Cerberus

Malware updated 23 days ago (2024-11-29T14:19:28.250Z)
Download STIX
Preview STIX
Cerberus is a potent Android banking trojan that first surfaced on underground marketplaces in 2019. This malicious software, which operates as a hidden application on the victim's device, infiltrates systems via suspicious downloads, emails, or websites without the user's awareness. Once inside, it can steal personal information and disrupt operations. A new sophisticated campaign has been detected using an undetected Cerberus Android banking Trojan payload, according to cybersecurity provider Cyble. These samples use a multi-stage dropper to deploy a banking trojan payload that leverages the Cerberus banking Trojan. In 2020, following the leak of Cerberus' source code, a new variant called 'Alien' emerged, leveraging the same codebase. The subsequent year, another banking trojan named 'ERMAC,' which also builds on Cerberus' code, was observed targeting over 450 financial and social media apps. Despite being an older malware strain, the modified Cerberus used in these campaigns has successfully evaded detection by antivirus engines, further underscoring the persistent risks posed by retooled malware from previous leaks. The threat actor behind ErrorFather slightly modified the malware, but it remains primarily based on the original Cerberus code. "Phoenix," claiming to be a fresh botnet, was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications. It's critical to note that all versions of Siemens Cerberus PRO UL Compact Panel FC922/924 and Siemens Cerberus PRO UL Engineering Tool prior to MP4 are vulnerable to this malware. As a countermeasure, users of these tools should update to MP4 or later versions to mitigate the risk.
Description last updated: 2024-10-15T13:16:52.988Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Errorfather is a possible alias for Cerberus. ErrorFather is an ongoing malware campaign that has escalated in activity during September and October 2024, indicating the threat actor's intent to scale and target specific victims. This malicious software poses a significant risk to computer systems, capable of infiltrating through suspicious dow
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Android
Malware
Trojan
Vulnerability
Siemens
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Teabot Malware is associated with Cerberus. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable bankingUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The BianLian Threat Actor is associated with Cerberus. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directoryUnspecified
2
Source Document References
Information about the Cerberus Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
InfoSecurity-magazine
2 months ago
Bitdefender
2 months ago
DARKReading
5 months ago
Unit42
5 months ago
Canadian Centre for Cyber Security
7 months ago
CISA
7 months ago
Canadian Centre for Cyber Security
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
CERT-EU
9 months ago
Canadian Centre for Cyber Security
9 months ago
CERT-EU
9 months ago
Bitdefender
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
Unit42
a year ago
CERT-EU
2 years ago
Recorded Future
2 years ago