Alien RAT with 2FA-Stealing Technique

A new variant of the Cerberus malware, which has been available for rent on underground forums since January, has been found infecting Android devices and targeting more than 200 applications.

What has happened?

According to a ThreatFabric research, the newly identified banking trojan called Alien shares several common capabilities with the Cerberus banking malware.
  • Researchers reported the Alien RAT targeting a list of at least 226 mobile applications, including banking apps such as BBVA Spain, Bank of America Mobile Banking, as well as a slew of collaboration and social networking apps such as Twitter, Snapchat, and Instagram.
  • It comes equipped with an advanced ability to bypass two-factor authentication (2FA) security measures to steal the victim’s credentials. The malware also abuses the TeamViewer application to gain full remote control over the victim’s device.
  • It has been targeting institutions in multiple countries worldwide, including Australia, France, Germany, Italy, Poland, Spain, Turkey, the U.K., and the U.S.

The Cerberus link

Researchers speculate that Alien RAT is a fork of Cerberus, whose use has steadily declined over the past year and which was put up for sale in August. Besides the capabilities the two share, there are a few notable differences.
  • Alien RAT has been implemented separately from the main command handler and uses different command-and-control (C2) endpoints.
  • Moreover, Alien’s 2FA-stealing technique is a feature that goes beyond Cerberus’s capabilities.

More malware adding 2FA-bypass technique

  • Several attackers and malware operators have upgraded their malware and attack vectors to incorporate 2FA-bypass techniques and carry out more successful attacks.
  • Recently, the Rampant Kitten group developed a custom Android malware capable of stealing and intercepting 2FA codes sent via SMS.
  • Last month, the Israel-based gym app management platform Fizikal was found to have a few vulnerabilities that could allow attackers to carry out a 2FA-bypass attack.

The bottom line

Banking trojans have recently been evolving with new and improved features to increase the success rate of fraud. Financial institutions are recommended to assess their current and future threat exposure and to implement relevant detection and control mechanisms at the earliest opportunity.