
URL: https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/
Submission: On October 28 via api from IN — Scanned from DE




 * Trojan

 * October 14, 2024


HIDDEN IN PLAIN SIGHT: ERRORFATHER’S DEADLY DEPLOYMENT OF CERBERUS

Cyble Uncovers ErrorFather Campaign Utilizing Undetected Cerberus Android Trojan
Payload to Target Android Users.


KEY TAKEAWAYS



 * Cyble Research and Intelligence Labs (CRIL) identified a campaign called
   “ErrorFather” that utilized an undetected Cerberus Android Banking Trojan
   payload.
 * ErrorFather employs a sophisticated infection chain involving multiple stages
   (session-based droppers, native libraries, and encrypted payloads),
   complicating detection and removal efforts.
 * The campaign ramped up in activity in September and October 2024, with more
   samples and ongoing campaigns suggesting active targeting and scaling by the
   Threat Actors (TAs) behind the ErrorFather campaign.
 * The final payload employs keylogging, overlay attacks, VNC, and Domain
   Generation Algorithm (DGA) to perform malicious activities.
 * ErrorFather’s incorporation of a Domain Generation Algorithm (DGA) ensures
   resilience by enabling dynamic C&C server updates, keeping the malware
   operational even if primary servers are taken down.
 * The campaign highlights how repurposed malware from leaks can continue to
   pose significant threats years after its original appearance.


OVERVIEW



The Cerberus Android Banking Trojan initially emerged in 2019 and was available
for rent on underground forums. It gained notoriety for its ability to target
financial and social media apps by exploiting the Accessibility service, using
overlay attacks, and incorporating VNC and keylogging features. Its widespread
reach made it one of the most well-known banking trojans at the time.



In 2020, following the leak of Cerberus’ source code, a new variant called
“Alien” appeared, leveraging Cerberus’ codebase. Then, in 2021, another banking
trojan called “ERMAC” surfaced, also building on Cerberus’ code and targeting
over 450 financial and social media apps.

At the beginning of 2024, a new threat known as the Phoenix Android Banking
Trojan was discovered. Claiming to be a fresh botnet, Phoenix was found being
sold on underground forums. However, it was identified as yet another fork of
Cerberus, utilizing its exact source code, whereas Alien and ERMAC had
introduced some modifications.

Cyble Research and Intelligence Labs (CRIL) recently uncovered several malicious
samples posing as Chrome and Play Store apps. These samples use a multi-stage
dropper to deploy a banking trojan payload, which was found to be leveraging the
Cerberus Banking Trojan.

The identified sample
“0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7” acts as a
first-stage dropper application that drops and installs the final-signed.apk
from assets, communicates with a Telegram Bot URL, and sends the device model,
brand, and API version.

Figure 1 – First-stage malware connecting to Telegram Bot URL



The Telegram Bot ID corresponds to the ErrorFather Bot, as shown in the figure
below. Given the bot’s name and the recent updates to this variant (covered in
the Technical Analysis section), we are referring to this campaign as
ErrorFather.

Figure 2 – ErrorFather Telegram bot

We have identified approximately 15 samples related to the ErrorFather campaign,
including session-based droppers and their associated payloads. The first sample
was detected in mid-September 2024, followed by a noticeable increase in samples
during the first week of October 2024, with an active Command and Control (C&C)
server suggesting ongoing campaigns.

Figure 3 – Samples related to the ErrorFather campaign

The following section provides a technical analysis of the Cerberus malware used
by the ErrorFather Campaign.


TECHNICAL DETAILS




MULTI-STAGED DROPPER



The primary APK is a session-based dropper that contains a second-stage APK file
named “final-signed.apk” within the Assets folder. It uses the Google Play Store
icon and employs a session-based installation technique to install the APK from
the assets, bypassing restricted settings.

Figure 4 – Session-based dropper

The second-stage dropper, “final-signed.apk,” has a manifest file that requests
dangerous permissions and services, but the code implementation is missing,
indicating that the malware is packed. It includes a native file, “libmcfae.so,”
which is immediately loaded after installation to decrypt and execute the final
payload.

Figure 5 – Second-stage dropper loading native file

The native file is responsible for handling the final payload. It uses the
encrypted file “rbyypivsnw.png,” obtains the AES key and initialization vector
(IV), performs decryption, and loads the “decrypted.dex” file at the location
/data/data/suds.expend.affiliate.rising/code_cache/, as illustrated in the
figure below.

Figure 6 – Third-stage dropper loading final payload

The decrypted.dex file is the final payload, containing malicious
functionalities such as keylogging, overlay attacks, VNC, PII collection, and
the use of a Domain Generation Algorithm (DGA) to create a Command and Control
(C&C) server. Notably, when submitted to VirusTotal, the decrypted.dex file was
not flagged by any antivirus engine.

Figure 7 – Zero detection
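The three stages described above leave structural traces in the package itself: a second APK sitting under assets/, an asset with an image extension whose bytes are not an image, and a native library doing the work that a near-empty dex does not. The triage script below is an added example (not Cyble's tooling and not the malware's code) that looks for exactly those traces in an APK. The file names final-signed.apk, rbyypivsnw.png and libmcfae.so are taken from the analysis above, but the bytes of the sample package, the 50 KB "small dex" threshold and the finding labels are constructed for illustration.

```python
import io
import zipfile

# Magic bytes for image formats commonly used to disguise encrypted payloads.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
ZIP_MAGIC = b"PK\x03\x04"
SMALL_DEX_BYTES = 50 * 1024  # heuristic threshold (assumption, not from the report)


def triage_apk(apk_bytes: bytes) -> list:
    """Return (finding, member_path) tuples for suspicious members of an APK.

    Checks mirror the dropper chain described in the report:
      nested-archive-in-assets    a zip/APK stored under assets/ (session-based dropper)
      disguised-image-asset       an asset named like an image whose bytes are not that image
      native-lib-with-little-dex  .so libraries present while the dex code is tiny (packed)
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex_total = 0
        native_libs = []
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.startswith("assets/"):
                head = zf.open(info).read(8)
                if head.startswith(ZIP_MAGIC):
                    findings.append(("nested-archive-in-assets", name))
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                magic = IMAGE_MAGIC.get(ext)
                if magic is not None and not head.startswith(magic):
                    findings.append(("disguised-image-asset", name))
            elif lower.startswith("lib/") and lower.endswith(".so"):
                native_libs.append(name)
            elif lower.startswith("classes") and lower.endswith(".dex"):
                dex_total += info.file_size
        if native_libs and dex_total < SMALL_DEX_BYTES:
            for lib in native_libs:
                findings.append(("native-lib-with-little-dex", lib))
    return findings


def build_sample_apk() -> bytes:
    """Constructed in-memory package mimicking the second-stage layout; none of
    these bytes come from a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)  # binary XML stub
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 512)  # tiny stub dex
        zf.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/rbyypivsnw.png", bytes(range(256)) * 4)  # "png" that is not a PNG
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # genuine PNG header
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("assets/final-signed.apk", inner.getvalue())  # nested APK
    return buf.getvalue()


if __name__ == "__main__":
    for kind, path in triage_apk(build_sample_apk()):
        print(f"{kind:28s} {path}")
```

Run it against a real APK with `triage_apk(open(path, "rb").read())`; none of the three findings proves malice on its own (games ship native code and compressed assets), but an asset whose "image" has no image header next to a nested APK is the combination worth pulling into a sandbox.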


LEVERAGING CERBERUS CODE



Based on the detection count, we initially suspected it to be a fresh banking
trojan, but upon deeper analysis of the final payload, we discovered significant
code similarities with Cerberus. The TA behind the ErrorFather campaign had
modified variable names, used more obfuscation, and reorganized the code,
effectively evading detection despite Cerberus having been identified in 2019.

Figure 8 – ErrorFather’s shared preference settings containing common keys and
following a similar structure as Cerberus

Comparing the Cerberus sample and the more recent Phoenix botnet, we noticed
changes in this recent variant of Cerberus used in the ErrorFather campaign,
particularly in its C&C structure. These differences suggest that the identified
sample is a distinct malware variant.


USE OF DGA



We observed the malware retrieving a list of C&C servers using two methods. First,
after installation and establishing a connection with the main C&C server,
referred to by the TA as “PoisonConnect,” the malware receives a list of four
additional C&C servers. It then stores these in the “ConnectGates” shared
preferences setting, as shown in the figure below.

Figure 9 – Malware receiving C&C server list

Figure 10 – Received list of C&C servers saved to Shared Preferences

We observed a slight variation in the C&C communication. Samples from the
ErrorFather campaign solely use RC4 encryption to send a full JSON payload,
including the action type. In contrast, earlier Cerberus samples utilized Base64
encoding combined with RC4, with the action type sent unencrypted via separate
parameters. The figure below illustrates the C&C communication for both the
ErrorFather campaign and the earlier Cerberus samples.

Figure 11 – C&C communication of ErrorFather (left) and earlier Cerberus samples
(Right)
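To make the difference between the two C&C formats concrete, here is an added example (not code from the report and not the malware's own code) that builds and decodes both shapes of request with a constructed key. It assumes a JSON body, that the earlier format applied Base64 over the RC4 output and carried the action in a cleartext parameter named action, and that the ErrorFather format carries the action inside the JSON under a key named type (echoing the "Actions" to "Types" renaming described later); the field names, parameter names and key are illustrative, not recovered values.

```python
import base64
import json

SAMPLE_KEY = b"constructed-sample-key"  # constructed; not a key recovered from any sample


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling followed by the keystream generator.
    The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ErrorFather style: one RC4-encrypted JSON body with the action type inside it.
def build_errorfather_request(key: bytes, action: str, fields: dict) -> bytes:
    payload = dict(fields, type=action)  # "type" is the assumed in-JSON action key
    return rc4(key, json.dumps(payload, separators=(",", ":")).encode())


def decode_errorfather_request(key: bytes, body: bytes) -> dict:
    return json.loads(rc4(key, body).decode())


# Earlier Cerberus style: action in a cleartext parameter, data = Base64(RC4(JSON)).
def build_legacy_request(key: bytes, action: str, fields: dict) -> dict:
    data = base64.b64encode(rc4(key, json.dumps(fields).encode())).decode()
    return {"action": action, "data": data}


def decode_legacy_request(key: bytes, params: dict) -> tuple:
    fields = json.loads(rc4(key, base64.b64decode(params["data"])).decode())
    return params["action"], fields


def action_visible_without_key(request):
    """What a network sensor can read with no key: the legacy form exposes the
    action name in a parameter, the ErrorFather form exposes nothing."""
    if isinstance(request, dict) and "action" in request:
        return request["action"]
    return None


if __name__ == "__main__":
    fields = {"apps": ["com.example.bank", "com.example.social"]}
    new_body = build_errorfather_request(SAMPLE_KEY, "checkAppList", fields)
    old_params = build_legacy_request(SAMPLE_KEY, "checkAppList", fields)
    print("ErrorFather body (hex):", new_body.hex())
    print("legacy params:", old_params)
    print("visible action, new/old:", action_visible_without_key(new_body),
          action_visible_without_key(old_params))
```

The detection consequence is the point of `action_visible_without_key`: the earlier layout leaked the action name in cleartext, so a network signature could key on it, whereas in the ErrorFather layout nothing about the command is visible until the RC4 key has been pulled from the sample and fed to `decode_errorfather_request`.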

Second, the malware incorporates a DGA (Domain Generation Algorithm) that
uses the Istanbul timezone to obtain the current date and time. It then
computes an MD5 hash and passes the digest through SHA-1, appending one of four
extensions: “.click”, “.com”, “.homes”, and “.net”. These generated domains are
stored in the same “ConnectGates” setting. The figure below demonstrates the DGA
used in the ErrorFather campaign.

Figure 12 – DGA used in the ErrorFather campaign

Figure 13 – DGA code

The figure below illustrates the malware connecting to domains generated by a
DGA when the primary C&C server is unavailable.

Figure 14 – Malware connecting to the domains generated by DGA

In 2022, Alien was observed similarly implementing a DGA process. However,
unlike the ErrorFather campaign, it did not maintain a list of domains, used
only the “.xyz” extension, and did not rely on a specific timezone.
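The DGA scheme above (Istanbul date, MD5, SHA-1, four extensions) is enough to build a watch-list generator and a matcher for DNS logs, which is how a defender normally uses a published DGA description. The block below is an added example, not the malware's code and not Cyble's; the details the report does not give are assumptions and labelled as such in the code: the seed string errorfather, the ISO date format, feeding the MD5 hex digest into SHA-1, and using the full 40-character SHA-1 hex as the domain label. It uses Istanbul's fixed UTC+3 offset rather than a tz database lookup, and the query-log lines are constructed. It goes slightly beyond the text in two ways: it generates candidates for a window of days around the current Istanbul date to absorb clock skew, and it adds a structural check that flags a 40-hex-character label under those four extensions even when the seed assumption is wrong.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

ISTANBUL = timezone(timedelta(hours=3))  # Istanbul has used fixed UTC+3 since 2016
TLDS = (".click", ".com", ".homes", ".net")  # the four extensions named in the report
HEX40 = re.compile(r"^[0-9a-f]{40}$")
# Simplified query-log line; the format is constructed for this example.
DNS_LINE = re.compile(r"client (?P<src>\S+) query: (?P<qname>\S+) IN A")


def istanbul_date(utc_iso: str) -> str:
    """Calendar date in Istanbul for a naive UTC timestamp like '2024-10-14T22:30:00'."""
    utc = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    return utc.astimezone(ISTANBUL).date().isoformat()


def dga_candidates(day_iso: str, seed: str = "errorfather") -> list:
    """Candidate C&C domains for one day: date -> MD5 -> SHA-1 -> each TLD.
    ASSUMPTIONS (not given in the report): the seed string, concatenating it
    with the ISO date, hashing the MD5 *hex* digest, and using the whole SHA-1
    hex digest as the label."""
    md5_hex = hashlib.md5(f"{seed}{day_iso}".encode()).hexdigest()
    sha1_hex = hashlib.sha1(md5_hex.encode()).hexdigest()
    return [sha1_hex + tld for tld in TLDS]


def watch_window(utc_iso: str, days: int = 1) -> set:
    """Union of candidates for the Istanbul date and +/- `days` around it."""
    centre = datetime.fromisoformat(istanbul_date(utc_iso))
    out = set()
    for delta in range(-days, days + 1):
        out.update(dga_candidates((centre + timedelta(days=delta)).date().isoformat()))
    return out


def looks_like_dga(qname: str) -> bool:
    """Structural check independent of the seed: 40 hex chars under one of the TLDs."""
    host = qname.lower().rstrip(".")
    return any(host.endswith(tld) and HEX40.match(host[: -len(tld)]) for tld in TLDS)


def match_dns_log(lines, watch: set) -> list:
    """(source, qname) for every query that hits the watch list."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and m.group("qname").lower().rstrip(".") in watch:
            hits.append((m.group("src"), m.group("qname")))
    return hits


def sample_log(utc_iso: str) -> list:
    """Constructed log lines; the second one queries a candidate for the Istanbul date."""
    hit = dga_candidates(istanbul_date(utc_iso))[0]
    return [
        "client 10.0.0.5#41234 query: www.example.com IN A",
        f"client 10.0.0.7#51877 query: {hit} IN A",
        "client 10.0.0.9#40021 query: updates.example.net IN A",
    ]


if __name__ == "__main__":
    now = "2024-10-14T22:30:00"
    print("Istanbul date:", istanbul_date(now))
    for hit in match_dns_log(sample_log(now), watch_window(now)):
        print("watch-list hit:", hit)
```

Note the timezone step: at 22:30 UTC on 14 October it is already 15 October in Istanbul, so a generator keyed on the sensor's UTC clock would miss that day's domains; the day window covers that and ordinary clock drift. Once the real seed and formatting are recovered from a sample, only `dga_candidates` needs to change.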


ACTIONS USED BY MALWARE



The TA has renamed the “Actions” to “Types,” as shown in Figure 11. These
renamed types indicate the actions performed by the malware and the expected
commands from the C&C server. Upon analysis, we observed that the actions
carried out by this malware closely resemble those seen in earlier Cerberus
variants, with the primary difference being the renaming of action identifiers.
Below is a comprehensive list of actions performed by the malware.

Type of action | Description
checkAppList | Sends the list of installed application package names
getFile | Sends the target application package name to receive the HTML injection file
getResponse | Retrieves the server’s response and, if it is “ok”, stores the application log in the shared preferences file
PrimeService | Sends key logs of the targeted application
getBox | Sends SMSs from the infected device
fa2prime | Not implemented
prContact | Sends contacts to the server
listAppX | Similar to “checkAppList”: the malware stores the list of installed application package names based on a command from the server; otherwise the list remains empty. It then sends the list of installed application package names using this action name
slService | Sends Accessibility logs
ErrorWatch | Sends error logs
device_status | Sends device status related to the WebSocket connection
image | Sends captured images as part of the VNC function
traverse | Sends accessibility node information
CheckDomain | Sent to a DGA-generated domain to validate that domain
RegisterUser | Registers the device and receives a registration ID, similar to a bot ID
CheckUser | Sends setting information and checks whether the user is registered


VNC IMPLEMENTATION USING MEDIAPROJECTION



During our malware analysis, we identified two keywords related to VNC:
“StatusVNC” and “StatusHVNC.” While HVNC implementation is absent in this
campaign, it was previously present in the Phoenix botnet, a fork of Cerberus.
VNC functionality is implemented using MediaProjection, along with a WebSocket
connection to continuously transmit screen images and receive VNC actions from
the WebSocket response to interact with the device.

Figure 15 – The VNC WebSocket connection is used to receive commands that
trigger actions on the infected device


OVERLAY ATTACK



The overlay technique remains unchanged from the earlier Cerberus variant. The
malware first sends the installed application package names list to identify
potential targets. Once a target is identified, the server responds with the
package names of the target applications. The malware then uses the “getFile”
action to retrieve the HTML web injection page, as shown in the figure below.

Figure 16 – Malware sends installed application package names and receives
target application

Figure 17 – Receives HTML injection file

When the victim interacts with the target application, the malware loads a fake
phishing page over the legitimate app. This tricks the victim into entering
their login credentials and credit card details on the fraudulent banking
overlay page.

Figure 18 – HTML injection page for BBVA bank

The Cerberus malware used in the ErrorFather campaign can carry out financial
fraud through VNC, keylogging, and overlay attacks.


CONCLUSION



The Cerberus Android Banking Trojan, first identified in 2019, became a
prominent tool for financial fraud using VNC, keylogging, and overlay attacks.
Following the leak of its source code, various threat actors repurposed the
Cerberus code to develop new banking trojans, including Alien, ERMAC, and
Phoenix. The ErrorFather campaign is another example of this pattern. While the
TA behind ErrorFather has slightly modified the malware, it remains primarily
based on the original Cerberus code, making it inappropriate to classify it as
entirely new malware.

In the ErrorFather campaign, the malware uses a multi-stage dropper to deploy
its payload and leverages techniques such as VNC, keylogging, and HTML injection
for fraudulent purposes. Notably, the campaign utilizes a Telegram bot named
“ErrorFather” to communicate with the malware. Despite being an older malware
strain, the modified Cerberus used in this campaign has successfully evaded
detection by antivirus engines, further highlighting the ongoing risks posed by
retooled malware from previous leaks.

The ErrorFather campaign exemplifies how cybercriminals continue to repurpose
and exploit leaked malware source code, underscoring the persistent threat of
Cerberus-based attacks even years after the original malware’s discovery.


OUR RECOMMENDATIONS



We have listed some essential cybersecurity best practices that create the first
line of control against attackers. We recommend that our readers follow the best
practices given below:

 * Download and install software only from official app stores like Google Play
   Store or the iOS App Store.
 * Use a reputable anti-virus and internet security software package on your
   connected devices, such as PCs, laptops, and mobile devices.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Enable biometric security features such as fingerprint or facial recognition
   for unlocking the mobile device where possible.
 * Be wary of opening any links received via SMS or emails delivered to your
   phone.
 * Ensure that Google Play Protect is enabled on Android devices.
 * Be careful while enabling any permissions.
 * Keep your devices, operating systems, and applications updated.


MITRE ATT&CK® TECHNIQUES





Tactic | Technique ID | Procedure
Initial Access (TA0027) | Phishing (T1660) | Malware distributed via a phishing site
Execution (TA0041) | Native API (T1575) | Malware uses native code to drop the final payload
Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretends to be the Google Play Update and Chrome application
Defense Evasion (TA0030) | Application Discovery (T1418) | Collects the installed application package name list to identify targets
Defense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | Malware can uninstall itself
Defense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data
Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware can capture keystrokes
Discovery (TA0032) | Software Discovery (T1418) | Malware collects the installed application package list
Discovery (TA0032) | System Information Discovery (T1426) | Malware collects basic device information
Collection (TA0035) | Screen Capture (T1513) | Malware can record screen content
Collection (TA0035) | Audio Capture (T1429) | Malware captures audio recordings
Collection (TA0035) | Call Control (T1616) | Malware can make calls
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | Malware steals contacts
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device
Command and Control (TA0037) | Dynamic Resolution: Domain Generation Algorithms (T1637.001) | Malware has implemented a DGA
Command and Control (TA0037) | Encrypted Channel: Symmetric Cryptography (T1521.001) | Malware uses RC4 to encrypt C&C communication
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C&C server


INDICATORS OF COMPROMISE (IOCS)




