According to ThreatFabric, a cybersecurity firm based in Amsterdam, a new Trojan now targets top crypto exchanges. The Trojan, known as “Cerberus,” steals two-factor authentication codes generated by Google’s Authenticator app for cryptocurrency exchanges, email accounts, and internet banking.
The security firm found that Coinbase is on the list of targets for Cerberus, which also includes social media apps and financial services around the world.
No advert on the dark web for Cerberus updated features
ThreatFabric noted that there is currently no advertisement on the darknet forums for the latest update of the Cerberus Trojan. According to the security firm, the updated features may still be in the test period and may be released to the dark web very soon.
ThreatFabric also reported that the Cerberus Trojan was discovered in June last year, when it superseded the Anubis Trojan and emerged as a key malware-as-a-service product.
According to the report, the malware was updated last month, and the updated version added the ability to steal two-factor authentication (2FA) codes. It also added theft of devices' swipe patterns and screen-lock PIN codes.
Trojan gives actors full control over devices
After the Cerberus Trojan is installed, it could download the contents of a device and establish connections to provide complete remote access to the device. Once the actor has control over the device, they use the RAT (remote access Trojan) to run any app on the affected device, including cryptocurrency exchange apps.
According to ThreatFabric, “The feature enabling theft of device’s screen lock credentials is powered by a simple overlay that will require the victim to unlock the device.”
The security researchers also said the screen-lock credential theft was designed so that the actors can carry out fraudulent activities while the victim is not using the device. It shows how creative criminals have become in their efforts to make their hacking activities succeed.
Banking Trojans now target cryptocurrency wallet apps
ThreatFabric also analyzed two other RATs, Gustuff and Hydra, which became popular after Anubis.
Hydra previously targeted blockchain wallets and Turkish banks, but it has since expanded its target range. Gustuff, on the other hand, targets government websites, Bitcoin wallets, and Canadian and Australian banks.
With Cerberus now involved, ThreatFabric reported that the targets of these three Trojans have now expanded to 26 crypto custody providers and exchanges, including Bitpay, Wirex, Xapo, Binance, and Coinbase.
Among the 26 targets, 20 of them are wallet providers that provide support for top cryptocurrencies such as Bitcoin, Bitcoin Cash, and Ethereum, ThreatFabric reported.