Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns
By BushidoToken
Published: 2020-05-09

I recently set out to become more acquainted with Maltego, a useful program for open-source intelligence (OSINT) and forensics developed by Paterva. I also noticed there is an ongoing campaign against Turkey using Android banking Trojans such as Anubis and Cerberus. Both are Malware-as-a-Service offerings that supply a builder and a mobile remote access Trojan (MRAT) used to steal credentials from Android users.

Security researchers including @MalwareHunterTeam, @ReBensk, @pr3wtd and @mertcangokgoz have recently shared new samples of Cerberus and Anubis targeting users in Turkey with lures about mobile data "gifts" supposedly offered by their mobile carriers because of COVID-19. Various websites were registered to host links to fake apps, which are downloaded from the threat actor's GitLab or BitBucket repositories. These apps are Android packages (.APK) that can be distributed via SMS, instant messaging apps, Twitter, email and other social engineering techniques.

Using the Tweets of these security researchers, I compiled the indicators of compromise (IOCs) such as file hashes, domains, IP addresses, and any other useful artefacts. I then fired up Maltego and began compiling the IOCs and trying to figure out how it was all connected.
Multiple Anubis campaigns: [Maltego graph image not preserved]

Cerberus GitLab campaign: [Maltego graph image not preserved]

Cerberus BitBucket campaign: [Maltego graph image not preserved]

Phishing lures: [images not preserved]

Number of people targeted in these campaigns: [image not preserved]

Additional findings:

Four of the command and control (C&C) servers used in the Cerberus BitBucket campaign were registered by the same threat actor. All used the same throwaway Gmail address to register over a dozen malicious domains under the ".top" gTLD.

As previously mentioned, the attackers are exploiting the coronavirus lockdown with these key phrases in Turkish:
- "Hediye" = Gift
- "Evde internetim var" = Have internet at home
- "Evde kal" = Stay at home
- "Indir 20GB kazan" = Download win 20GB
(Disclaimer - I only used Google Translate)

Indicators of Compromise:

Filenames:
- EvdeHayatVar_build_obf.apk
- Covid_19.apk
- EvdeKal_build_obf.apk
- evdekal_obf.apk
- Covid19MobileInstall_obf.apk
- Vodafone-5G.apk
- evdekal-20gb.apk
- Covid-19Mobile.apk
- GooglePlay.apk
- 20gb-evdekal.apk
- 20GBHediye.apk
- 20gb_hediye_internet.apk
- 30GbKazan.apk
- 20gbhediyesi.apk
- HayatEveSigar.apk
- hediye20gb.apk
- 20gb-evde-kal.apk
- SenEvdesinDiye_build_obf.apk
- hayatevesigar.apk
- evdekaliyorum.apk
- basvuru_devlet_destegi.apk
- evde-kal.apk

Users:
- https://bitbucket[.]org/nilsudemir1881
- https://bitbucket[.]org/kaankaratas12881
- https://bitbucket[.]org/emreadamol34
- https://gitlab[.]com/akif65336
- https://gitlab[.]com/ordulkemal2

IOCs such as hashes, domains, URLs, and IPv4 addresses can be found on my OTX feed here.

Source: https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html
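The registrant pivot described under "Additional findings" (one throwaway mailbox behind several ".top" C&C domains) is the kind of link Maltego draws between WHOIS entities. Below is an added example, not code from the original post, that performs the same pivot in Python over constructed WHOIS records; every domain, e-mail address and date in it is a placeholder, not a real indicator from the campaign.

```python
"""Cluster domains by WHOIS registrant e-mail and report shared-registrant
clusters with defanged indicators. All sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str
    created: str  # ISO date (constructed)


# Constructed sample: one throwaway mailbox behind several .top domains,
# one unrelated legitimate domain, and one privacy-redacted registration.
SAMPLE_RECORDS = [
    WhoisRecord("hediye-lure-a.top", "throwaway-placeholder@example.com", "2020-04-20"),
    WhoisRecord("evdekal-lure-b.top", "throwaway-placeholder@example.com", "2020-04-21"),
    WhoisRecord("kazan-lure-c.top", "throwaway-placeholder@example.com", "2020-04-22"),
    WhoisRecord("covid-lure-d.top", "throwaway-placeholder@example.com", "2020-04-25"),
    WhoisRecord("unrelated-shop.com", "owner@shop.example", "2018-01-10"),
    WhoisRecord("privacy-protected.top", "REDACTED FOR PRIVACY", "2020-04-22"),
]


def defang(domain: str) -> str:
    """Render an indicator non-clickable, e.g. 'a.top' -> 'a[.]top'."""
    return domain.replace(".", "[.]")


def cluster_by_registrant(records, min_size=2):
    """Group domains by registrant e-mail. Privacy-redacted registrants are
    skipped: they would lump unrelated domains into one false cluster."""
    groups = defaultdict(list)
    for rec in records:
        email = rec.registrant_email.strip().lower()
        if "@" not in email:  # e.g. 'REDACTED FOR PRIVACY'
            continue
        groups[email].append(rec)
    return {e: sorted(r.domain for r in recs)
            for e, recs in groups.items() if len(recs) >= min_size}


def tld_summary(domains):
    """Count top-level domains in a cluster (the post found a '.top' bias)."""
    counts = defaultdict(int)
    for d in domains:
        counts[d.rsplit(".", 1)[-1]] += 1
    return dict(counts)


def report(records):
    lines = []
    for email, domains in cluster_by_registrant(records).items():
        lines.append(f"registrant {email}: {len(domains)} domains, tlds={tld_summary(domains)}")
        lines.extend("  " + defang(d) for d in domains)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RECORDS)))
```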