Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators’ infrastructure.
“The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications,” Hunt.io said in a report.
ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it’s assessed to be an evolution of Cerberus and BlackRock.
Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations.
Hunt.io said it managed to obtain the complete source code associated with the malware-as-a-service (MaaS) offering from an open directory on 141.164.62[.]236:443, right down to its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.
The functions of each of the components are listed below –
- Backend C2 server – Provides operators the ability to manage victim devices and access compromised data, such as SMS logs, stolen accounts, and device data
- Frontend panel – Allows operators to interact with connected devices by issuing commands, managing overlays, and accessing stolen data
- Exfiltration server – A Golang server used for exfiltrating stolen data and managing information related to compromised devices
- ERMAC backdoor – An Android implant written in Kotlin that offers the ability to control the compromised device and collect sensitive data based on incoming commands from the C2 server, while ensuring that the infections don’t touch devices located in the Commonwealth of Independent States (CIS) nations
- ERMAC builder – A tool to help customers configure and create builds for their malware campaigns by providing the application name, server URL, and other settings for the Android backdoor
Besides an expanded set of app targets, ERMAC 3.0 adds new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor, and AES-CBC encrypted communications.
“The leak revealed critical weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel,” the company said. “By correlating these flaws with live ERMAC infrastructure, we provide defenders with concrete ways to track, detect, and disrupt active operations.”
