Cybersecurity experts have uncovered the inner workings of a sophisticated Android banking trojan known as ERMAC 3.0, highlighting significant vulnerabilities in the infrastructure of its operators.
“The latest version 3.0 of ERMAC showcases a major advancement in the malware’s capabilities, enhancing its ability to inject forms and steal data from over 700 banking, shopping, and cryptocurrency apps,” Hunt.io stated in a report.
ERMAC was initially identified by ThreatFabric in September 2021, demonstrating its capacity to execute overlay attacks on numerous banking and cryptocurrency applications worldwide. Attributed to a threat actor named DukeEugene, it is believed to be a progression from Cerberus and BlackRock.
Several other prevalent malware strains, such as Hook (ERMAC 2.0), Pegasus, and Loot, share a common ancestry with ERMAC, with source code elements passed down and modified through successive generations.
Hunt.io reported that it was able to access the complete source code of the malware-as-a-service (MaaS) platform from an open directory on 141.164.62[.]236:443, including its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.
The functionalities of each component are outlined below:
- Backend C2 server – Enables operators to manage infected devices and access compromised data such as SMS logs, stolen accounts, and device information
- Frontend panel – Allows operators to communicate with connected devices, issue commands, manage overlays, and access stolen data
- Exfiltration server – Utilizes a Golang server for exfiltrating stolen data and managing information related to compromised devices
- ERMAC backdoor – An Android implant written in Kotlin that facilitates control over compromised devices and collection of sensitive data based on commands from the C2 server, while excluding devices in the Commonwealth of Independent States (CIS) nations
- ERMAC builder – A tool for configuring and creating builds for malware campaigns by specifying application name, server URL, and other settings for the Android backdoor
Aside from broadening its range of targeted applications, ERMAC 3.0 introduces new form injection techniques, an updated command-and-control (C2) panel, a fresh Android backdoor, and encrypted communications using AES-CBC.
“The leak exposed critical vulnerabilities such as a hardcoded JWT secret, a static admin bearer token, default root credentials, and open account registration on the admin panel,” the company stated. “By identifying these weaknesses in conjunction with active ERMAC infrastructure, we offer defenders actionable insights to monitor, detect, and disrupt ongoing operations.”