Cybersecurity researchers detail the internal mechanisms of an Android Banking Trojan called ERMAC 3.0, revealing serious shortcomings in the operator’s infrastructure.
“The newly discovered version 3.0 reveals a major evolution of malware and expands form injection and data theft capabilities to target over 700 banks, shopping and cryptocurrency applications,” Hunt.io said in the report.
ERMAC was first documented in September 2021 by ThreatFabric, detailing its ability to implement overlay attacks against hundreds of banks and cryptocurrency apps around the world. Due to a threat actor named Duquisen, it is rated as an evolution of Cerberus and Black Rock.
Other commonly observed malware families, including Hook (ERMAC 2.0), Pegasus, and Loot, own shared strains. Source code components are ancestors in the form of modified ERMAC, passed down through generations.
Hunt.io said it was able to obtain the full source code related to providing malware as a service (MAAS) from the open directory at 141.164.62[.]236:443, up to its PHP and Laravel backend, reaction-based frontend, Golang Exfiltration Server, and Android Builder panels.
The functions for each component are listed below –
Backend C2 Server – Provides operators with the ability to manage victims’ devices and access compromised data such as SMS logs, stolen accounts, and device data front-end panels. Operators can interact with connected devices by issuing commands, managing overlays, and accessing stolen data Exfltry servers. Implants written in Kotlin provide the ability to control compromised devices, collect sensitive data based on incoming commands from C2 servers, and prevent infection from touching devices in independent states (CIS) countries (CIS) countries – ensuring that customers have tools to configure and create builds for malware campaigns and malware backs
In addition to the extended set of APP targets, ERMAC 3.0 adds new form injection methods, an overhauled command and control (C2) panel, new Android backdoors, and AES-CBC encrypted communications.
“The leak revealed significant weaknesses, including hard-coded JWT secrets, static administrator bearer tokens, default root credentials, and open account registrations for the admin panel,” the company said. “We provide defenders with concrete ways to track, detect and disrupt active operations by correlating these flaws with live ERMAC infrastructure.”
Source link
