Leashing Cerberus

Overview

Cerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is where the actors behind its development are selling licenses for the service from $4000 - $12000. This new malware-as-a-service may have filled the void for actors who require Android malware rental services like Anubis and Red Alert which have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device. Cerberus lies dormant until the pedometer (measuring step count) reaches a certain amount of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written^[1].

Anomali Threat Research (ATR) in joint partnership with the Information Security function within a major European Financial Institution, have undertaken analysis on Cerberus in an effort to complement the existing findings which have been presented by others in the community, and to further help defenders in understanding the threat and capability of this Android banking trojan.

Malware-as-a-Service

Cerberus is being sold in the Russian hacking forum XSS[.]is. The forum was created in 2018 and is the new version of DaMaGeLab[.]org^[2]; a previously well known hacking forum run by the founders of Exploit[.]in^[3]. A member of the hacking forum XSS[.]is going by the name of Android, has a Premium account and is shown in Figure 1 advertising access to the Cerberus Android bot. The Cerberus malware is named after the Greek, three headed, mythological creature which guards the entrance of the underworld ruled by Hades.

Figure 1. A screenshot of the Cerberus Advertisement post made on June 23rd 2019

The advert shown in Figure 2 is selling licenses for Cerberus from $4000 depending on how long customers wish to have it for. As shown in Figure 2 the cost for each license is as follows:

• 3 months - $4,000,
• 6 months - $7,000,
• 12 months - $12,000

It is unknown as to how profitable Cerberus has been thus far from a licensing revenue perspective for the authors and the connected cyber criminals.

Figure 2. A screenshot of a forum post detailing the cost of a license for renting Cerberus

The actors behind the Cerberus malware-as-a-service advertise on Twitter to showcase their product. Their twitter account @AndroidCerberus was created in June 2019, the same month they advertised the malware on XSS[.]is. The Twitter account has posts showing the Cerberus Admin panel with test APK infections and an injects list providing examples of potential victims. They have also developed an APK builder and an inject generator for the threat actor’s convenience. The actors Twitter account also states that their starter kits come prepackaged with injections for USA, France, Turkey and Italy. From one of the samples Anomali Threat Research analysed, the injections spanned targets across 16 countries (Figure 17). Figures 3 and 4 show screenshots of the admin panel, and which also show a version number for the bot of: 1.5.0.9.

Figure 3. Screenshot of the Cerberus admin panel

Figure 4. Screenshot of an injects list on offer for Cerberus

The Cerberus Twitter account (@AndroidCerberus) shows that they are claiming to be from Ukraine. In the XSS.is posts and in the groups twitter posts they have communicated several forms of contact information.

Jabber addresses:

• androidsupport@thesecure.biz
• androiddev@thesecure.biz
• Androidsupport2@thesecure.biz

Anomali Threat Research undertook an extensive reverse image search of the Twitter profile picture but found nothing of substance to further attribute or pivot.

Figure 5. Screenshot from a Twitter post showing Cerberus APK builder

Figure 6. Screenshot of the Cerberus inject generator which targets the bitcoin wallet and exchange service organisation Coincheck

Analysis

The Cerberus authors have listed the following as features of their Android information stealing trojan:

• Sending SMS
• Interception SMS
• Hidden interception of SMS
• Device lock
• Mute sound
• Keylogger (messengers, WhatsApp, telegram secret, banks, etc., except browsers!)
• Execution of USSD commands
• Call forwarding
• Opening the fake page of the bank
• Run any installed application
• Push Bank Notification (Auto Push - determines which bank is installed)
• Open url in browser
• Get all installed applications
• Get all the contacts of their phone book
• Get all saved SMS
• Remove any application
• Self-destruct bot
• Automatic confirmation of rights and permissions
• A bot can have several spare url to connect to the server
• Injects (html + js + css, download to the device and run from disk, poor connection or lack of internet will not affect the operation of injects)
• Grabber cards
• Grabber mail
• Automatic inclusion of injections through the time specified in the admin panel
• Automatically shut off Google Play Protect + disconnect after the time specified in the admin panel
• Anti-emulator (Bot starts working after device activity)

Anomali Threat Research undertook analysis and upon decompilation (92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0) the Cerberus APK defined the C2 information within the “settings.xml” file.

