Labs - Malware Analysis

New Cerberus Campaign Impersonates Amazon

Written by David Morán | Jul 20, 2020 7:08:53 AM

Much of the world has already begun to enter the "re-opening" phase, and some parts have already entered the so-called "new normal", in which the idea is that we can carry out practically the same activities as before, but with greater caution in order to avoid new outbreaks.

Introduction

Along with this "re-opening" in the real world, it seems that a "re-opening" is also beginning to take place in the malware world.

In previous posts we have analyzed how malware developers are able to use a situation as complicated as a pandemic to infect a greater number of users thanks to campaigns related to the situation.

In this analysis, we saw how practically all known types of malware have used COVID-19 in their March and May campaigns to trick their victims and get them to install malicious apps on their devices.

However, in June we began to see other variants of these campaigns, but whose operation was the same as the campaigns commonly used by this malware: fake Flash Player apps. But now, in this "return to the new normal" for the world of malware distribution, we are seeing a new campaign used for the distribution of the Cerberus bank malware for Android.

It has drawn attention for not being a regular Flash Player campaign, since instead the developers have chosen to impersonate Amazon and offer a fake app for customers.

 

Usual Cerberus Campaigns

Cerberus, just like most of the bank malware for Android, frequently uses fake apps to make the user believe that the app is something it's not, and what it does is spy on the user's activity and steal their data, including their bank credentials and other popular services.

The distribution campaigns in the Android bankers revolve around Flash Player, which is the popular Adobe player chosen by attackers to make their victims end up installing the malicious app.

Cerberus campaigns using fake Flash Player apps

Although it is most common to use the Adobe player, other brands have also been used to distribute malware, such as telecommunications apps that offer data bundles, antivirus software or Google Play updates, the latter of which is the most common case of impersonation, after the Flash Player.

 

Amazon Campaign

After the lockdown and fad of COVID-19 related campaigns and radar apps, the attackers behind Cerberus appear to be working on new distribution campaigns that look beyond the usual Flash Player or the use of fake Google Play updates.

In mid-June, a new Cerberus campaign was detected that, as a novelty, introduced a different brand for the distribution of the trojan, trying to increase the number of infected users as much as possible.

Fake website used for distribution

In the previous image, we can see that in this campaign, a fake Amazon website was used in which the user is notified that a new app exists, and thus the download of the malicious app begins.

The icon and title of the app impersonate the Amazon application, and as indicated by the fake website, it may appear to be the legitimate application. However, this is not the case, and once installed it asks the user to provide accessibility permissions to thus deploy the malicious functionality and initiate the data theft.

Window requesting accessibility permissions to be provided

At a technical level, the sample does not include any new developments, it maintains the usual functionality and the list of affected entities remains unchanged, everything is the same as that described in our Cerberus analysis and in our subsequent update on the new version in March.

In this new sample, RC4 encryption continues to be used for communication with the control server and for text string obfuscation, thus making it difficult to analyze the samples. It also continues to use the same malicious code decryption/unpacking strategy, which is included in a fake JSON file, which is actually a code DEX file, which is decrypted with RC4 and loaded at runtime.


Fake JSON file encrypted with malicious code. String encryption

 

Conclusions

As we can see, attackers are constantly looking for new ways to infect their victims.

During the lockdown, malicious apps related to COVID-19 were used to try to infect as many users as possible. Now that things are starting to get back to normal and the biological virus is losing strength, attackers are looking for new ways to distribute their creations.

In this case, the surprise came from the Cerberus bank trojan for Android, which does not include any new developments related to its functionalities, but rather the new campaign that attackers have used to distribute the sample.

Unlike the normal campaigns that used the Adobe Flash Player, the online shopping giant Amazon was used for the first time in this campaign. The malware is distributed as if it were a legitimate update to the app, through a web with the same appearance as the official Amazon website.
.