The ErrorFather campaign, employing a stealthy Cerberus Android Banking Trojan, has recently intensified its attacks. By using a multi-stage infection chain, the campaign evades detection and targets unsuspecting users with encrypted payloads.
The malicious payload combines keylogging, overlay attacks, VNC, and a domain generation algorithm (DGA) to carry out its fraud; the DGA keeps the malware operational by continually producing fresh C&C domains, which makes takedown of the infrastructure difficult.
The Cerberus banking trojan, initially leaked in 2020, has spawned numerous variants like Alien, ERMAC, and Phoenix, which are often sold on underground forums and target financial and social media apps using overlay attacks and accessibility service exploitation.
Recent samples posing as Chrome and Play Store apps employ multi-stage droppers to deliver Cerberus-based payloads, demonstrating its continued prevalence in the Android malware landscape.
The campaign has been active since mid-September 2024. Its first-stage dropper communicates with a Telegram bot and delivers a final signed APK, which in turn sends device information back to the bot; activity has increased significantly in recent weeks.
The multi-stage dropper disguises itself as a legitimate app and uses a session-based install to deploy a packed second stage; that stage decrypts the final malicious payload with a native library, a layering that helps it slip past antivirus detection before the payload embeds itself on the device.
The campaign utilized a modified Cerberus variant, obfuscated to evade detection. Despite changes in the C&C structure, significant code similarities between the campaign’s payload and Cerberus confirmed its connection to this banking trojan.
It uses two C&C mechanisms: it first receives a list of static C&C servers, and it also carries a DGA, seeded on the Istanbul timezone, that generates dynamic C&C domains.
These domains are stored in the “ConnectGates” setting; when the primary C&C server becomes unavailable, the malware switches over to the DGA-generated domains.
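The static-list-then-DGA failover described above (and the DGA mentioned earlier) is something a defender can look for in DNS telemetry without knowing the generation algorithm, which this page does not describe. The following is an added example, not code from the CRIL report or from the malware: it runs a generic lexical heuristic (length, entropy, vowel ratio) over a constructed DNS query log and then flags clients that burst through several generated-looking names within a short window, the shape a fallback from a dead primary C&C tends to take. The log format, thresholds and sample domains are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed DNS query log (not real traffic): "timestamp client qname".
# The four random-looking names stand in for DGA fallback candidates; the
# real ErrorFather generation algorithm is not described on the page.
SAMPLE_DNS_LOG = """\
2024-09-20T10:01:02Z 10.0.0.12 play.google.com
2024-09-20T10:01:05Z 10.0.0.12 api.telegram.org
2024-09-20T10:02:10Z 10.0.0.12 xq7vk3pzrd9hwa.xyz
2024-09-20T10:02:11Z 10.0.0.12 m4tzq8bvw2nlpk.top
2024-09-20T10:02:12Z 10.0.0.12 z9pwx3kq7vbt4m.xyz
2024-09-20T10:02:13Z 10.0.0.12 r2k9mvxq4tzp7w.top
2024-09-20T10:03:00Z 10.0.0.12 www.wikipedia.org
2024-09-20T10:03:30Z 10.0.0.77 www.wikipedia.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Second-level label of a query name (heuristic; ignores public-suffix rules)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str, min_len: int = 10,
                    min_entropy: float = 3.0, max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["client"], m["qname"]


def flagged_queries(text: str):
    """Return [(client, qname)] for queries whose label looks machine-generated."""
    return [(client, qname) for _, client, qname in parse_log(text)
            if looks_generated(registrable_label(qname))]


def clients_with_fallback_burst(text: str, window_seconds: int = 60, threshold: int = 3):
    """Clients that queried >= threshold generated-looking names inside one window.
    A tight burst like this is what a switch from an unreachable static C&C
    to DGA candidates tends to look like on the wire."""
    per_client = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if looks_generated(registrable_label(qname)):
            per_client[client].append(ts)
    bursty = set()
    for client, times in per_client.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                bursty.add(client)
                break
    return bursty


if __name__ == "__main__":
    for client, qname in flagged_queries(SAMPLE_DNS_LOG):
        print(f"suspect DGA-like query from {client}: {qname}")
    print("clients showing fallback burst:", clients_with_fallback_burst(SAMPLE_DNS_LOG))
```

The lexical test alone produces false positives on CDN and tracking hostnames, so the burst condition is what makes the alert actionable: several such names from one device in under a minute, right after a known C&C stopped answering, is a much stronger signal than any single query.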
According to CRIL, the malware performs various actions, including sending device information, application logs, key logs, SMS messages, contacts, and captured images to a C&C server.
It also checks for installed applications and registers the infected device; these actions match those observed in previous Cerberus variants, although the action identifiers have been renamed.
The VNC functionality in this campaign utilizes MediaProjection to capture screen images and WebSocket for real-time transmission and interaction, allowing remote control of the infected device, similar to the Phoenix botnet’s use of HVNC.
The Cerberus malware identifies potential targets by sending the package names of installed applications to the C&C. Once a target is identified, it retrieves an HTML injection page and overlays that fake phishing page on top of the legitimate app, tricking victims into entering their login credentials and credit card details on the fraudulent banking page.
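The capabilities this page attributes to the payload and its dropper (overlay windows, accessibility-service abuse, session-based package installation, SMS and contact theft, MediaProjection screen capture for VNC, and impersonation of Chrome or the Play Store) all leave traces in an APK's manifest. As an added example, not code from CRIL or from the malware, the script below triages a decoded AndroidManifest.xml for those indicators and applies a simple "banker-like" rule. The sample manifest, package name and finding labels are constructed assumptions; the permission names, the `BIND_ACCESSIBILITY_SERVICE` service permission, the `foregroundServiceType="mediaProjection"` attribute and the genuine package names of Chrome and the Play Store are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Namespace-qualify an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"


# Permission-level indicators and the capability each one enables.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay_windows",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs_packages",
    "android.permission.READ_SMS": "sms_access",
    "android.permission.RECEIVE_SMS": "sms_access",
    "android.permission.READ_CONTACTS": "contacts_access",
    # Required on Android 14+ for MediaProjection from a foreground service.
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen_capture",
}

# Apps the campaign's droppers pose as; the genuine package names are fixed.
GENUINE_PACKAGE_FOR_LABEL = {
    "chrome": "com.android.chrome",
    "google play store": "com.android.vending",
    "play store": "com.android.vending",
}

# Constructed, apktool-style decoded manifest (hypothetical; not a real sample).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="Chrome">
        <service android:name=".A11yService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".CaptureService"
                 android:foregroundServiceType="mediaProjection"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return package, label and a sorted list of capability findings."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(attr("label"), "") if app is not None else ""
    findings = set()

    for perm in root.iter("uses-permission"):
        tag = PERMISSION_INDICATORS.get(perm.get(attr("name"), ""))
        if tag:
            findings.add(tag)

    for svc in root.iter("service"):
        if svc.get(attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.add("accessibility_service")
        # Older targets need no special permission, so also check the service type.
        if "mediaProjection" in (svc.get(attr("foregroundServiceType")) or ""):
            findings.add("screen_capture")

    # In real manifests the label is usually a resource reference (@string/...)
    # that must be resolved first; the constructed sample uses a literal.
    genuine = GENUINE_PACKAGE_FOR_LABEL.get(label.strip().lower())
    if genuine and package != genuine:
        findings.add("impersonates_" + genuine)

    return {"package": package, "label": label, "findings": sorted(findings)}


def is_banker_like(report: dict) -> bool:
    """Overlay capability plus an accessibility service is the core banker
    pattern; any theft or capture capability on top raises confidence."""
    f = set(report["findings"])
    core = {"overlay_windows", "accessibility_service"} <= f
    extra = f & {"sms_access", "contacts_access", "screen_capture", "installs_packages"}
    return core and bool(extra)


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report)
    print("banker-like:", is_banker_like(report))
```

None of these indicators is malicious on its own (screen readers declare an accessibility service, screen recorders use MediaProjection), which is why the rule requires the overlay-plus-accessibility combination that the overlay attack described above depends on, and treats the impersonated label as corroboration rather than proof.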
The ErrorFather campaign uses a modified Cerberus banking Trojan, which employs VNC, keylogging, and HTML injection to steal financial information by communicating with a Telegram bot and has evaded detection by antivirus engines.