Amsterdam-based cybersecurity firm ThreatFabric has detected that the Cerberus Trojan steals 2FA codes generated by the Google Authenticator app for online banking, email addresses, and crypto exchanges. According to the report, the crypto trading platform Coinbase is included in the list of institutions that might be targeted by the Cerberus Trojan.
The report noted that it had not seen any ads for updates of Cerberus’ features. The firm believes that the updated version is currently in the “test phase,” but it might be released soon.
Updated Cerberus Trojan stealing 2FA codes
The report noted that Cerberus was first discovered in June 2019. At that time, the Trojan was emerging as a replacement for the Anubis Trojan. The report revealed that the Cerberus Trojan was updated in January 2020. This new version had the capability to steal 2FA codes from Google Authenticator as well as screen-lock PIN codes and swipe patterns.
Once the Trojan invades a device, it can send the device’s contents to the attacker and give the malicious actor full remote access to the device. Cerberus can then be used to access any application on the device, including financial applications such as crypto exchange apps.
The report also discussed two other Trojans that emerged after Anubis: Hydra and Gustaff.
Gustaff usually targets banks in Australia and Canada, as well as crypto wallets and government websites. Meanwhile, Hydra has targeted Turkish banks and blockchain wallets.
Including Cerberus, the three Trojans target over 25 crypto exchanges and custody services that include popular platforms such as Coinbase, Binance, Wirex, and Bitpay.
A potential defense is to use a physical authentication key to prevent access.