
Rewterz Threat Alert – Cerberus Variant Using MDM As Infection Vector

May 4, 2020

Severity

High

Analysis Summary

Attackers used a multinational company’s compromised Mobile Device Manager (MDM) server to infect more than 75% of managed Android devices with the Cerberus banking trojan. MDM (also known as Enterprise Mobility Management – EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.

Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information including, but not limited to, call logs, text messages, credentials, Google Authenticator 2FA codes and phone unlock patterns, as well as to collect information on installed apps and log keystrokes. After the attackers compromised the unnamed company’s MDM server in a targeted attack, they used it to remotely deploy the banking trojan on over 75% of all managed Android devices. This is the first reported incident in which mobile malware was distributed through an MDM server.

Right after infecting a device, the malware displays a dialog disguised as an update for the Android Accessibility Service, which keeps popping up on the screen until the victim gives in and taps the “Enable Update” button. Once it has been granted the Accessibility Service, Cerberus uses it to click menu options on its own and to act without user interaction inside banking, email, messaging and social media apps.

Cerberus also has TeamViewer-based remote access Trojan (RAT) capabilities that give its operators full remote control of infected devices. Additionally, it uses overlays to capture the screen-lock pattern so that the attackers can access the devices remotely. The malware downloads a ring0.apk module which adds the ability to harvest contacts, SMS messages and the list of installed applications and send them to the command and control server.

Impact

  • Unauthorized Remote Access
  • Financial Theft
  • Credential Theft
  • 2FA Bypass
  • Device Takeover

Indicators of Compromise

MD5

  • ac0ae915c8eae4060062af1610db67d7
  • d295f8e340692f25fabb46533d708c78
  • 43b0c404994f9bed8d02d69e127b0dc8

SHA-256

  • 4254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69
  • 6291192d0c2f6318f9a4f345203b35cfe140be53889f9fefdd8e057a4f02e898
  • 3ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8

SHA1

  • 6b55e552ffd012e95a2eeb6dfac4a1983270ef99
  • 140eb9d273cdfa9a6f004165569a942784a26535
  • 83424215154b1fae5976bf8a23341b6eb1f8f7f5

Source IP

  • 91[.]210[.]169[.]114

Remediation

  • Block the threat indicators at their respective controls.
  • Verify sources of email attachments and delete them without opening if they can’t be validated.
  • Keep applications and operating systems running at the current released patch level.
  • Closely monitor traffic for MDM servers.
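The indicator-matching step behind the first and last remediation bullets, as an added example that is not part of the advisory: it refangs the published C2 address, hashes an APK with the three algorithms listed above, and checks constructed MDM push-log and proxy-log lines against the hashes and IP from this alert. The log formats, device names and package names are assumptions, not the affected company's real data.

```python
import hashlib
import re

# Indicators copied from the advisory above; the IP is kept defanged as published.
IOC_HASHES = {
    "md5": {"ac0ae915c8eae4060062af1610db67d7", "d295f8e340692f25fabb46533d708c78",
            "43b0c404994f9bed8d02d69e127b0dc8"},
    "sha1": {"6b55e552ffd012e95a2eeb6dfac4a1983270ef99", "140eb9d273cdfa9a6f004165569a942784a26535",
             "83424215154b1fae5976bf8a23341b6eb1f8f7f5"},
    "sha256": {"4254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69",
               "6291192d0c2f6318f9a4f345203b35cfe140be53889f9fefdd8e057a4f02e898",
               "3ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8"},
}
IOC_IPS_DEFANGED = ["91[.]210[.]169[.]114"]

def refang(indicator):
    """Turn a defanged indicator (91[.]210[.]169[.]114, hxxp://) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def apk_matches_ioc(apk_bytes):
    """Hash an APK with MD5, SHA1 and SHA-256 and return the algorithms whose digest is listed."""
    digests = {name: hashlib.new(name, apk_bytes).hexdigest() for name in ("md5", "sha1", "sha256")}
    return [name for name, value in digests.items() if value in IOC_HASHES[name]]

# Assumed MDM push-log format: "<ts> mdm push pkg=<package> sha256=<hex> dev=<device>".
MDM_LINE = re.compile(r"^(?P<ts>\S+) mdm push pkg=(?P<pkg>\S+) sha256=(?P<sha>[0-9a-f]{64}) dev=(?P<dev>\S+)$")

def scan_mdm_log(lines):
    """Return (timestamp, device, package) for every push whose SHA-256 is a listed indicator."""
    hits = []
    for line in lines:
        m = MDM_LINE.match(line.strip())
        if m and m.group("sha") in IOC_HASHES["sha256"]:
            hits.append((m.group("ts"), m.group("dev"), m.group("pkg")))
    return hits

def scan_proxy_log(lines):
    """Assumed proxy-log format "<ts> <device> <dst_ip> <dst_port>"; flag connections to the C2 IP."""
    c2 = {refang(ip) for ip in IOC_IPS_DEFANGED}
    return [(p[0], p[1]) for p in (line.split() for line in lines) if len(p) >= 3 and p[2] in c2]

# Constructed sample logs: one benign push, one push of a listed sample, one C2 connection.
SAMPLE_MDM_LOG = [
    "2020-05-04T09:58:03Z mdm push pkg=com.example.crm sha256=" + "0" * 64 + " dev=dev-0417",
    "2020-05-04T10:02:11Z mdm push pkg=com.example.sysupdate "
    "sha256=4254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69 dev=dev-0417",
]
SAMPLE_PROXY_LOG = [
    "2020-05-04T10:05:40Z dev-0417 203.0.113.10 443",
    "2020-05-04T10:05:42Z dev-0417 91.210.169.114 443",
]
```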