Cerberus, Hydra and Gustaff: new trojans steal data to access cryptocurrency exchanges and wallets

ThreatFabric discovered three new trojans: Cerberus, Hydra and Gustaff. Their main goal is to steal data for access to cryptocurrency exchanges, cryptocurrency wallets and banking applications.

Amsterdam-based cyber security company ThreatFabric discovered the Cerberus Trojan, which steals two-factor authentication codes generated by the Google Authenticator application for Internet banking, email accounts and cryptocurrency exchanges.

According to ThreatFabric, the Coinbase cryptocurrency exchange is one of the targets of Cerberus, along with large financial institutions around the world and social networking applications. The company has not yet found an advertisement for the updated Cerberus features on the darknet. This means that the updated version “is still in the testing phase, but may be released soon.”

A ThreatFabric report says that the Cerberus remote access Trojan was first discovered at the end of June last year, replacing the Anubis Trojan and becoming one of the most popular Malware-as-a-Service products.

ThreatFabric notes that Cerberus was updated in mid-January 2020, and the new version has the ability to steal two-factor authentication tokens from Google Authenticator, as well as device screen lock PINs. After installation, Cerberus can download the contents of the device and establish connections, giving the attacker full remote access to the device. Then the trojan can be used to work with any application, including banking, and to access cryptocurrency exchanges.

“The feature that steals the device’s screen lock credentials (PIN and lock pattern) is provided with a simple overlay that will require the victim to unlock the device. From the implementation of the trojan, we can conclude that this theft of the screen lock credentials was created so that attackers could remotely unlock the device for their own purposes when the victim does not use it. This once again confirms the rich imagination of criminals who create sophisticated tools to achieve their goals.”

The report examines two more remote access trojans that appeared after Anubis – Hydra and Gustaff. Hydra developers have recently expanded the scope of the program, making Turkish banks and blockchain wallets their main targets. Gustaff targets Australian and Canadian banks, cryptocurrency wallets and government websites.

The three trojans, including Cerberus, target at least 26 cryptocurrency exchanges and cryptocurrency service providers, including Coinbase, Binance, Xapo, Wirex and Bitpay. A potential defense against Cerberus is the use of a physical authentication key to prevent remote attacks. These keys require physical access to the device, which helps minimize the risk of a successful attack.

Hackers are increasingly targeting cryptocurrency users. According to CipherTrace, last year losses from hacker attacks decreased, but the total losses from crimes in the crypto assets industry rose to $4.52 billion from $1.74 billion in 2018.
