Cerberus is an Android banking trojan first reported on by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is where the actors behind its development are selling licenses for the service from $4000 - $12000. This new malware-as-a-service may have filled the void for actors who require Android malware rental services like Anubis and Red Alert which have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device. Cerberus lies dormant until the pedometer (measuring step count) reaches a certain amount of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written.
Anomali Threat Research (ATR) in joint partnership with the Information Security function within a major European Financial Institution, have undertaken analysis on Cerberus in an effort to complement the existing findings which have been presented by others in the community, and to further help defenders in understanding the threat and capability of this Android banking trojan.
Cerberus is being sold in the Russian hacking forum XSS[.]is. The forum was created in 2018 and is the new version of DaMaGeLab[.]org; a previously well known hacking forum run by the founders of Exploit[.]in. A member of the hacking forum XSS[.]is going by the name of Android, has a Premium account and is shown in Figure 1 advertising access to the Cerberus Android bot. The Cerberus malware is named after the Greek, three headed, mythological creature which guards the entrance of the underworld ruled by Hades.
Figure 1. A screenshot of the Cerberus Advertisement post made on June 23rd 2019
The advert shown in Figure 2 is selling licenses for Cerberus from $4000 depending on how long customers wish to have it for. As shown in Figure 2 the cost for each license is as follows:
It is unknown as to how profitable Cerberus has been thus far from a licensing revenue perspective for the authors and the connected cyber criminals.
Figure 2. A screenshot of a forum post detailing the cost of a license for renting Cerberus
The actors behind the Cerberus malware-as-a-service advertise on Twitter to showcase their product. Their twitter account @AndroidCerberus was created in June 2019, the same month they advertised the malware on XSS[.]is. The Twitter account has posts showing the Cerberus Admin panel with test APK infections and an injects list providing examples of potential victims. They have also developed an APK builder and an inject generator for the threat actor’s convenience. The actors Twitter account also states that their starter kits come prepackaged with injections for USA, France, Turkey and Italy. From one of the samples Anomali Threat Research analysed, the injections spanned targets across 16 countries (Figure 17). Figures 3 and 4 show screenshots of the admin panel, and which also show a version number for the bot of: 22.214.171.124.
Figure 3. Screenshot of the Cerberus admin panel
Figure 4. Screenshot of an injects list on offer for Cerberus
The Cerberus Twitter account (@AndroidCerberus) shows that they are claiming to be from Ukraine. In the XSS.is posts and in the groups twitter posts they have communicated several forms of contact information.
Anomali Threat Research undertook an extensive reverse image search of the Twitter profile picture but found nothing of substance to further attribute or pivot.
Figure 5. Screenshot from a Twitter post showing Cerberus APK builder
Figure 6. Screenshot of the Cerberus inject generator which targets the bitcoin wallet and exchange service organisation Coincheck
The Cerberus authors have listed the following as features of their Android information stealing trojan:
Anomali Threat Research undertook analysis and upon decompilation (92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0) the Cerberus APK defined the C2 information within the “settings.xml” file.
Figure 7. Screenshot of “settings.xml” Cerberus sample
The APK calls out to the following domains:
brickgeld24k[.]su resolves to the IP address 161.117.85[.]153 (AS 45102 - Alibaba (China) Technology Co., Ltd.), the domain was registered on the 8th of September 2019. The other C2 domains did not resolve at the time of analysis.
Figure 8. Anomali ThreatStream exploration of the brickgeld24k[.]su indicator
The following (Figure 9) displays captured Cerberus code snippets which were further analysed. The depicted functionality below shows the SMS functionality which would be of high Cerberus operator value for those victims who use SMS as part of their banking multi-factor authentication.
Figure 9. Code snippet of keylogged information being placed into a JSON object
Figure 10. Sample SMS exfiltration
From the samples that were analysed, the overwhelming majority of crafted overlays observed were targeting banking organisations. E-Commerce, FinTech and Telecommunication overlays were also found (Figure 11). These spanned organisations across the globe (Figure 12).
