S0480 Cerberus
Cerberus is an Android banking trojan that is rented out on underground forums and marketplaces. Its authors claim that, before it was offered for rent, it had been used in private operations for two years.[1]
Item | Value |
---|---|
ID | S0480 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 26 June 2020 |
Last Modified | 11 September 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
mobile | T1432 | Access Contact List | Cerberus can obtain the device’s contact list.[1] |
mobile | T1418 | Application Discovery | Cerberus can obtain a list of installed applications.[1] |
mobile | T1412 | Capture SMS Messages | Cerberus can collect SMS messages from a device.[1] |
mobile | T1476 | Deliver Malicious App via Other Means | Cerberus has been delivered via websites that prompt the user to “[…] install Adobe Flash Player” and then download the malicious APK to the device.[3] |
mobile | T1407 | Download New Code at Runtime | Cerberus can update its malicious payload module on command.[1] |
mobile | T1523 | Evade Analysis Environment | Cerberus stays dormant until the device’s accelerometer has registered a set number of steps, a pedometer check that emulators and sandboxes without simulated motion do not satisfy.[1] |
mobile | T1417 | Input Capture | Cerberus can record keystrokes.[1] |
mobile | T1516 | Input Injection | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent its own removal.[1][2] |
mobile | T1411 | Input Prompt | Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[1] |
mobile | T1478 | Install Insecure or Malicious Configuration | Cerberus disables Google Play Protect to avoid being detected and removed later.[1] |
mobile | T1430 | Location Tracking | Cerberus can collect the device’s location.[1] |
mobile | T1444 | Masquerade as Legitimate Application | Cerberus has posed as an Adobe Flash Player installer.[3] |
mobile | T1406 | Obfuscated Files or Information | Cerberus uses standard payload and string obfuscation techniques.[1] |
mobile | T1582 | SMS Control | Cerberus can send SMS messages from a device.[1] |
mobile | T1437 | Standard Application Layer Protocol | Cerberus communicates with its C2 server over HTTP.[2] |
mobile | T1508 | Suppress Application Icon | Cerberus hides its icon from the application drawer after its first launch.[1] |
mobile | T1426 | System Information Discovery | Cerberus can collect device information such as the default SMS app and the device locale.[1][2] |
mobile | T1509 | Uncommonly Used Port | Cerberus communicates with its C2 server over port 8888.[2] |
mobile | T1576 | Uninstall Malicious Application | Cerberus can uninstall itself from a device on command.[1] |
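The two network rows in the table (HTTP as the C2 protocol, port 8888) are the only indicators on this page that can be hunted from the network side rather than on the handset. The following Python hunt is an added example, not code from the ATT&CK page or from any of its cited reports: it parses a constructed firewall-style connection log and reports source/destination pairs that repeatedly carry plain HTTP to port 8888. The log format, its field names (src, dst, dport, proto, app) and all addresses are assumptions invented for the example. Plain HTTP on 8888 is also used by legitimate software, so a hit is a lead to correlate with the device-side behaviours above (hidden icon, disabled Play Protect, accessibility-driven input injection), not a Cerberus verdict by itself.

```python
"""Hunt for Cerberus-style C2 traffic: plain HTTP to TCP/8888 (ATT&CK T1437 + T1509).

Added example; the log format and addresses below are constructed, not real data.
"""
import re
from collections import Counter

# Constructed sample log (assumed generic firewall export; not real Cerberus traffic).
# Line 7 is HTTP on 8888 but over TLS (app=ssl), line 8 is deliberately malformed.
SAMPLE_LOG = """\
2020-08-01T10:00:01Z src=10.0.0.21 dst=203.0.113.5 dport=443 proto=tcp app=ssl
2020-08-01T10:00:03Z src=10.0.0.21 dst=203.0.113.7 dport=8888 proto=tcp app=http
2020-08-01T10:00:09Z src=10.0.0.35 dst=198.51.100.9 dport=8888 proto=tcp app=http
2020-08-01T10:00:12Z src=10.0.0.35 dst=198.51.100.9 dport=8888 proto=tcp app=http
2020-08-01T10:00:15Z src=10.0.0.40 dst=192.0.2.3 dport=80 proto=tcp app=http
2020-08-01T10:00:20Z src=10.0.0.21 dst=203.0.113.7 dport=8888 proto=tcp app=http
2020-08-01T10:00:25Z src=10.0.0.50 dst=192.0.2.8 dport=8888 proto=tcp app=ssl
this line is not a connection record
"""

# Regex for the assumed key=value log layout; anything else is skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\S+)\s+app=(?P<app>\S+)$"
)


def parse_line(line):
    """Return a dict for one well-formed record, or None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_http_on_port(log_text, port=8888, app="http"):
    """Count (src, dst) pairs that send application-layer `app` to `port`.

    Both conditions must hold: the uncommon port alone (T1509) or HTTP alone
    (T1437) would flag far too much ordinary traffic.
    """
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == port and rec["app"] == app:
            pairs[(rec["src"], rec["dst"])] += 1
    return dict(pairs)


def rank_candidates(log_text, port=8888, min_hits=2):
    """Return (src, dst, hits) for pairs seen at least `min_hits` times.

    Repeated contact with the same host on the same odd port is what makes a
    pair look like a beaconing implant rather than a one-off download.
    """
    pairs = find_http_on_port(log_text, port)
    ranked = [(s, d, n) for (s, d), n in pairs.items() if n >= min_hits]
    ranked.sort(key=lambda t: (-t[2], t[0], t[1]))
    return ranked


if __name__ == "__main__":
    for src, dst, hits in rank_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}:8888 plain HTTP, {hits} connections: review device")
```

On the sample log the hunt reports 10.0.0.21 to 203.0.113.7 and 10.0.0.35 to 198.51.100.9, each with two plain-HTTP connections to port 8888; the TLS connection on 8888 and the HTTP connection on port 80 are left alone, and the malformed line is skipped rather than mis-parsed. The next step for each flagged source would be pulling the handset and checking the table's device-side behaviours.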
References
- [1] ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- [2] A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.
- [3] Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). Retrieved June 26, 2020.