A new variant of the Cerberus Trojan has been identified by ThreatFabric, a cybersecurity firm which specializes in financial industry threats. Cerberus Trojan steals 2-factor Authentication codes generated by the Google Authenticator app for internet banking and Crypto exchanges, among others.

According to the report, Cerberus Trojan was identified in the end of June last year, which took over from the infamous Anubis Trojan, as the major banking malware. However, this threat was still lacking features that could allow it lower its detection.

In mid-January 2020, the report said the authors of Cerberus released this new variant of the Cerberus Trojan which aims to resolve the aforementioned problem. It has a Remote Access Trojan (RAT) feature to perform fraud from the infected device.

The upgraded version has undergone refactoring of the code base and updates of the C2 communication protocol. More importantly, the RAT feature has enhanced its capabilities to steal device screen-lock credentials such as PIN code or swipe pattern, and 2FA from the Google Authenticator app.

ThreatFabric noted in their report that it hasn’t identified any advertisement on the dark web for this upgraded version yet. Nonetheless, they believe that this new variant is still in the test phase and will soon be released.

Two other notorious RAT threats were also examined in TreatFabric’s report – Gustaff and Hydra. Gustaff targets Australian and Canadian-based banks, as well as crypto wallets and government websites. Hydra on the other hand initially targeted Turkish banks and blockchain wallets but has recently expanded its scope.

These 3 mentioned RATs target at least 26 crypto exchanges and custody providers. Their targets include several crypto giants such as Coinbase, Binance, Bitpay and Wirex, among others.

A potential defense suggested by ThreatFabric against Cerberus is to use a physical authentication key to prevent remote attacks. The hacker needs physical access to the device before getting these keys, which helps to minimize the risk of a successful attack.

Featured image courtesy of Shutterstock