New Android Malware Variant ‘ErrorFather’ Successfully Avoids Security Measures


New Cerberus Variant “ErrorFather” Evades Detection

Cyble researchers have uncovered a new variant of the Cerberus Android banking trojan, which they named "ErrorFather", that at the time of analysis went undetected by antivirus engines. The variant is delivered through a multi-stage dropper and carries out financial fraud using remote-access capabilities, keylogging, and overlay attacks against banking and payment apps.

The researchers note that the ErrorFather campaign shows how cybercriminals keep repurposing leaked malware source code: Cerberus-based attacks remain an active threat years after the original malware was first documented. Although it is built on an older strain, the modified Cerberus used in this campaign still evaded detection, underscoring the risk posed by retooled malware from previous leaks.

The threat actor behind ErrorFather renamed Cerberus variables, added further obfuscation, and reorganised the code, which is enough to break signature-based detection of the known Cerberus code. For command and control, the malware falls back to a Domain Generation Algorithm (DGA) that derives candidate C2 domains algorithmically, so the operator can reclaim control if the primary server is taken down. The overlay technique is unchanged from earlier Cerberus variants.
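The defensive value of understanding a DGA is that, once the algorithm and seed are known, a defender can precompute the same domains and match them against DNS telemetry. The following is an added example, not code from the Cyble report and not ErrorFather's actual algorithm: the hashing scheme, salt, TLD list and the DNS log lines are all constructed assumptions chosen to illustrate the technique.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical parameters of a toy DGA; a real family's constants must be
# recovered by reverse engineering and are not those of ErrorFather.
TLDS = ("com", "net", "org")
SALT = b"example-salt"


def dga_domains(seed_date: date, count: int = 5) -> list[str]:
    """Toy DGA: deterministically derive `count` domains from a date.

    Each domain is a 12-letter label plus a TLD picked from TLDS, all driven
    by a SHA-256 chain so both attacker and defender can reproduce the list.
    """
    domains = []
    state = hashlib.sha256(SALT + seed_date.isoformat().encode()).digest()
    for i in range(count):
        state = hashlib.sha256(state + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in state[:12])
        tld = TLDS[state[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_range(start: date, days: int, count: int = 5) -> set[str]:
    """Defender side: precompute every domain the DGA can emit over a window.

    Generating a window (rather than only today) covers clock skew on the
    infected device and lets the list be pushed to DNS filtering in advance.
    """
    blocklist: set[str] = set()
    for offset in range(days):
        blocklist.update(dga_domains(start + timedelta(days=offset), count))
    return blocklist


def matches_in_dns_log(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Scan simple '<timestamp> <client> <query>' DNS log lines for DGA hits.

    Returns (client, domain) pairs so the infected host can be identified.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the scan
        client, query = parts[1], parts[2].rstrip(".").lower()
        if query in blocklist:
            hits.append((client, query))
    return hits


# Constructed sample DNS log: one benign query and one query for a domain
# the toy DGA emits for 2 October 2024 (second candidate of that day).
SAMPLE_LOG = [
    "2024-10-02T10:00:01Z 10.0.0.5 www.example.com.",
    f"2024-10-02T10:00:07Z 10.0.0.23 {dga_domains(date(2024, 10, 2))[1]}.",
]

if __name__ == "__main__":
    window = blocklist_for_range(date(2024, 10, 1), days=7)
    for client, domain in matches_in_dns_log(SAMPLE_LOG, window):
        print(f"DGA hit: {client} -> {domain}")
```

Because the output is fully determined by the date and the constants, the same function serves the attacker (pick today's domain, try each until one resolves to the registered server) and the defender (register or sinkhole the domains ahead of time, or alert on any resolution attempt).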

The researchers identified about 15 samples tied to the ErrorFather campaign, and a Command and Control server that was still active at the time of analysis indicates the campaign is ongoing. The malware poses as Chrome and Google Play Store apps; a session-based dropper installs the second stage, which in turn deploys the Cerberus-based banking trojan payload.

Overall, the ErrorFather campaign serves as a stark reminder of the evolving tactics used by cybercriminals to carry out financial fraud and the importance of staying vigilant against such threats.
