Rewterz Threat Alert – ATM Malware & Mobile Banking Malware – IoCs

Severity

High

Analysis Summary

Firstly, a recent ATM malware is found searching for the factory Logical Service Names in order to target ATMs. Additionally, Mobile Banking Malware like Cerberus are found targeting hundreds of banking applications in recent campaigns. The new variant of Cerberus serves for a RAT feature to perform fraud from the infected device. This new Cerberus variant has undergone refactoring of the code base and updates of the C2 communication protocol, but most notably it got enhanced with the RAT capability, possibility to steal device screen-lock credentials (PIN code or swipe pattern) and 2FA tokens from the Google Authenticator application. The RAT service is able to traverse the file system of the device and download its contents. On top of that it can also launch TeamViewer and setup connections to it, providing threat actors full remote access of the device. Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 server, enabling bypass of authentication services that rely on OTP codes.

Impact

• Credential Theft
• Authentication Bypass
• Unauthorized Remote Access
• Device Takeover
• Financial Fraud
• Data Ex-filtration 

Indicators of Compromise

MD5

• e9202877f74343ba4aa800aa21ecd305
• 689b1ddb04b237bb6b01953e4158f6a4
• 091a18bad61f832c17ac28e18abf3d14
• 79157c3e0a3aeab23d190d4b2ebe045b
• bfa086222aaac42470e1c776a9f348a7
• 8ff2ac17c07768c5079e646dd9f1e550
• 691b562c76fb180f514d6852cb561ebe
• 79526043ed82c2bec9db9f4462e3b0c8
• 4f7982fe10e348a45b81ca0fb0ac3b33
• b6eb574f4d9e64fcf101c69ffa7d3fcb
• 12a57ba309cc0e9421d36abbf78d51e6
• f40d8aa358b8d31e644a88bf5b3f5ee5

SHA-256

• 7cea6510434f2c8f28c9dbada7973449bb1f844cfe589cdc103c9946c2673036
• cb104f9c042c777d97587b2b93843ac220b01095aa83b0153c8d29a1f382dddb
• a6f0fee73ec2ce4a75564637f57d661bab728b71c9237143ffc8913dd448fdf8
• 66f83000c34469682d966fb4053534eb645b32651a81ec5aca95b23987ce3456
• 9d4ce9cce72ec64761014aecbf1076041a8d790771fa8f8899bd3e2b2758281d
• f3c6e10744efd192c1b137751dbb9941a01fe548eb4f08c3829e1f54793f0347
• 53410fb1861dc954a9c6d27908c50e754e9774eb4404ff408cf5ac7f8996737c
• c3adb0a1a420af392de96b1150f0a23d8826c8207079e1dc268c07b763fe1af7
• 59ac851979b00a4c927068a36154cd85ecca89d9dd8db18ab77268c772d082fc
• 4ff95cadf83b47d1305f1deb4315e6387c4c0d58a0bdd12f74e866938c48baa5
• 74180939b0340359eb6c4583e6fed306759ff2fad214a64946ddb17cc0aec5dd
• a16a93d229b38e175c93589d56c392901fa1137b24ab994c50d6f535304602d4

Remediation

• Block the threat indicators at their respective controls.
• Download applications from authentic sources only.
• Be very careful while granting permissions to applications. 
• For ATM protection, change the logical service name (LSN) coming from factory so the malware can’t find the LSN.