Cerberus Android Trojan in New Malicious Banking Campaign

SeniorTechInfo

The Rise of ErrorFather: An Ongoing Cerberus Android Banking Trojan Campaign

A new, sophisticated malicious campaign has emerged, utilizing an undetected Cerberus Android banking Trojan payload, as reported by cybersecurity provider Cyble.

In a publication dated October 14, Cyble Research and Intelligence Labs (CRIL) reported identifying 15 malicious samples masquerading as Chrome and Play Store apps between mid-September and the end of October.

These samples use a multi-stage dropper to deploy a banking trojan payload that is built on the Cerberus banking Trojan.

Named the ErrorFather campaign, this ongoing threat showed increased activity in September and October 2024, suggesting the threat actor is scaling up its effort to reach specific victims.

The Evolution of Cerberus Banking Trojan and Its Variants

Cerberus made its appearance in underground marketplaces in 2019 as an Android banking trojan. It disguises itself as a legitimate app but operates maliciously to steal login credentials, credit card details, and other personal information.

Researchers at Cyble have highlighted Cerberus’ capability to abuse banking and social media apps through the Android Accessibility service, overlay attacks, and features such as VNC and keylogging, establishing it as one of the most recognized banking Trojans.

Following the leakage of Cerberus’ source code in 2020, a new variant known as ‘Alien’ emerged, building on Cerberus’ codebase. In 2021, another banking trojan named ‘ERMAC’ utilized Cerberus code to target over 450 financial and social media apps. In early 2024, the Phoenix Android Banking Trojan, another Cerberus fork, was discovered.

Unraveling the ErrorFather Campaign

The ErrorFather campaign represents the continued repurposing of Cerberus, according to Cyble researchers. Despite some modifications, the malware still rests on the original Cerberus code, which argues against classifying it as an entirely new family.

ErrorFather employs a complex infection chain involving multiple stages, complicating detection and removal efforts. It utilizes a Telegram bot named ‘ErrorFather’ for communication with the malware and employs keylogging, overlay attacks, VNC, and a domain generation algorithm (DGA) for malicious activities.

The use of a DGA, reminiscent of the Alien campaign in 2022, gives the malware resilience: it can compute fresh command and control (C2) server addresses on its own, so it keeps functioning even if the primary servers are taken down.
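To make the resilience point concrete from the defender's side, the added example below (not from the article or from Cyble's report) scores query names in a constructed DNS log with simple lexical heuristics (label entropy, digit ratio, vowel ratio) and flags the ones that look algorithmically generated, which is exactly the traffic a static blocklist of known C2 domains would miss. The log format, the thresholds and the domain names are assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (timestamp, client, qtype, qname); not real telemetry.
SAMPLE_DNS_LOG = """\
2024-10-14T09:12:01Z 10.0.0.21 A play.google.com
2024-10-14T09:12:03Z 10.0.0.21 A downloadmanager.net
2024-10-14T09:12:05Z 10.0.0.21 A xq7v3kzt9pm2wd.top
2024-10-14T09:12:06Z 10.0.0.21 A r8jd2lwq0zvx5h.top
2024-10-14T09:12:08Z 10.0.0.21 A mail.example.com
2024-10-14T09:12:09Z 10.0.0.21 A b4n0q9s7ytk1ze.xyz
"""

def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(fqdn):
    """Second-level label of a name (crude: assumes a single-part public suffix)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(fqdn):
    """0..3: one point per heuristic that suggests a machine-generated label."""
    label = registrable_label(fqdn)
    if len(label) < 8:          # short brand-like labels are not scored
        return 0
    entropy = shannon_entropy(label)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0
    score += entropy > 3.4      # near-uniform character use (assumed threshold)
    score += digits > 0.2       # digits mixed into the label (assumed threshold)
    score += vowels < 0.25      # unpronounceable, few vowels (assumed threshold)
    return int(score)

def flag_dga_queries(log_text, threshold=2):
    """Return (client, qname) pairs whose name scores at or above the threshold."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        if dga_score(qname) >= threshold:
            flagged.append((client, qname))
    return flagged
```

A hit on several distinct high-scoring names from one client in a short window is the signal worth alerting on; a single odd-looking name is often a CDN or tracking host.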

Despite being an older malware strain, the modified Cerberus in ErrorFather has eluded antivirus detection, emphasizing the persistent threat posed by revamped malware from previous leaks. The active C2 server indicates the ongoing nature of the campaign.

Cyble’s Mitigation Recommendations

Cyble offers the following recommendations to mitigate the ErrorFather campaign:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store
  • Utilize reputable antivirus and internet security software on all connected devices
  • Employ strong passwords and enable multi-factor authentication (MFA) whenever possible
  • Activate biometric security features like fingerprint or facial recognition on mobile devices
  • Ensure Google Play Protect is enabled on Android devices