# Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns

**[bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html](https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html)**

BushidoToken

I recently set out to become more acquainted with Maltego, a useful program for open-source
intelligence (OSINT) and forensics, developed by Paterva. I also noticed there is an ongoing
campaign against Turkey using Android banking Trojans such as Anubis and Cerberus. Both
are Malware-as-a-Service offerings that supply a builder and mobile remote access Trojan
(MRAT) to steal credentials from Android users.

Security researchers such as @MalwareHunterTeam, @ReBensk, @pr3wtd, and
@mertcangokgoz, and others have all recently shared new samples of Cerberus and Anubis
targeting users in Turkey with mobile data “gifts” that are offered from their mobile carriers
due to COVID-19. Various websites are registered hosting links to fake apps, which were
downloaded from the threat actor’s GitLab or BitBucket repositories. These apps are Android
packages (.APK) that can be distributed via SMS, instant messaging app, on Twitter, via
email, and other social engineering techniques.

With the Tweets of these security researchers I compiled the indicators of compromise (IOCs)
such as file hashes, domains, IP addresses, and any other useful artefacts. I then fired up
Maltego and began compiling the IOCs and trying to figure out how it was all connected.

**Multiple Anubis campaigns:**


-----

**Cerberus GitLab campaign:**


-----

**Cerberus BitBucket campaign:**


-----

**Phishing lures:**


-----

-----

**Number of people targeted in these campaigns:**


-----

Additional findings:
Four of the command and control (C&C) servers during the Cerberus BitBucket campaign
were registered by the same threat actor. All used the same throwaway Gmail address to
register over a dozen malicious domains with the ".top" gTLD.

As previously mentioned the attackers are exploiting the lockdown due to the coronavirus with
these key phrases in Turkish:

- “Hediye” = Gift

- “Evde internetim var” = Have internet at home

- “Evde kal” = Stay at home

- “Indir 20GB kazan” = Download win 20GB

(Disclaimer - I only used Google translate)

**Indicators of Compromise:**

Filenames:

EvdeHayatVar_build_obf.apk Covid_19.apk EvdeKal_build_obf.apk

evdekal_obf.apk Covid19MobileInstall_obf.apk Vodafone-5G.apk


-----

evdekal-20gb.apk Covid-19Mobile.apk GooglePlay.apk

20gb-evdekal.apk 20GBHediye.apk 20gb_hediye_internet.apk

30GbKazan.apk 20gbhediyesi.apk HayatEveSigar.apk

hediye20gb.apk 20gb-evde-kal.apk SenEvdesinDiye_build_obf.apk

20gb_hediye_internet.apk hediye20gb.apk hayatevesigar.apk

evdekaliyorum.apk basvuru_devlet_destegi.apk evde-kal.apk

Users:
https://bitbucket[.]org/nilsudemir1881
https://bitbucket[.]org/kaankaratas12881

https://bitbucket[.]org/emreadamol34
https://gitlab[.]com/akif65336

https://gitlab[.]com/ordulkemal2

IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX feed
[here.](https://otx.alienvault.com/pulse/5eb5dc29f93f6c29a4d710fa)
Sources:
[https://twitter.com/AdemOzcan68/status/1254507257427001345?s=20](https://twitter.com/AdemOzcan68/status/1254507257427001345?s=20)
[https://twitter.com/mertcangokgoz/status/1253608999024558081?s=20](https://twitter.com/mertcangokgoz/status/1253608999024558081?s=20%C2%A0)
[https://twitter.com/ReBensk/status/1253303545681625091](https://twitter.com/ReBensk/status/1253303545681625091)
[https://twitter.com/malwrhunterteam/status/1253266830237540352](https://twitter.com/malwrhunterteam/status/1253266830237540352)
[https://twitter.com/pr3wtd/status/1257022398202810370](https://twitter.com/pr3wtd/status/1257022398202810370)
[https://twitter.com/malwrhunterteam/status/1256649187581722635](https://twitter.com/malwrhunterteam/status/1256649187581722635)
[https://twitter.com/SmashTheKernel/status/1258641094369251328](https://twitter.com/SmashTheKernel/status/1258641094369251328)

[https://koodous.com/apks?search=HayatEveSigar](https://koodous.com/apks?search=HayatEveSigar)

**Continued:**

Security researchers that focus on Android threats have shared additional samples this week
as part of this ongoing campaign. Some samples are directly connected, others are part of a
new wave. BitBucket remains to be a preferred choice for hosting the APK files of the Android
Trojans and many of the malicious domains are hosted with the GoDaddy registrar services.

Anubis campaigns:


-----

Continued:

Phishing lures used this week:


-----

-----

More IOCs such as Hashes, Domains, URLs, and IPv4 addresses can be found on my OTX
feed [here.](https://otx.alienvault.com/pulse/5ebeb1b1cc5ab283477bf6c8/)

**Analysis:**

Turkish users continue to be targeted by the Anubis Android banking Trojan campaign, using
coronavirus phishing and free mobile data "gifts" due to the lockdown. If the previous
download numbers are to be believed, it is more than likely that around 4,000 people in
Turkey may have unknowingly downloaded the Trojan onto their devices.

This is a serious cybercriminal campagin that is exploiting the COVID-19 pandemic. What
makes these attacks all the more difficult to prevent is that Anubis is a Malware-as-a-Service
platform. This means that low-skilled threat actors can purchase access and initiate attacks
immediately. The only barrier to entry is usually a Bitcoin wallet to buy with.

This campaign is likely to continue exploiting the coronavirus for the forseeable future. It is a
golden opportunity for threat actors to leverage in their phishing lures due to a heightened
level of paranoia and uncertainty amongst the general population. As people seek for
answers and the latest news on the coronavirus they fall into these attacker's traps.


-----

Android users should exercise caution over such threats and make sure to never download
an application from a website or third-party appstore. Business devices should stick to vetted
apps from the Google Play Store.

Sources:
[https://twitter.com/malwrhunterteam/status/1260817120687984640](https://twitter.com/malwrhunterteam/status/1260817120687984640)
[https://twitter.com/malwrhunterteam/status/1260606944882110464](https://twitter.com/malwrhunterteam/status/1260606944882110464)
[https://twitter.com/ReBensk/status/1260502947680698368](https://twitter.com/ReBensk/status/1260502947680698368)
[https://twitter.com/ReBensk/status/1260791061301137409](https://twitter.com/ReBensk/status/1260791061301137409)
[https://twitter.com/ReBensk/status/1260056152965918720](https://twitter.com/ReBensk/status/1260056152965918720)
[https://twitter.com/ReBensk/status/1260085218364452864](https://twitter.com/ReBensk/status/1260085218364452864)
[https://twitter.com/ReBensk/status/1260175293009891328](https://twitter.com/ReBensk/status/1260175293009891328)
[https://twitter.com/ReBensk/status/1259771887598612487](https://twitter.com/ReBensk/status/1259771887598612487)
[https://twitter.com/SmashTheKernel/status/1259801643748667392](https://twitter.com/SmashTheKernel/status/1259801643748667392)
[https://twitter.com/ni_fi_70/status/1259792444444606465](https://twitter.com/ni_fi_70/status/1259792444444606465)

## Lessons from the Conti Leaks

 How Do You Run A Cybercrime Gang?

 Ransomware Decryption Intelligence


-----