A threat actor compromised more than 75% of a company's mobile devices by pushing malware through the organization's Mobile Device Management (MDM) server, Check Point reports.
As part of the attack, the cybercriminals distributed a new variant of the Cerberus Android malware, designed to collect large amounts of sensitive data and exfiltrate it to a remote command and control (C&C) server. The victim was described as a multinational conglomerate, and investigators believe the attack was targeted.
The attack was discovered on February 18, when two malicious applications were installed on company devices within a short period of time. This was possible because the attackers had compromised the target's MDM server and used its remote application installation capability to push the malicious code to the managed devices.
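The intrusion path above, a compromised MDM server pushing unapproved packages to most of the fleet within minutes, is one that MDM audit logs should make visible. The script below is an added example, not code from the article or from Check Point: it assumes an MDM audit log exported as one JSON object per line with `ts`, `action`, `package`, `device` and `actor` fields (real products use other schemas, so the field names are an assumption), and it flags installs of packages outside an allowlist as well as any package that reaches a configurable fraction of the fleet inside a sliding time window. The log lines, device names and thresholds are constructed for illustration.

```python
"""Flag unexpected application pushes in an MDM audit log.

Added example, not code from the article or from Check Point. The log format
(one JSON object per line with ts, action, package, device, actor fields) and
the thresholds are assumptions; real MDM exports use other schemas.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not real data): a routine rollout of an approved app
# spread over the morning, then two unapproved packages pushed to most of the
# fleet within a few minutes, mirroring the pattern described in the article.
SAMPLE_LOG = """
{"ts": "2020-02-18T08:00:00Z", "action": "app_install", "package": "com.corp.mail", "device": "dev-001", "actor": "mdm-admin"}
{"ts": "2020-02-18T10:00:00Z", "action": "app_install", "package": "com.corp.mail", "device": "dev-002", "actor": "mdm-admin"}
{"ts": "2020-02-18T13:40:00Z", "action": "app_install", "package": "com.update.system", "device": "dev-001", "actor": "mdm-admin"}
{"ts": "2020-02-18T13:45:00Z", "action": "app_install", "package": "com.update.system", "device": "dev-002", "actor": "mdm-admin"}
{"ts": "2020-02-18T13:52:00Z", "action": "app_install", "package": "com.update.system", "device": "dev-003", "actor": "mdm-admin"}
{"ts": "2020-02-18T13:55:00Z", "action": "app_install", "package": "com.sys.helper", "device": "dev-002", "actor": "mdm-admin"}
{"ts": "2020-02-18T13:58:00Z", "action": "app_install", "package": "com.sys.helper", "device": "dev-004", "actor": "mdm-admin"}
{"ts": "2020-02-18T14:10:00Z", "action": "config_push", "package": null, "device": "dev-001", "actor": "mdm-admin"}
"""

ALLOWLIST = {"com.corp.mail", "com.corp.vpn"}        # packages approved for push (assumed)
FLEET = {"dev-001", "dev-002", "dev-003", "dev-004"}  # managed devices (constructed)
PUSH_WINDOW = timedelta(minutes=30)                   # assumed rollout window
FLEET_FRACTION = 0.5                                  # assumed alert threshold


def parse_log(text):
    """Parse JSON lines into time-ordered event dicts with datetime timestamps."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def installs(events):
    """Only application install events; config pushes and the like are ignored."""
    return [e for e in events if e["action"] == "app_install"]


def unapproved_installs(events):
    """Every install of a package that is not on the allowlist."""
    return [e for e in installs(events) if e["package"] not in ALLOWLIST]


def mass_pushes(events, fleet=FLEET, window=PUSH_WINDOW, fraction=FLEET_FRACTION):
    """Map package -> set of devices for packages whose installs reach
    `fraction` of the fleet within any `window`-long span (sliding window
    over that package's time-ordered install events)."""
    by_pkg = defaultdict(list)
    for e in installs(events):
        by_pkg[e["package"]].append(e)
    threshold = fraction * len(fleet)
    hits = {}
    for pkg, evs in by_pkg.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) >= threshold:
                # flagged: report the package's whole rollout, not just this window
                hits[pkg] = {e["device"] for e in evs}
                break
    return hits


def triage(text):
    """Return the raw findings plus the packages that are both unapproved and
    pushed fleet-wide quickly, which is the combination that should page someone."""
    events = parse_log(text)
    unapproved = {e["package"] for e in unapproved_installs(events)}
    mass = mass_pushes(events)
    return {
        "unapproved": sorted(unapproved),
        "mass_push": {pkg: sorted(devs) for pkg, devs in mass.items()},
        "critical": sorted(unapproved & set(mass)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Running it on the constructed log reports `com.update.system` and `com.sys.helper` as critical: neither is approved, and each reached half the fleet within the 30-minute window, while the approved mail client's slow rollout is not flagged. Whatever the real schema, the two signals worth wiring into alerting are the allowlist miss and the rollout velocity, since a legitimate administrator rarely needs to install a brand-new package on most devices in a few minutes.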
The Cerberus banking Trojan used in this attack is a known malware family offered as malware-as-a-service (MaaS), and it is able to deliver a Mobile Remote Access Trojan (MRAT). It can log keystrokes on the device and steal data from Google Authenticator as well as incoming SMS messages (including 2FA codes). Attackers can control the device remotely via TeamViewer.
After installation, the malware displays a window disguised as an Accessibility Service update. Once the user accepts the "update", the threat can use the Accessibility Service to perform actions without further user interaction whenever it needs to.
It then registers a broadcast receiver for various system events, so that the malicious flow starts as soon as one of them is triggered. After the first contact with the C&C server, the malware receives a list of commands to execute.
The main module can steal Google Authenticator credentials, Gmail passwords and the phone's unlock pattern, send lists of files and installed applications, and download files on demand. It may also attempt to install TeamViewer, which gives the attackers remote control of the device.
For persistence, the malware obtains device administrator rights and resists removal attempts by automatically closing the application's details page in Settings. It also disables Google Play Protect to avoid detection and removal.
The second module (the payload), which is mainly used to steal data and accounts, can collect all contacts, SMS messages and installed applications and send them to the C&C. In addition, it can send SMS, make calls, send USSD requests, display notifications, install or uninstall applications, and open pop-ups with URLs.
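The capabilities described in the preceding paragraphs (an Accessibility Service abused to act without the user, a device-administrator receiver used to resist removal, receivers that fire on system events such as boot or incoming SMS, and permissions for contacts, calls and package installation) are all declared in an app's `AndroidManifest.xml`, so the combination can be scored before an app is ever pushed by MDM. The script below is an added example, not code from Check Point or the article: it parses a manifest with the standard library, looks for that combination, and returns a weighted score. The sample manifest is constructed for illustration (a fake "System Update" app; no real package or signature), and the indicator list and weights are my own assumptions rather than a published detection rule.

```python
"""Triage an Android manifest for the banker-style capability combination
described in the article (accessibility service, device admin, SMS and boot
receivers, plus the permissions those components need).

Added example, not code from Check Point or the article. The sample manifest
is constructed for illustration; the indicator weights are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Constructed manifest fragment (not a real app) mimicking the behaviours
# described above: an accessibility service, a device-admin receiver, an SMS
# receiver and a boot receiver, plus the permissions they rely on.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="System Update">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Assumed weights: component-level indicators count more than permissions.
INDICATORS = {
    "accessibility_service": 3,
    "device_admin_receiver": 2,
    "sms_receiver": 2,
    "boot_receiver": 1,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.SYSTEM_ALERT_WINDOW": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 1,
    "android.permission.CALL_PHONE": 1,
}


def component_actions(component):
    """Set of intent-filter action names declared on a service or receiver."""
    return {
        action.get(A + "name")
        for flt in component.findall("intent-filter")
        for action in flt.findall("action")
    }


def find_indicators(manifest_xml):
    """Return the set of indicator names present in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    found = set()
    for perm in root.findall("uses-permission"):
        name = perm.get(A + "name")
        if name in INDICATORS:
            found.add(name)
    app = root.find("application")
    if app is None:
        return found
    for svc in app.findall("service"):
        # an accessibility service must be guarded by this permission
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility_service")
    for rcv in app.findall("receiver"):
        actions = component_actions(rcv)
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found.add("device_admin_receiver")
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            found.add("sms_receiver")
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.add("boot_receiver")
    return found


def risk_score(manifest_xml):
    """Sum of the weights of the indicators found in the manifest."""
    return sum(INDICATORS[i] for i in find_indicators(manifest_xml))


if __name__ == "__main__":
    print("indicators:", sorted(find_indicators(SAMPLE_MANIFEST)))
    print("score:", risk_score(SAMPLE_MANIFEST))
```

To use it on a real APK, extract the manifest first (with `apktool` or `aapt2 dump xmltree`, since the manifest inside an APK is binary XML) and feed the decoded text to `find_indicators`. A legitimate app can declare any one of these features, so the point of the score is the combination: an accessibility service together with a device-admin receiver and an SMS receiver in a package that has never been seen on the fleet is exactly what an MDM approval step should stop.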
According to Check Point, the malware performed its data-stealing actions on every compromised device that had no security protection, which means that every credential used on those devices was stolen. If one of those unprotected devices was used by an administrator to access corporate assets, the attackers would have obtained those administrator credentials as well.
Because of the extent of the compromise and the malware's capabilities, the victim organization decided to wipe and reset all devices.
This campaign shows how important it is to understand the difference between managing mobile devices and securing them. While MDM provides an easy way to manage these devices, security should not be ignored. Mobile devices are an integral part of our work, our communication and our companies. They need to be protected like any other endpoint, because they are an attractive target, Check Point concludes.
Related: Syrian hackers target mobile users with COVID-19 lures
Related: Security, privacy issues with COVID-19 mobile government apps
Related: Mobile payment fraud on the rise
Ionut Arghire is an international correspondent for SecurityWeek.