Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus

Oct. 15, 2024, 9:45 a.m.

Description

This report examines a campaign called 'ErrorFather' that utilizes an undetected variant of the Cerberus Android Banking Trojan. The campaign employed a sophisticated multi-stage dropper technique to deploy the malicious payload, which incorporated features like keylogging, overlay attacks, VNC, and a Domain Generation Algorithm (DGA) for resilience. Despite being based on leaked Cerberus code from 2019, this variant successfully evaded detection, highlighting the persistent threats posed by retooled malware. The report provides a detailed technical analysis of the malware's functionality and the campaign's tactics.

External References

https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/
https://otx.alienvault.com/pulse/670e3308e2ce0616e8af8487
Tags
malware
android
dropper
banking
overlay
2024-10-15
cerberus

Date

  • Created: Oct. 15, 2024, 9:16 a.m.
  • Published: Oct. 15, 2024, 9:16 a.m.
  • Modified: Oct. 15, 2024, 9:45 a.m.

Indicators

  • c570e075f9676e79a1c43e9879945f4fe0f54ef5c78a5289fe72ce3ef6232a14
  • 9d966baefa96213861756fde502569d7bba9c755d13e586e7aaca3d0949cbdc3
  • 8faa93be87bb327e760420b2faa33f0f972899a47c80dc2bc07b260c18dfcb14
  • 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc
  • 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359
  • 6b8911dfdf1961de9dd2c3f9b141a6c5b1029311c66e9ded9bca4d21635c0c49
  • 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11
  • 4c7f90d103b54ba78b85f92d967ef4cdcc0102d3756e1400383e774d2f27bb2e
  • 136d00629e8cd59a6be639b0eaef925fd8cd68cbcbdb71a3a407836c560b8579
  • 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7
  • c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0
  • a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
  • 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647
  • https://api.telegram.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text=
  • https://secure-plus.online/ElsterSecure.apk
  • http://elstersecure-plus.online
  • http://consulting-service-andro.ru
  • http://cmsspain.shop
  • http://cmsspain.homes
  • http://cmscrocospain.shop
Download all indicators here!

Attack Patterns

  • Cerberus