Request a Demo
Rewterz
Rewterz Threat Alert –GandCrab Ransomware – Active IOCs
August 22, 2021
Rewterz
Rewterz Threat Advisory – Detection and Prevention of Web Shell Malware
August 22, 2021

Rewterz Threat Alert – Cerberus Banking Trojan – Active IOCs

Severity

High

Analysis Summary

A recent analysis of the Cerberus banking Trojan, performed by Anomali, delves into its current capabilities, including the current malware-as-a-service activity associated with the malware. Cerberus is sold as a malware-as-a-service, likely to fill the gap of black market Android Trojans created when the sale of the Anubis and Red Alert malware ceased. Code analysis led researchers to the conclusion that this family does not share code with other Android banking Trojans and, thus, appears to be newly written. A user named Android is advertising the malware via the XSS.is hacking forum and Twitter. Purchasers of the malware-as-a-service receive access to a control panel for monitoring and control their bots, an APK builder, and an inject generator. Once installed on a victim device, the operators are able to send and intercept SMS messages, open fake login pages, get system information, perform injects, and many other capabilities. One of the most significant capabilities of Cerberus is the SMS functionality as it allows operators to intercept multi-factor authentication codes for accounts using SMS as an additional authentication factor. Overlays used for traditional banking Trojan credential-stealing purposes included those targeting banking, e-commerce, fin-tech, and telecommunication organizations globally.

Impact

  • Credential Theft
  • Financial Loss

Indicators of Compromise

SHA-256

  • bc9f2f9e4b6243b3d2bf9a2683d8553cb30760ed08dfe7bb11f39e76b0642e7b
  • cafb7036670b946ae7b8ba5bdc37df68f60c0f0a371b3a6c0a129eaca1f05a3e
  • cf49cf816453fb5791fc886cea1f8ec28354403987846c3c3b17068dfd619a57
  • ed153c61dc3ef497e543d06595bc9a6d77534ec33fc5381a397a885030101a7e
  • e92bb610d22573f502c8265c982a2cb3c54057ab96d2ef470fbb5cf27d16ccc8
  • 06f476ea954a0adc82991daefb7554abd1a79f5fd029837c7cc600aead39f0f3
  • 4a65d42f435b5b09a2b90470b5cabad3426cdc03b682c9213a65c29216e93f77
  • 20fffa5f155c81ef36e61eb86ef9e31c61c347f71e650a561081016cf61f7769
  • 79c72c3a67d720e90520c6ba49f416a39d4f8efa3a425ad2c614997ce34c89d4
  • 92bda9528a229e08f62d15a55b516d2385947a240711c7b6e69bdce712dae9e1
  • 3101983765b7e64bb5a0a66e5460fbeb43a07ef1898f94372da224f9229931d6
  • 4bb01aa0d64e90f69106ebfd760f57ee5864aed39f3d7f6bcfc9f013032424df

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.