Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) identified a campaign referred to as “ErrorFather” that used an undetected Cerberus Android Banking Trojan payload.
- ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.
- The campaign ramped up in activity in September and October 2024, with more samples and ongoing campaigns suggesting active targeting and scaling by the Threat Actors (TAs) behind the ErrorFather campaign.
- The final payload employs keylogging, overlay attacks, VNC, and a Domain Generation Algorithm (DGA) to carry out malicious actions.
- ErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures resilience by enabling dynamic C&C server updates, keeping the malware operational even when primary servers are taken down.
- The campaign highlights how repurposed malware from leaks can continue to pose significant threats years after its original appearance.
Overview
The Cerberus Android Banking Trojan initially emerged in 2019 and was available for rent on underground forums. It gained notoriety for its ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks, and incorporating VNC and keylogging features. Its widespread reach made it one of the best-known banking trojans at the time.
In 2020, following the leak of Cerberus’ source code, a new variant called “Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting over 450 financial and social media apps.
At the start of 2024, a new threat known as the Phoenix Android Banking Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, using its exact source code, whereas Alien and ERMAC had introduced some modifications.
Cyble Research and Intelligence Labs (CRIL) recently uncovered several malicious samples posing as Chrome and Play Store apps. These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus Banking Trojan.
The identified sample “0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a first-stage dropper application that drops and installs the final-signed.apk from assets, communicates with a Telegram Bot URL, and sends the device model, brand, and API version.
The Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure below. Given the bot’s name and the recent updates to this variant (covered in the Technical Analysis section), we are referring to this campaign as ErrorFather.
We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads. The first sample was detected in mid-September 2024, followed by a noticeable increase in samples during the first week of October 2024, with an active Command and Control (C&C) server suggesting ongoing campaigns.
The following section provides a technical analysis of the Cerberus malware used by the ErrorFather campaign.
Technical Details
Multi-staged dropper
The primary APK is a session-based dropper that contains a second-stage APK file named “final-signed.apk” inside the Assets folder. It uses the Google Play Store icon and employs a session-based installation technique to install the APK from the assets, bypassing restricted settings.
The second-stage dropper, “final-signed.apk,” has a manifest file that requests dangerous permissions and services, but the code implementation is missing, indicating that the malware is packed. It includes a native file, “libmcfae.so,” which is immediately loaded after installation to decrypt and execute the final payload.
The native file is responsible for handling the final payload. It uses the encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector (IV), performs decryption, and loads the “decrypted.dex” file at the location /data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the figure below.
The decrypted.dex file is the final payload, containing malicious functionalities such as keylogging, overlay attacks, VNC, PII collection, and the use of a Domain Generation Algorithm (DGA) to create a Command and Control (C&C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was not flagged by any antivirus engine.
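As an added illustration (not code from the Cyble report or the malware), the following Python triage helper applies the checks an analyst would run on a dropper with this layout: an APK embedded under assets/, a native library, and an asset with a .png name that carries no PNG header. The file names mirror those in the report; the two-stage APK itself is constructed in memory and is not a real sample.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a zip archive
DEX_MAGIC = b"dex\n"


def triage_apk(apk_bytes: bytes, prefix: str = "") -> dict:
    """Flag dropper-style content inside an APK; nested APKs found under assets/
    are triaged too, with their entries prefixed by '<outer entry>!'."""
    findings = {k: [] for k in ("embedded_apk", "embedded_dex", "native_libs", "fake_png")}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed to classify
            if info.filename.startswith("lib/") and info.filename.endswith(".so"):
                findings["native_libs"].append(path)
            if not info.filename.startswith("assets/"):
                continue
            if head.startswith(ZIP_MAGIC):
                findings["embedded_apk"].append(path)
                nested = triage_apk(zf.read(info), prefix=path + "!")
                for key in findings:
                    findings[key].extend(nested[key])
            elif head.startswith(DEX_MAGIC):
                findings["embedded_dex"].append(path)
            elif info.filename.lower().endswith(".png") and not head.startswith(PNG_MAGIC):
                # A ".png" with no PNG header is a classic disguise for an encrypted payload
                findings["fake_png"].append(path)
    return findings


def build_sample_apk() -> bytes:
    """Constructed two-stage APK mirroring the layout described in the report.
    File names follow the report; the contents are placeholders, not real samples."""
    stage2 = io.BytesIO()
    with zipfile.ZipFile(stage2, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF" + b"\x00" * 16)
        z.writestr("assets/rbyypivsnw.png", bytes(range(32)))   # no PNG header
        z.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 8)  # a genuine-looking PNG
    stage1 = io.BytesIO()
    with zipfile.ZipFile(stage1, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/final-signed.apk", stage2.getvalue())
    return stage1.getvalue()
```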
Leveraging Cerberus code
Based on the detection count, we initially suspected it to be a new banking trojan, but upon deeper analysis of the final payload, we discovered significant code similarities with Cerberus. The TA behind the ErrorFather campaign had modified variable names, used additional obfuscation, and reorganized the code, effectively evading detection despite Cerberus being identified in 2019.
Comparing the Cerberus sample and the more recent Phoenix botnet, we noticed changes in this recent variant of Cerberus used in the ErrorFather campaign, particularly in its C&C structure. These differences suggest that the identified sample is a distinct malware variant.
Use of DGA
We observed the malware retrieving a list of C&C servers using two methods. First, after installation and establishing a connection with the primary C&C server, referred to by the TA as “PoisonConnect,” the malware receives a list of four additional C&C servers. It then stores these in the “ConnectGates” shared preferences setting, as shown in the figure below.
We observed a slight variation in the C&C communication. Samples from the ErrorFather campaign only use RC4 encryption to send a full JSON payload, including the action type. In contrast, earlier Cerberus samples used Base64 encoding combined with RC4, with the action type sent unencrypted via separate parameters. The figure below illustrates the C&C communication for both the ErrorFather campaign and the earlier Cerberus samples.
Second, the malware incorporates a DGA (Domain Generation Algorithm) that uses the Istanbul timezone to obtain the current date and time. It then generates an MD5 hash and passes the digest to SHA-1, appending one of four extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are stored in the same “ConnectGates” setting. The figure below demonstrates the DGA used in the ErrorFather campaign.
The figure below illustrates the malware connecting to domains generated by the DGA when the primary C&C server is unavailable.
In 2022, Alien was observed similarly implementing a DGA process. However, unlike the ErrorFather campaign, it did not maintain a list of domains, used only the “.xyz” extension, and did not rely on a specific timezone.
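To make the framing difference concrete for anyone decoding captured traffic, here is an added Python example (not the malware’s or the report’s code) that encodes and decodes both styles with a plain RC4 implementation. The key, the JSON field names (“type”, “action”, “data”) and the sample payload are constructed assumptions, since the report does not publish them.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ErrorFather framing: the whole JSON, action type included, is RC4-encrypted,
# so nothing about the request is readable without the key.
def encode_errorfather(key: bytes, action: str, fields: dict) -> bytes:
    return rc4(key, json.dumps({"type": action, **fields}).encode())


def decode_errorfather(key: bytes, body: bytes) -> dict:
    return json.loads(rc4(key, body).decode())


# Earlier Cerberus framing: the action travels as a clear-text parameter and only
# the data field is Base64(RC4(json)), so the action type is visible on the wire.
def encode_legacy(key: bytes, action: str, fields: dict) -> dict:
    blob = base64.b64encode(rc4(key, json.dumps(fields).encode())).decode()
    return {"action": action, "data": blob}


def decode_legacy(key: bytes, params: dict) -> tuple:
    data = rc4(key, base64.b64decode(params["data"]))
    return params["action"], json.loads(data.decode())
```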
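Defenders commonly reimplement a DGA’s hash chain to precompute candidate domains for blocklists or sinkhole watches; the added Python below (not the report’s code) does that for the chain described above: MD5 of a date seed, SHA-1 over the MD5 hex digest, and the four extensions appended. The seed format (a calendar date) is an assumption, as the report does not give it, and Istanbul is modelled as a fixed UTC+3 offset.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Turkey has used permanent UTC+3 with no daylight saving since 2016, so a fixed
# offset is sufficient and avoids depending on the system tz database.
ISTANBUL = timezone(timedelta(hours=3), "Europe/Istanbul")
TLDS = (".click", ".com", ".homes", ".net")  # the four extensions named in the report


def dga_seed(local_time: datetime) -> str:
    # ASSUMPTION: the report does not give the exact seed format; a calendar date is used.
    return local_time.strftime("%Y-%m-%d")


def dga_label(seed: str) -> str:
    # MD5 of the seed, then SHA-1 over the MD5 hex digest, as the report describes.
    md5_hex = hashlib.md5(seed.encode()).hexdigest()
    return hashlib.sha1(md5_hex.encode()).hexdigest()


def dga_seed_at(utc_iso: str) -> str:
    """Seed for a UTC instant (ISO-8601 string) after converting to Istanbul local time."""
    return dga_seed(datetime.fromisoformat(utc_iso).astimezone(ISTANBUL))


def candidate_domains_at(utc_iso: str, days_either_side: int = 1) -> list:
    """Domains to put on a blocklist or sinkhole watch around the given UTC instant.
    The clock is converted to Istanbul time first: a list built from the UTC date would
    miss the hours after midnight in Istanbul, when the seed has already rolled over.
    Neighbouring days are included to tolerate clock skew on infected devices."""
    local_now = datetime.fromisoformat(utc_iso).astimezone(ISTANBUL)
    domains = []
    for delta in range(-days_either_side, days_either_side + 1):
        label = dga_label(dga_seed(local_now + timedelta(days=delta)))
        domains.extend(label + tld for tld in TLDS)
    return domains


def is_dga_candidate(domain: str, utc_iso: str) -> bool:
    """Check a domain from DNS logs against the candidate window (detection use)."""
    return domain.lower().rstrip(".") in set(candidate_domains_at(utc_iso))
```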
Actions used by malware
The TA has renamed the “Actions” to “Types,” as shown in Figure 11. These renamed types indicate the actions performed by the malware and the expected commands from the C&C server. Upon analysis, we observed that the actions performed by this malware closely resemble those seen in earlier Cerberus variants, with the primary difference being the renaming of action identifiers. Below is a comprehensive list of actions performed by the malware.
| Type of action | Description |
| --- | --- |
| checkAppList | Sends the list of installed application package names |
| getFile | Sends the target application package name to download the HTML injection file |
| getResponse | Retrieves the server’s response and, if it is “ok”, stores the application log in the shared preferences file |
| PrimeService | Used to send key logs of the targeted application |
| getBox | Used to send SMSs from the infected device |
| fa2prime | Not implemented |
| prContact | Used to send contacts to the server |
| listAppX | Similar to “checkAppList”: the malware stores the list of installed application package names based on a command from the server; otherwise the list remains empty. It then sends the list of installed application package names using this action name |
| slService | Sends Accessibility logs |
| ErrorWatch | Sends error logs using this action type |
| device_status | Sends device status related to the WebSocket connection |
| image | Sends captured images as part of the VNC function |
| traverse | Sends accessibility node information |
| CheckDomain | Sent to the DGA-generated domain to validate the domain |
| RegisterUser | Registers the device and receives a registration ID, similar to a bot ID |
| CheckUser | Sends setting information and checks whether the user is registered or not |
VNC implementation using MediaProjection
During our malware analysis, we identified two keywords related to VNC: “StatusVNC” and “StatusHVNC.” While the HVNC implementation is absent in this campaign, it was previously present in the Phoenix botnet, a fork of Cerberus. VNC functionality is implemented using MediaProjection, together with a WebSocket connection to continuously transmit screen images and receive VNC actions from the WebSocket response to interact with the device.
Overlay Attack
The overlay technique remains unchanged from the earlier Cerberus variant. The malware first sends the list of installed application package names to identify potential targets. Once a target is identified, the server responds with the package names of the target applications. The malware then uses the “getFile” action to retrieve the HTML web injection page, as shown in the figure below.
When the victim interacts with the target application, the malware loads a fake phishing page over the legitimate app. This tricks the victim into entering their login credentials and credit card details on the fraudulent banking overlay page.
The Cerberus malware used in the ErrorFather campaign can carry out financial fraud through VNC, keylogging, and overlay attacks.
Conclusion
The Cerberus Android Banking Trojan, first identified in 2019, became a prominent tool for financial fraud using VNC, keylogging, and overlay attacks. Following the leak of its source code, various threat actors repurposed the Cerberus code to develop new banking trojans, including Alien, ERMAC, and Phoenix. The ErrorFather campaign is another example of this pattern. While the TA behind ErrorFather has slightly modified the malware, it remains based primarily on the original Cerberus code, making it inappropriate to classify it as entirely new malware.
In the ErrorFather campaign, the malware uses a multi-stage dropper to deploy its payload and leverages techniques such as VNC, keylogging, and HTML injection for fraudulent purposes. Notably, the campaign uses a Telegram bot named “ErrorFather” to communicate with the malware. Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from earlier leaks.
The ErrorFather campaign exemplifies how cybercriminals continue to repurpose and exploit leaked malware source code, underscoring the persistent threat of Cerberus-based attacks even years after the original malware’s discovery.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like the Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Initial Access (TA0027) | Phishing (T1660) | Malware distributed via phishing site |
| Execution (TA0041) | Native API (T1575) | Malware uses native code to drop the final payload |
| Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretends to be the Google Play Update and Chrome application |
| Defense Evasion (TA0030) | Application Discovery (T1418) | Collects the installed application package name list to identify targets |
| Defense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | Malware can uninstall itself |
| Defense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware can capture keystrokes |
| Discovery (TA0032) | Software Discovery (T1418) | Malware collects the installed application package list |
| Discovery (TA0032) | System Information Discovery (T1426) | The malware collects basic device information |
| Collection (TA0035) | Screen Capture (T1513) | Malware can record screen content |
| Collection (TA0035) | Audio Capture (T1429) | Malware captures audio recordings |
| Collection (TA0035) | Call Control (T1616) | Malware can make calls |
| Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Malware steals contacts |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device |
| Command and Control (TA0037) | Dynamic Resolution: Domain Generation Algorithms (T1637.001) | Malware has implemented a DGA |
| Command and Control (TA0037) | Encrypted Channel: Symmetric Cryptography (T1521.001) | Malware uses RC4 for encrypting C&C communication |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data over the C&C server |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7 | SHA256 | Session-based dropper |
| 9373860987c13cff160251366d2c6eb5cbb3867e | SHA1 | Session-based dropper |
| 0544cc3bcd124e6e3f5200416d073b77 | MD5 | Session-based dropper |
| 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc | SHA256 | Second-stage dropper |
| cb6f9bcd4b491858583ee9f10b72c0582bf94ab1 | SHA1 | Second-stage dropper |
| d9763c68ebbfaeef4334cfefc54b322f | MD5 | Second-stage dropper |
| 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359 | SHA256 | Final undetected Cerberus payload |
| c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b | SHA1 | Final undetected Cerberus payload |
| f9d5b402acee67675f87d33d7d52b364 | MD5 | Final undetected Cerberus payload |
| hxxp://cmsspain[.homes | URL | C&C server |
| hxxp://consulting-service-andro[.ru | URL | C&C server |
| hxxp://cmscrocospain[.shop | URL | C&C server |
| hxxp://cmsspain[.lol | URL | C&C server |
| hxxp://cmsspain[.shop | URL | C&C server |
| hxxp://elstersecure-plus[.online | URL | Distribution and phishing URL |
| hxxps://secure-plus[.online/ElsterSecure[.apk | URL | Distribution and phishing URL |
| hxxps://api[.telegram[.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text= | URL | Telegram bot URL |