S0480 Cerberus
Cerberus is an Android banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.[1]
| Item | Value |
|---|---|
| ID | S0480 |
| Associated Names | - |
| Type | MALWARE |
| Version | 1.1 |
| Created | 26 June 2020 |
| Last Modified | 11 September 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Cerberus communicates with the C2 server using HTTP.[2] |
| mobile | T1407 | Download New Code at Runtime | Cerberus can update the malicious payload module on command.[1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | Cerberus hides its icon from the application drawer after being launched for the first time.[1] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.001 | Uninstall Malicious Application | Cerberus can uninstall itself from a device on command.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Cerberus can record keystrokes.[1] |
| mobile | T1417.002 | GUI Input Capture | Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[1] |
| mobile | T1516 | Input Injection | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.[1][2] |
| mobile | T1430 | Location Tracking | Cerberus can collect the device’s location.[1] |
| mobile | T1509 | Non-Standard Port | Cerberus communicates with the C2 using HTTP requests over port 8888.[2] |
| mobile | T1406 | Obfuscated Files or Information | Cerberus uses standard payload and string obfuscation techniques.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Cerberus can obtain the device’s contact list.[1] |
| mobile | T1636.004 | SMS Messages | Cerberus can collect SMS messages from a device.[1] |
| mobile | T1582 | SMS Control | Cerberus can send SMS messages from a device.[1] |
| mobile | T1418 | Software Discovery | Cerberus can obtain a list of installed applications.[1] |
| mobile | T1426 | System Information Discovery | Cerberus can collect device information, such as the default SMS app and device locale.[1][2] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.[1] |
References
1. Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
2. A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.