Latest wave of Cerberus targets English-speaking users

Following the recent discoveries shared by @MalwareHunterTeam and @LukasStefanko on Twitter, I took a closer look at the ongoing Cerberus Android banking Trojan campaign. It has recently reared its head to target English-speaking users via a fake food delivery app:

(Figure 1 – The fake website that drops food-delivery.apk)

(Figure 2 – Downloading and granting permissions to the Trojanised application)

If the APK is downloaded and the requested permissions are granted, the user’s device is infected with a banking Trojan that shares multiple similarities with the infamous Cerberus Android banking Trojan. Further investigation into this campaign revealed the attacker’s infrastructure through a shared host, the same gTLD (.top), and the same registrant details.

Virus Total Graph of the campaign:

https://www.virustotal.com/graph/embed/g3c4dee2e1e5641479df0a4eee273ce3a68ca97e7608047b59ae735c60533c958

Themes of Trojanised Applications distributed by this Cerberus operator:

Cerberus web injects database:

(Figure 3 – Picture of the Cerberus web injects database for reference)

Analysis:

The Cerberus banking Trojan persists, even though the project reportedly shut down in August 2020. The malware authors stated that the project had come to an end after Google Play Protect blocked the Trojan’s functionality. However, they released the source code for versions 1 and 2, the install scripts, admin panels, and the SQL database structure. This has led to the current situation whereby Cerberus campaigns continue to appear in the wild despite the malware’s original controllers having relinquished control. [source]

Over the last year, Cerberus has typically targeted users in Turkey and Poland. However, these fake applications are written in English, which suggests the operator’s targeting is expanding and shifting to English-speaking countries. Organisations, particularly in finance, must remain vigilant for emerging mobile threats that continue to bypass anti-fraud protection systems and compromise Android devices. All smartphones should be upgraded to the latest version of the OS, and unverified apps should not be downloaded from websites or third-party app stores.

Indicators of Compromise (IOCs):

Dropper:

  • food-delivery[.]vip
  • hxxps://food-delivery[.]vip/food-delivery.apk

C&C domains:

  • thedfrtyjgec[.]top
  • truespinzer[.]top
  • creamcrime[.]top
  • creamnails[.]top
  • gulispikers[.]top
  • dsfikj2dsfmolds[.]top
  • coolcalmedice[.]top
  • yearofchill[.]top
  • cosmeticpower[.]top
  • treeanddream[.]top

APKs:

  • Food delivery (battle.jealous.egg) – de3749224879f19a22df2a15501d87eb
  • Food delivery (head.boil.famous) – 08082902af8d1e190ff981eac35a93f5
  • Cash carry (panda.sail.exit) – 3fd26dc2eac86bcae777d7a05d20facc
  • Cash carry (tube.remove.exhibit) – 5de40b831b52853ddfeebda9765ee80d
  • Flash Player (hammer.gap.shiver) – d305cc92efd4709b5c6bd229c6392c3a
  • Flash Player (height.dragon.again) – 848a17ca546bbe9a573760c4307f2a2f
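A defender's first use of the IOCs above is to sweep DNS telemetry and APK inventories for them. The script below is an added example, not part of the original post: it refangs the defanged domains, matches DNS query names (including subdomains of a listed C&C domain, but not look-alike names that merely end in the same string) and looks up APK hashes against the list. The log line format and the sample log lines are constructed for the example; the 32-character hashes are assumed to be MD5, which is how they are published in the post.

```python
import hashlib
import re

# IOC domains exactly as published in the post (defanged with "[.]").
DROPPER_DOMAINS = ["food-delivery[.]vip"]
C2_DOMAINS = [
    "thedfrtyjgec[.]top", "truespinzer[.]top", "creamcrime[.]top",
    "creamnails[.]top", "gulispikers[.]top", "dsfikj2dsfmolds[.]top",
    "coolcalmedice[.]top", "yearofchill[.]top", "cosmeticpower[.]top",
    "treeanddream[.]top",
]

# APK hashes from the post, keyed by lowercase hex digest (assumed MD5).
APK_MD5 = {
    "de3749224879f19a22df2a15501d87eb": "Food delivery (battle.jealous.egg)",
    "08082902af8d1e190ff981eac35a93f5": "Food delivery (head.boil.famous)",
    "3fd26dc2eac86bcae777d7a05d20facc": "Cash carry (panda.sail.exit)",
    "5de40b831b52853ddfeebda9765ee80d": "Cash carry (tube.remove.exhibit)",
    "d305cc92efd4709b5c6bd229c6392c3a": "Flash Player (hammer.gap.shiver)",
    "848a17ca546bbe9a573760c4307f2a2f": "Flash Player (height.dragon.again)",
}


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Flat lookup: refanged domain -> role in the campaign.
IOC_DOMAINS = {refang(d): "dropper" for d in DROPPER_DOMAINS}
IOC_DOMAINS.update({refang(d): "c2" for d in C2_DOMAINS})

# Hypothetical resolver log format: "<timestamp> <client-ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)$")


def domain_matches(qname):
    """Return the IOC role if qname is a listed domain or a subdomain of one, else None.

    "notcreamcrime.top" must not match "creamcrime.top", so the subdomain check
    requires a dot boundary rather than a plain suffix test.
    """
    q = qname.rstrip(".").lower()
    for dom, role in IOC_DOMAINS.items():
        if q == dom or q.endswith("." + dom):
            return role
    return None


def scan_dns_log(lines):
    """Return (timestamp, client, qname, role) for every log line that hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        role = domain_matches(m.group("qname"))
        if role:
            hits.append((m.group("ts"), m.group("src"), m.group("qname"), role))
    return hits


def scan_apk_hashes(digests):
    """Return {digest: label} for every supplied digest that is a listed APK."""
    return {h: APK_MD5[h] for h in (d.lower() for d in digests) if h in APK_MD5}


def md5_of_file(path):
    """Hash an APK on disk so its digest can be fed to scan_apk_hashes()."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log: one dropper hit, one C&C subdomain hit (with a trailing
# dot), one look-alike that must NOT match, one upper-case C&C hit, one benign name.
SAMPLE_LOG = [
    "2021-01-12T10:01:02Z 10.0.0.5 query food-delivery.vip",
    "2021-01-12T10:01:05Z 10.0.0.5 query cdn.example.com",
    "2021-01-12T10:02:10Z 10.0.0.5 query api.creamcrime.top.",
    "2021-01-12T10:02:11Z 10.0.0.7 query notcreamcrime.top",
    "2021-01-12T10:03:00Z 10.0.0.9 query TREEANDDREAM.TOP",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("DNS hit:", hit)
    for digest, label in scan_apk_hashes(["DE3749224879F19A22DF2A15501D87EB"]).items():
        print("APK hit:", digest, label)
```

Point `scan_dns_log` at your resolver or EDR DNS export (adjusting `LOG_RE` to its format) and feed `scan_apk_hashes` the digests from an MDM inventory or from `md5_of_file` over collected APKs; any hit on a C&C domain from a handset is worth treating as a likely active infection rather than just a download attempt.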