Figure 7. Screenshot of “settings.xml” Cerberus sample

The APK calls out to the following domains:

• brickgeld24k[.]su
• brickgeld25sk[.]su
• brickgeld001kz[.]su
• brickgeld049ik[.]su

brickgeld24k[.]su resolves to the IP address 161.117.85[.]153 (AS 45102 - Alibaba (China) Technology Co., Ltd.), the domain was registered on the 8th of September 2019. The other C2 domains did not resolve at the time of analysis.

Figure 8. Anomali ThreatStream exploration of the brickgeld24k[.]su indicator

The following (Figure 9) displays captured Cerberus code snippets which were further analysed. The depicted functionality below shows the SMS functionality which would be of high Cerberus operator value for those victims who use SMS as part of their banking multi-factor authentication.

Figure 9. Code snippet of keylogged information being placed into a JSON object

Figure 10. Sample SMS exfiltration

Targeting

From the samples that were analysed, the overwhelming majority of crafted overlays observed were targeting banking organisations. E-Commerce, FinTech and Telecommunication overlays were also found (Figure 11). These spanned organisations across the globe (Figure 12).

Figure 11. Sectors targeted from the overlay data inspected

Figure 12. Corporate headquarter location of those organisations targeted

Concluding Remarks

As reported in the Crimeware In The Modern Era report, crimeware risk is underestimated, enduring, and is a cornerstone in the financially motivated threat actor toolset^[4]. Anomali and our research partner from the financial sector who conducted this analysis, observe that cyber threat actors continue to be relentless and innovative when it comes to how they target and attack the financial industry. Cerberus is another iteration in the diverse Android banking trojan arena, as threats in the mobile space continue to grow year-over-year^[5].

Anomali recommend the following guidelines for all mobile device users:

• Always be wary of unsolicited communications, email or SMS (text), and their attachments and links. Seek to validate the authenticity of the message by contacting the sender or sender organisation via a verified phone number of contact email address.
• Only download applications from trusted sources. The vast majority of malicious applications originate from third-party sources. Official application repositories are not immune from malicious applications, however the risk is somewhat limited as the Apple App Store and Google Play Store undertake verification on the apps they host.
• Stay up-to-date with security patches. Patching is one of the most important steps to securing your technology.
• Employ good physical security hygiene practices with your mobile device; set a strong password or use biometric authentication. Do not leave your device unattended in public. Consider the type and volume of data which is stored on your device.
• If you suspect an application is malicious, you can report these via the official channels here:
  • Apple Support: https://getsupport.apple.com/
  • Google Play Content: https://support.google.com/googleplay/android-developer/contact/takedown

The full Anomali Threat Research analysis of Cerberus can be viewed within Anomali ThreatStream.

• T1432 Access Contact List
• T1517 Access Notifications
• T1417 Input Capture
• T1430 Location Tracking
• T1412 Capture SMS Messages
• T1001 Data Obfuscation
• T1461 Lockscreen Bypass
• T1476 Deliver Malicious App via Other Means
• T1402 App Auto-Start at Device Boot
• T1268 Social Engineering
• T1433 Access Call Log
• T1532 Data Encrypted
• T1523 Evade Analysis Environment
• T1411 Input Prompt
• T1406 Obfuscated Files or Information
• T1418 Application Discovery
• T1426 System Information Discovery

https://attack.mitre.org/matrices/mobile/android/

Endnotes:

^[1] ThreatFabric, “Cerberus - A new banking Trojan from the underworld”, accessed October 31, 2019, published June, 2019, https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html.

^[2] Insights, “The Dark Side of Russia; How New Internet Laws and Nationalism Fuel Russian Cybercrime”, accessed October 31, 2019, published unknown, https://wow.intsights.com/rs/071-ZWD-900/images/DarkSideofRussia.pdf.

^[3] Photon Research Team, “Dark Web Monitoring: The Good, The Bad, and The Ugly”, Digital Shadows, accessed October 31, 2019, published September 11, 2019, https://www.digitalshadows.com/blog-and-research/dark-web-monitoring-the-good-the-bad-and-the-ugly/.

^[4] Brandon Levene, “Crimeware in the Modern Era: A Cost We Cannot Ignore”, accessed November 1, 2019, published September 5, 2019, https://github.com/Blevene/Crimeware-In-The-Modern-Era

^[5] Symantec, “Internet Security Threat Report Volume 23”, accessed October 30, 2019, published, published March 20, 2018, https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Appendix A - Indicators of Compromise

Download the Report