Cerberus

Malware updated 9 months ago (2024-11-29T14:19:28.250Z)
Download STIX
Preview STIX
Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. This malicious software, which operates as a hidden application on the victim's device, infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it can steal personal information and disrupt operations. A new sophisticated campaign has been detected using an undetected Cerberus Android banking Trojan payload, according to cybersecurity provider Cyble. These samples use a multi-stage dropper to deploy a banking trojan payload that leverages the Cerberus banking Trojan. In 2020, following the leak of Cerberus' source code, a new variant called 'Alien' emerged, leveraging the same codebase. The subsequent year, another banking trojan named 'ERMAC,' which also builds on Cerberus' code, was observed targeting over 450 financial and social media apps. Despite being an older malware strain, the modified Cerberus used in these campaigns has successfully evaded detection by antivirus engines, further underscoring the persistent risks posed by retooled malware from previous leaks. The threat actor behind ErrorFather slightly modified the malware, but it remains primarily based on the original Cerberus code. "Phoenix," claiming to be a fresh botnet, was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications. It's critical to note that all versions of Siemens Cerberus PRO UL Compact Panel FC922/924 and Siemens Cerberus PRO UL Engineering Tool prior to MP4 are vulnerable to this malware. As a countermeasure, users of these tools should update to MP4 or later versions to mitigate the risk.
Description last updated: 2024-10-15T13:16:52.988Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Errorfather is a possible alias for Cerberus. ErrorFather is an ongoing malware campaign that has escalated in activity during September and October 2024, indicating the threat actor's intent to scale and target specific victims. This malicious software poses a significant risk to computer systems, capable of infiltrating through suspicious dow
2
Ermac is a possible alias for Cerberus. ERMAC is a malicious software (malware) that was first observed in 2021 as a banking trojan. It targets over 450 financial and social media applications, with its core features designed to send SMS messages, display phishing windows on top of legitimate apps, extract lists of installed applications,
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Trojan
Malware
Source
Botnet
Banking
Siemens
Vulnerability
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Teabot Malware is associated with Cerberus. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable bankingUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The BianLian Threat Actor is associated with Cerberus. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directoryUnspecified
2
Source Document References
Information about the Cerberus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securityaffairs
19 days ago
InfoSecurity-magazine
a year ago
Bitdefender
a year ago
DARKReading
a year ago
Unit42
a year ago
Canadian Centre for Cyber Security
a year ago
CISA
a year ago
Canadian Centre for Cyber Security
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Canadian Centre for Cyber Security
a year ago
CERT-EU
a year ago
Bitdefender
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
Unit42
2 years ago
CERT-EU
3 years ago