Figure 11. Sectors targeted from the overlay data inspected
Figure 12. Corporate headquarter location of those organisations targeted
As reported in the Crimeware In The Modern Era report, crimeware risk is underestimated, enduring, and is a cornerstone in the financially motivated threat actor toolset. Anomali and our research partner from the financial sector who conducted this analysis, observe that cyber threat actors continue to be relentless and innovative when it comes to how they target and attack the financial industry. Cerberus is another iteration in the diverse Android banking trojan arena, as threats in the mobile space continue to grow year-over-year.
Anomali recommend the following guidelines for all mobile device users:
The full Anomali Threat Research analysis of Cerberus can be viewed within Anomali ThreatStream.
 ThreatFabric, “Cerberus - A new banking Trojan from the underworld”, accessed October 31, 2019, published June, 2019, https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html.
 Insights, “The Dark Side of Russia; How New Internet Laws and Nationalism Fuel Russian Cybercrime”, accessed October 31, 2019, published unknown, https://wow.intsights.com/rs/071-ZWD-900/images/DarkSideofRussia.pdf.
 Photon Research Team, “Dark Web Monitoring: The Good, The Bad, and The Ugly”, Digital Shadows, accessed October 31, 2019, published September 11, 2019, https://www.digitalshadows.com/blog-and-research/dark-web-monitoring-the-good-the-bad-and-the-ugly/.
 Brandon Levene, “Crimeware in the Modern Era: A Cost We Cannot Ignore”, accessed November 1, 2019, published September 5, 2019, https://github.com/Blevene/Crimeware-In-The-Modern-Era
 Symantec, “Internet Security Threat Report Volume 23”, accessed October 30, 2019, published, published March 20, 2018, https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf
|Indicator of Compromise||Description|
|92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0||SHA-256 Hash for Cerberus sample using FlashPlayer|
|728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f||SHA-256 Hash for Cerberus sample|
|92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0||SHA-256 Hash for Cerberus sample|
|ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c||SHA-256 Hash for Cerberus sample|
|e40e0b51870322cc8ca983952500b27ef6c016569c107d8322b5beab09001f9c||SHA-256 Hash for Cerberus sample|
|241db5543e0454e883386fe81dcfd164a4e55ba2e529ec342a19d32a0709a4e6||SHA-256 Hash for Cerberus sample|
|6edbacc114d1fbcb40d0dd2dc3344972f1187f5b892897ac688aafaa61e64597||SHA-256 Hash for Cerberus sample|
|3b1f996f49441fcbcd107eb78b77647f36e9f6a96bc4dff790c3735124b47f8e||SHA-256 Hash for Cerberus sample|
|81019292b1b56452198e1dacbc7092fd79880f7c55890590b5ef419fd1cca9f5||SHA-256 Hash for Cerberus sample|
|638f932f9aa35e5fa1ac13888651e2bc087021c1378624824d9a614913243c4d||SHA-256 Hash for Cerberus sample|
|27b24b79818f606cc3dd03ef56cdac30899fadd08bcd881f03d196297e1e9a2f||SHA-256 Hash for Cerberus sample|
|5f3b61c80c1e0b0a3804e2cf80c1d0874a69057c6d2e1835c6a774cda78902de||SHA-256 Hash for Cerberus sample|
|6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4||SHA-256 Hash for Cerberus sample|
|728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63||SHA-256 Hash for Cerberus sample using FlashPlayer - As pointed out in ThreatFabric report|
|http://brickgeld24k[.]su||C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0|
|http://brickgeld25sk[.]su||C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0|
|http://brickgeld001kz[.]su||C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0|
|http://brickgeld049ik[.]su||C2 for sample 92aa486aee73546da0a5e153036b3ab8fd8a29525eb4a4885f1e9952fc2df0d0|
|@AndroidCerberus||Twitter handle for the suspected Cerberus operators|
|firstname.lastname@example.org||Jabber address for the Cerberus operators|
|email@example.com||Jabber address for the Cerberus operators|
|Androidsupport2@thesecure.biz||Jabber address for the Cerberus operators|