Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, revealing serious shortcomings in the operator's infrastructure.
“The newly discovered version 3.0 reveals a major evolution of the malware and expands its form injection and data theft capabilities to target over 700 banking, shopping, and cryptocurrency applications,” Hunt.io said in the report.
ERMAC was first documented in September 2021 by ThreatFabric, which detailed its ability to carry out overlay attacks against hundreds of banking and cryptocurrency apps around the world. Attributed to a threat actor named DukeEugene, it is assessed to be an evolution of Cerberus and BlackRock.
Other commonly observed malware families, including Hook (aka ERMAC 2.0), Pegasus, and Loot, share source code components with ERMAC, reflecting modified strains that have been passed down over generations.


Hunt.io said it was able to obtain the full source code of the malware-as-a-service (MaaS) offering from an open directory at 141.164.62[.]236:443.
The function of each component is listed below –
- Backend C2 Server – Gives operators the ability to manage victim devices and access compromised data such as SMS logs, stolen accounts, and device information
- Frontend Panel – Allows operators to interact with connected devices by issuing commands, managing overlays, and accessing stolen data
- Exfiltration Server – Golang server used to exfiltrate stolen data and manage information related to compromised devices
- ERMAC Backdoor – Android implant written in Kotlin that controls compromised devices based on incoming commands from the C2 server, collects sensitive data, and avoids infecting devices located in Commonwealth of Independent States (CIS) countries
- ERMAC Builder – A tool that helps customers configure and create builds for malware campaigns by supplying the Android backdoor application name, server URLs, and other settings
In addition to the expanded set of app targets, ERMAC 3.0 adds new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor, and AES-CBC encrypted communications.
“The leak revealed significant weaknesses, including hard-coded JWT secrets, static administrator bearer tokens, default root credentials, and open account registrations for the admin panel,” the company said. “We provide defenders with concrete ways to track, detect and disrupt active operations by correlating these flaws with live ERMAC infrastructure.”
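Two of the weaknesses named in the quote above, hard-coded JWT secrets and tokens that never expire, are worth seeing in code because the fix is the same for any admin panel, not just the ERMAC one. The following is an added example written for this article, not code from Hunt.io or from the leaked ERMAC source; it implements a minimal HS256 JWT issue/verify pair with Python's standard library (no third-party JWT package) and shows why a token minted under a leaked secret stops working once the secret is rotated and why a short `exp` bounds the damage. The secret, the claims and the timestamps are constructed values for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes, ttl_seconds: int = 900,
               now: Optional[int] = None) -> str:
    """Issue an HS256 JWT with a mandatory expiry. `now` is injectable for tests."""
    issued_at = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=issued_at, exp=issued_at + ttl_seconds)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(body, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: bytes,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is validly signed and unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm server-side; never trust the header's alg claim alone.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids timing leaks on the MAC check.
    if not hmac.compare_digest(expected, sig):
        return None
    current = int(now if now is not None else time.time())
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= current:
        return None
    return claims


def load_secret() -> bytes:
    """Read the signing secret from the environment instead of the code base.

    ADMIN_JWT_SECRET is a hypothetical variable name; the fallback generates a
    fresh random secret so a missing variable never degrades to a fixed string.
    """
    value = os.environ.get("ADMIN_JWT_SECRET")
    return value.encode() if value else os.urandom(32)


if __name__ == "__main__":
    # Constructed scenario: a secret that leaked, then a rotation.
    leaked_secret = b"constructed-leaked-secret-0123456789"
    token = mint_token({"sub": "admin"}, leaked_secret, ttl_seconds=600, now=1_000)
    print("valid under leaked secret:", verify_token(token, leaked_secret, now=1_100))
    rotated_secret = load_secret()
    print("after rotation:", verify_token(token, rotated_secret, now=1_100))
    print("after expiry:", verify_token(token, leaked_secret, now=2_000))
```

The two defensive levers are visible in the last three lines: rotating the secret invalidates every token issued under the leaked one immediately, and a short `exp` means even an unrotated secret only yields tokens that die within minutes. Rejecting any `alg` other than the one the server expects closes the related class of header-substitution bugs; that check is a general JWT hardening step, not something the report attributes to ERMAC.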