ErrorFather hackers remotely attack and control Android devices

The ErrorFather campaign, a new variant of the Cerberus banking trojan, emerged in September 2024. It uses a multi-stage dropper to spread and has seen a rise in activity, posing risks to Android users.

All about ErrorFather

The malware deploys a multi-stage dropper process to evade detection. Initially, the first-stage dropper installs a second-stage dropper, which is hidden within its assets and is triggered via session-based installation.

The second dropper is packed with a native library (libmcfae.so), which it uses to decrypt and execute the final malicious payload.

This final payload, decrypted.dex, is loaded onto the system and enables dangerous functionalities like keylogging, performing overlay attacks to steal sensitive information (such as login credentials), and granting the attackers remote access to the compromised device.
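The dropper layout described above (a second stage hidden under assets/, plus a native loader library) can be checked for statically before an APK is ever installed. The following is an added example, not code from the original article or from the malware: it walks an APK's ZIP entries, flags asset blobs whose magic bytes show they are really archives or DEX files, and flags the loader library name the article reports (libmcfae.so). The sample APKs it builds are constructed in memory for the demonstration.

```python
import io
import zipfile

# Indicators taken from the write-up above: a second-stage APK hidden in the
# first stage's assets and a native library named libmcfae.so that decrypts
# the final payload. Everything else in this file is a constructed example.
KNOWN_LOADER_LIBS = {"libmcfae.so"}
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a ZIP/APK
DEX_MAGIC = b"dex\n"        # first four bytes of a Dalvik executable

def triage_apk(apk_bytes: bytes) -> dict:
    """Static triage of one APK: flag asset blobs that are really archives or
    DEX files (hidden stages) and native libraries matching known loaders."""
    findings = {"embedded_archives": [], "embedded_dex": [],
                "native_libs": [], "known_loader_libs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("assets/") and not info.is_dir():
                with zf.open(info) as fh:
                    head = fh.read(4)      # only the magic bytes are needed
                if head.startswith(ZIP_MAGIC):
                    findings["embedded_archives"].append(name)
                elif head.startswith(DEX_MAGIC):
                    findings["embedded_dex"].append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
                if name.rsplit("/", 1)[-1] in KNOWN_LOADER_LIBS:
                    findings["known_loader_libs"].append(name)
    hidden_stage = bool(findings["embedded_archives"] or findings["embedded_dex"])
    if hidden_stage and findings["known_loader_libs"]:
        findings["verdict"] = "likely multi-stage dropper (known loader lib)"
    elif hidden_stage:
        findings["verdict"] = "hidden stage in assets, review manually"
    else:
        findings["verdict"] = "no dropper indicators"
    return findings

def build_sample_apk(with_hidden_stage: bool) -> bytes:
    """Constructed sample mimicking the described layout: an APK whose assets/
    carries a second APK and whose lib/ ships libmcfae.so (or a clean one)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:        # the hidden second stage
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        z.writestr("assets/config.json", b"{}")
        if with_hidden_stage:
            z.writestr("assets/data.bin", inner.getvalue())
            z.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF" + b"\x00" * 60)
    return outer.getvalue()
```

On a real sample the second stage may be encrypted rather than stored as a plain archive, so an asset with no recognisable magic but a high entropy still deserves a manual look.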

The ErrorFather campaign used a modified Cerberus banking trojan, hidden through obfuscation and code reorganization.

Initially flagged as a new banking trojan due to its detection count, further analysis showed strong similarities with Cerberus, especially in its settings and structure.

However, the ErrorFather variant featured a different command-and-control (C&C) system, distinct from the original Cerberus and the Phoenix botnet, highlighting its unique evolution.

The malware retrieves C&C server lists either from a primary static server or dynamically through a DGA, which generates domains based on Istanbul time using MD5 and SHA-1 hashes, then appends one of four extensions.

When the primary C&C server is unreachable, the malware switches to connecting with dynamically generated domains, similar to what was seen in the Alien malware, though with different domain extensions and no static list.

The malware collects device info, retrieves and stores data from the server, and captures screen images for remote access (VNC). It also uses accessibility services to gather sensitive data, like keystrokes and contacts, and sends error logs to the C&C server. Additionally, it monitors registered users and sends device status updates, highlighting its ongoing control over the infected device.

The Cerberus malware uses overlay attacks to trick victims into entering sensitive data. It first sends the list of installed apps to its C&C server; once a target app is identified, it overlays a phishing page on that app and captures the login credentials and credit card details entered there for financial fraud.

The ErrorFather campaign, a Cerberus-based Trojan, uses VNC, keylogging, and HTML injection to steal financial data. Despite its age, Cerberus remains a threat due to its ability to evade detection and cybercriminals repurposing its leaked source code.

About the Author:

FirstHackersNews - Identifies Security