update 18 August 2021

ThreatFabric Identifies Trojan Targeting Crypto Wallet Facilitators

ThreatFabric, a cybersecurity firm specializing in threats to the financial industry, recently identified a new variant of the Cerberus Trojan. Cerberus steals the 2-factor authentication (2FA) codes produced by the Google Authenticator app that are used for internet banking and crypto exchanges.

According to the reports, Cerberus was first identified in June 2019, taking over from the infamous Anubis Trojan as the leading banking malware. However, it lacked features that would let it evade detection. In mid-January 2020, reports noted that the Cerberus authors had built the new variant to address that gap. It includes a Remote Access Trojan (RAT) feature for committing fraud directly from the infected device.

The upgraded version underwent a refactoring of the code base and updates to the C2 (command-and-control) communication protocol. The RAT feature also gained the ability to steal device screen-lock credentials, such as the PIN code or swipe pattern, as well as 2FA codes from the Google Authenticator app.

More About the RAT Threats

ThreatFabric found no advertisement for the upgraded version on the dark web, and believes the new variant is still in a test phase and will be launched soon. Two other notorious RAT threats examined in ThreatFabric’s report are Gustuff and Hydra: Gustuff targets Australian and Canadian banks, crypto wallets, and government websites, while Hydra targets Turkish banks, blockchain wallets, and more.


The RATs mentioned above target over 26 crypto exchanges and custody providers, including several crypto giants such as Coinbase, Binance, Bitpay, and Wirex. As a defense against Cerberus, ThreatFabric suggests using a physical authentication key: its codes cannot be read by malware with remote access to the device, which minimizes the risk of a successful attack.