">728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">e40e0b51870322cc8ca983952500b27ef6c016569c107d8322b5beab09001f9c</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">241db5543e0454e883386fe81dcfd164a4e55ba2e529ec342a19d32a0709a4e6</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">6edbacc114d1fbcb40d0dd2dc3344972f1187f5b892897ac688aafaa61e64597</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">3b1f996f49441fcbcd107eb78b77647f36e9f6a96bc4dff790c3735124b47f8e</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">81019292b1b56452198e1dacbc7092fd79880f7c55890590b5ef419fd1cca9f5</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">638f932f9aa35e5fa1ac13888651e2bc087021c1378624824d9a614913243c4d</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">27b24b79818f606cc3dd03ef56cdac30899fadd08bcd881f03d196297e1e9a2f</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;">5f3b61c80c1e0b0a3804e2cf80c1d0874a69057c6d2e1835c6a774cda78902de</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus 
sample</td></tr><tr><td style="word-wrap: break-word;">6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample</td></tr><tr><td style="word-wrap: break-word;"><span class="c20">728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f</span></td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63</td><td style="word-wrap: break-word;">SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report</td></tr><tr><td style="word-wrap: break-word;">http://brickgeld24k[.]su</td><td style="word-wrap: break-word;">C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td></tr><tr><td style="word-wrap: break-word;">http://brickgeld25sk[.]su</td><td style="word-wrap: break-word;">C2 for sample 
92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td></tr><tr><td style="word-wrap: break-word;">http://brickgeld001kz[.]su</td><td style="word-wrap: break-word;">C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td></tr><tr><td style="word-wrap: break-word;">http://brickgeld049ik[.]su</td><td style="word-wrap: break-word;">C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0</td></tr><tr><td style="word-wrap: break-word;">@AndroidCerberus</td><td style="word-wrap: break-word;">Twitter handle for the suspected Cerberus operators</td></tr><tr><td style="word-wrap: break-word;"><span class="c16">androidsupport@thesecure.biz</span></td><td style="word-wrap: break-word;">Jabber address for the Cerberus operators</td></tr><tr><td style="word-wrap: break-word;">androiddev@thesecure.biz</td><td style="word-wrap: break-word;">Jabber address for the Cerberus operators</td></tr><tr><td style="word-wrap: break-word;">Androidsupport2@thesecure.biz</td><td style="word-wrap: break-word;">Jabber address for the Cerberus operators</td></tr></tbody></table><p style="text-align: center;"><a class="button button-xlarge button-rounded button-blue-grad" href="https://www.anomali.com/resources/whitepapers/leashing-cerebus-anomali-threat-research" target="_blank">Download the Report</a></p>
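<p>As an added example that is not part of the original report, the following Python turns the defanged indicators from Appendix A and the Analysis section (SHA-256 hashes, the brickgeld C2 URLs, the resolved IP, the Twitter handle and the Jabber addresses) into typed, refanged and de-duplicated values that can be loaded into a blocklist or hunt query; the hashes the table repeats under different descriptions are merged while every description is kept. Reading the appendix as (indicator, description) pairs is an assumption about its layout.</p>

```python
"""Type, refang and de-duplicate the indicators in this report's Appendix A.
Added example, not Anomali's or the Cerberus sample's code; reading the
appendix as (indicator, description) pairs is an assumption about its layout."""
import re
from dataclasses import dataclass

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
URL_RE = re.compile(r"^https?://(?P<host>[A-Za-z0-9.-]+)(?::\d+)?(?:/.*)?$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
JID_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass(frozen=True)
class Indicator:
    kind: str   # sha256 | domain | ipv4 | twitter | jabber
    value: str  # refanged, canonical form

def refang(raw):
    """Undo the report's defanging: '[.]' or '(.)' for '.', 'hxxp' for 'http'."""
    value = raw.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def classify(raw):
    """Map one appendix cell to a typed, canonical Indicator."""
    value = refang(raw)
    if SHA256_RE.match(value.lower()):
        return Indicator("sha256", value.lower())
    url = URL_RE.match(value)
    if url:  # a C2 URL is blocked by its host, so reduce it to the domain
        return Indicator("domain", url.group("host").lower())
    if IPV4_RE.match(value):  # before DOMAIN_RE, which would also match an IP
        return Indicator("ipv4", value)
    if value.startswith("@"):
        return Indicator("twitter", value)
    if JID_RE.match(value):  # XMPP localparts are case-insensitive
        return Indicator("jabber", value.lower())
    if DOMAIN_RE.match(value):
        return Indicator("domain", value.lower())
    raise ValueError(f"unrecognised indicator: {raw!r}")

def normalise(rows):
    """Fold rows into {Indicator: [descriptions]}; repeated values (the appendix
    lists the 92aa486a... hash twice) collapse to one key and keep every description."""
    merged = {}
    for raw, description in rows:
        descriptions = merged.setdefault(classify(raw), [])
        if description not in descriptions:
            descriptions.append(description)
    return merged

def by_kind(merged):
    """Group canonical values by kind, sorted, ready for a blocklist feed."""
    out = {}
    for ind in merged:
        out.setdefault(ind.kind, []).append(ind.value)
    return {kind: sorted(values) for kind, values in out.items()}

# Constructed from the report's Appendix A and Analysis section.
SAMPLE_ROWS = [
    ("92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0",
     "SHA-256 Hash for Cerberus sample using FlashPlayer"),
    ("92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0",
     "SHA-256 Hash for Cerberus sample"),
    ("http://brickgeld24k[.]su", "C2 defined in settings.xml of the FlashPlayer sample"),
    ("http://brickgeld25sk[.]su", "C2 defined in settings.xml of the FlashPlayer sample"),
    ("161.117.85[.]153", "Resolution of brickgeld24k[.]su at time of analysis (AS 45102)"),
    ("@AndroidCerberus", "Twitter handle for the suspected Cerberus operators"),
    ("androidsupport@thesecure.biz", "Jabber address for the Cerberus operators"),
    ("Androidsupport2@thesecure.biz", "Jabber address for the Cerberus operators"),
]
```

<p>Calling <code>by_kind(normalise(SAMPLE_ROWS))</code> yields one sha256 entry, two refanged domains, one IPv4 address, the Twitter handle and two lower-cased Jabber addresses; an unrecognised cell raises <code>ValueError</code> rather than being silently dropped.</p>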
