Bank Fraud: Hackers Using Both Gozi, Cerberus MalwareAttackers Target Online Banking Users in Italy, IBM Says
An ongoing hacking campaign is targeting Italian online banking users by infecting their devices with the Gozi banking Trojan and then prompting them to download Cerberus malware to make money transfers, according to IBM Security Intelligence.
The campaign, which began in September 2020, targets the accounts of users of business banking services that have balances of more than 3,000 euros ($3,583).
The Cerberus malware enables the attackers to receive two-factor authentication codes sent by banks to users attempting to make transactions. "Cerberus also possesses other features and can enable the attacker to obtain the lock-screen code and remotely control the device," the IBM report adds.
The report did not disclose details on how many victims have been affected or how much has been stolen.
The campaign begins with the attackers sending phishing emails with malicious files attached that typically purport to carry invoices, delivery notices or other business correspondence. When victims download the files, they are infected with Gozi malware, IBM says.
When victims attempt to access their online services, Gozi performs web injections to display a hoax message stating that banking services cannot be performed until the victim downloads a "security app," which is actually a malicious application, the report says. The victims are then asked to scan a QR code shown in the message to download the app.
"If users scan the QR code, they will open a web page on their smartphone and be sent to a fake Google Play page featuring a corresponding banking app logo of the banking brand the victim originally attempted to access," IBM notes. "In cases of users who do not successfully scan the QR code, they are asked to provide their telephone number and subsequently receive an SMS message with a download link to fetch the malicious application, which warns users about a potential service interruption if they fail to obtain the app."
While this process is underway, Gozi matches the phone number inserted by the victim with multiple bot IDs hosted by the threat actors on several domains. Details from each compromised device are matched with their bank’s names, and the malware then captures their banking credentials.
The victims are then sent the link to the Cerberus malware. When this malware is downloaded, it tracks information, such as the name of the bank the victim was attempting to access when the infection process was initiated. The malware then helps the hackers to bypass the SMS-code verification by stealing the messages, IBM says.
The researchers say the gang behind Gozi apparently implemented Cerberus after the operators of that malware released its source code in 2020 (see: Attacks Using Cerberus Banking Trojan Surge).
"Banking Trojan operators are constantly shifting tactics, but the strategy remains the same - they have to gain access to victims' smartphones if they hope to get through security controls applied to banking and other services," the report notes. "Using Cerberus is also expected since the code was leaked and gave the option to any malware operator to make use of it against unsuspecting victims."
In another case in which hackers co-opted malware, Russia adopted the stolen infrastructure of the Iranian APT group OilRig in 2019 to exfiltrate data from U.K. and U.S. intelligence agencies. Security firm BlackBerry Cylance also found that unidentified nation-state actors co-opted Vega ransomware for espionage activities.
Gozi and Cerberus
Gozi, which is also known as Dreambot and Ursnif, is designed to steal passwords and credentials, with a particular focus on the banking and financial sectors. The malware has been around for about 10 years.
Last year, security firm Cisco Talos uncovered a Gozi campaign that used hosting platforms, such as Google Drive, to deliver malware that stole banking credentials. In 2019, a report by security firm Fortinet revealed that a new Ursnif Trojan variant was targeting vulnerable systems in an attempt to steal banking passwords and other credentials.
Cerberus is an Android mobile banking Trojan that has been active since 2019. Last year, Kaspersky researchers uncovered a spyware campaign that targeted Android users through Cerberus-laced apps in the Google Play store. In July 2019, Avast uncovered a fake currency converter app in the official Google Play store that hid the Trojan.