ThreatFabric, an Amsterdam-based cybersecurity firm specializing in threats to the financial industry, has identified the "Cerberus" Trojan that steals 2-Factor Authentication (2FA) codes generated by the Google Authenticator app for internet banking, email accounts, and cryptocurrency exchanges.

US-based cryptocurrency exchange Coinbase is one of the crypto platforms listed in Cerberus’ exhaustive list of targets — which also includes major financial institutions around the world and social media apps. 

The cybersecurity firm notes that it has not identified any advertisement on the dark beb for Cerberus’ updated features, leading it to believe that the updated version is “still in the test phase but might be released soon.”

Cerberus updated during early 2020

ThreatFabric’s report states that the Remote Access Trojan (RAT) “Cerberus,” was first identified during the end of June, superseding the Anubis Trojan and emerging as a major Malware-as-a-Service product.

The report states that Cerberus was updated in mid-January 2020, with the new version introducing the capability to steal 2FA tokens from Google Authenticator, as well as device screen-lock PIN codes and swipe patterns.

Once installed, Cerberus is able to download a device’s contents, and establish connections providing the malicious actor with full remote access over the device. The RAT can then be used to operate any app on the device, including bank and cryptocurrency exchange apps.

“The feature enabling theft of device’s screen lock credentials (PIN and lock pattern) is powered by a simple overlay that will require the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built in order for the actors to be able to remotely unlock the device in order to perform fraud when the victim is not using the device. This once more shows the creativity of criminals to build the right tools to be successful.”

Banking Trojans increasingly target crypto wallet apps

The report also examines two other RATs that rose to prominence after Anubis — “Hydra” and “Gustaff.”

Gustaff targets Australian and Canadian banks, cryptocurrency wallets, and government websites, while Hydra has recently expanded in scope after mostly targeting Turkish banks and blockchain wallets.

Including Cerberus, the three Trojans target at least 26 cryptocurrency exchanges and custody providers. The targets include several leaders in the crypto sector, including Coinbase, Binance, Xapo, Wirex, and Bitpay. 

More than 20 of the targets are wallets providers offering support for leading cryptocurrencies including Bitcoin (BTC), Ethereum (ETH), and Bitcoin Cash (BCH)

A potential defense against Cerberus is to use a physical authentication key to prevent remote attacks. These keys require a hacker to have the actual device in their presence, which helps minimize the risk of a successful attack.