Rewterz Threat Alert – Cerberus Variant Using MDM As Infection Vector

Severity

High

Analysis Summary

Attackers used a multinational company’s compromised Mobile Device Manager (MDM) server to infect more than 75% of managed Android devices with the Cerberus banking trojan. MDM (also known as Enterprise Mobility Management – EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.

Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information including but not limited to call logs, text messages, credentials, Google Authenticator 2FA codes, phone unlocking patterns, as well as to collect info on installed apps and log keystrokes. After the attackers successfully compromised the unnamed company’s MDM server following a targeted attack, they used it to remotely deploy the banking trojan malware on over 75% of all managed Android devices. This is the first time that an incident of mobile malware distribution is seen using the MDM server as an attack vector.

Right after infecting a device, the malware will display a dialog camouflaged as an update for the Android Accessibility Service which will keep popping up on the screen until the victim gives in and hits the “Enable Update” button. After it gains access to the Accessibility Service, Cerberus will later use it for clicking on menu options and to bypass user interaction to access services like banks, email, messaging, and social media networks.

Cerberus also has TeamViewer-based remote access Trojan (RAT) capabilities that make it possible for its operators to have full remote control of infected devices. Additionally, it uses overlays to grab the screen-lock pattern to enable the attackers to the devices remotely. The malware downloads a ring0.apk module which adds the ability to harvest contacts, SMS messages, and the list of installed applications and send it to the command and control server.

Impact

• Unauthorized Remote Access
• Financial Theft
• Credential Theft
• 2FA Bypass
• Device Takeover

Indicators of Compromise

MD5

• ac0ae915c8eae4060062af1610db67d7
• d295f8e340692f25fabb46533d708c78
• 43b0c404994f9bed8d02d69e127b0dc8

SHA-256

• 4254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69
• 6291192d0c2f6318f9a4f345203b35cfe140be53889f9fefdd8e057a4f02e898
• 3ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8

SHA1

• 6b55e552ffd012e95a2eeb6dfac4a1983270ef99
• 140eb9d273cdfa9a6f004165569a942784a26535
• 83424215154b1fae5976bf8a23341b6eb1f8f7f5

Source IP

• 91[.]210[.]169[.]114

Remediation

• Block the threat indicators at their respective controls.
• Verify sources of email attachments and delete them without opening if they can’t be validated.
• Keep applications and operating systems running at the current released patch level.
• Closely monitor traffic for MDM servers.