Cerberus

Malware profile, last updated 2024-10-15T14:00:58.654Z
Cerberus is an Android banking trojan that first appeared for rent on underground forums in 2019. It is typically distributed as a sideloaded APK reached through phishing links, SMS, or malicious websites rather than through Google Play, and once installed it hides its icon and runs in the background. Its core capabilities are those of an overlay banker: it draws fake login screens over targeted banking and other apps to harvest credentials, and it intercepts SMS messages so that one-time codes sent to the victim can be relayed to the operator.

In 2020, after Cerberus' source code was leaked, a new variant called 'Alien' emerged from the same codebase. The following year another banking trojan, 'ERMAC', also built on Cerberus code, was observed targeting over 450 financial and social media apps. 'Phoenix', advertised on underground forums as a new botnet, turned out to be yet another fork of Cerberus; unlike Alien and ERMAC, which modified the code, Phoenix reused the leaked source essentially unchanged.

Cybersecurity provider Cyble has reported a new campaign, tracked as ErrorFather and active through September and October 2024, that deploys a Cerberus-based payload through a multi-stage dropper. The threat actor made only minor modifications, so the payload remains primarily the original Cerberus code, yet at the time of analysis the samples were going undetected by antivirus engines. The campaign underscores the persistent risk posed by malware retooled from earlier source-code leaks.

Note that 'Cerberus' is also the product name of Siemens' Cerberus PRO fire-safety line. Advisories that instruct users of Siemens Cerberus PRO UL Compact Panel FC922/924 and Cerberus PRO UL Engineering Tool versions prior to MP4 to update to MP4 or later concern vulnerabilities in those Siemens products; they are unrelated to the Android banking trojan and are listed here only because of the shared name.
Description last updated: 2024-10-15T13:16:52.988Z
Possible Aliases / Cluster overlaps
Vendors differ in how they cluster and name threats, so the following overlapping names / profiles may also be relevant.

Alias: ErrorFather (2 votes)
ErrorFather is a possible alias for Cerberus. ErrorFather is an ongoing malware campaign that has escalated in activity during September and October 2024, indicating the threat actor's intent to scale and target specific victims. This malicious software poses a significant risk to computer systems, capable of infiltrating through suspicious dow…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Malware
Trojan
Vulnerability
Siemens
Associated Malware
Malware: TeaBot (association type: unspecified; 2 votes)
The TeaBot malware is associated with Cerberus. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking…
Associated Threat Actors
Threat actor: BianLian (association type: unspecified; 2 votes)
The BianLian threat actor is associated with Cerberus. BianLian is a threat actor group known for its malicious activities, primarily involving ransomware attacks. The group has been particularly active in 2024, exploiting bugs in JetBrains TeamCity software to launch its attacks. This method of attack has caused significant disruptions and data breache…
Source Document References
Information about the Cerberus malware was read from the documents listed below (display limited to 20 results).

Source (created):
- InfoSecurity-magazine (a month ago)
- Bitdefender (a month ago)
- DARKReading (4 months ago)
- Unit42 (4 months ago)
- Canadian Centre for Cyber Security (6 months ago)
- CISA (6 months ago)
- Canadian Centre for Cyber Security (8 months ago)
- CERT-EU (8 months ago)
- CERT-EU (8 months ago)
- CERT-EU (8 months ago)
- Canadian Centre for Cyber Security (8 months ago)
- CERT-EU (8 months ago)
- Bitdefender (10 months ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- CERT-EU (a year ago)
- Unit42 (a year ago)
- CERT-EU (2 years ago)
- Recorded Future (2 years ago)