ThreatFabric, an Amsterdam cyber security company specializing in threats to the financial sector, has identified the “Cerberus” Trojan that steals codes for 2-Factor Authentication (2FA) generated by the Google Authenticator app for internet banking, email accounts and cryptocurrency exchanges.
Coinbase, the US-based cryptocurrency exchange, is one of the crypto platforms on Cerberus' extensive target list, which also includes major financial institutions around the world and social media apps.
The cyber security company notes that it has not seen advertisements on the dark web for the updated Cerberus features, leading it to believe that the new version is "still in the test phase, but may be released soon".
The ThreatFabric report states that the Remote Access Trojan (RAT) "Cerberus" was first identified at the end of June, when it replaced the Anubis Trojan and emerged as a prominent Malware-as-a-Service product.
The report states that Cerberus was updated in mid-January 2020, with the new version offering the option to steal 2FA tokens from Google Authenticator, as well as PIN codes for screen lock and swipe patterns of the device.
Once installed, Cerberus can download the contents of a device and establish connections that give the malicious actor full remote access to the device. The RAT can then be used to control any app on the device, including banking and cryptocurrency exchange apps.
"The function that allows the theft of screen login credentials (pin code and lock pattern) is made possible by a simple overlay that requires the victim to unlock the device. From the implementation of the RAT we can conclude that this screen theft has been built so that the actors can remotely unlock the device to commit fraud when the victim is not using the device. This shows once again the creativity of criminals to build the right tools to be successful."
The report also examines two other RATs that became known after Anubis – “Hydra” and “Gustaff”.
Gustaff focuses on Australian and Canadian banks, cryptocurrency wallets and government websites, while Hydra has recently expanded its reach, focusing primarily on Turkish banks and blockchain wallets.
Including Cerberus, the three Trojans target at least 26 cryptocurrency exchanges and custody providers. The targets include several leaders in the crypto sector, among them Coinbase, Binance, Xapo, Wirex and Bitpay.
More than 20 of the targets are wallet providers that support leading cryptocurrencies, including Bitcoin (BTC), Ethereum (ETH) and Bitcoin Cash (BCH).
A possible defense against Cerberus is the use of a physical authentication key to prevent remote attacks. With such a key, an attacker would need physical possession of the key itself, which minimizes the risk of a successful attack.