A new mobile banking Trojan called ERMAC has recently been found. The malware appears to have been built by the cybercriminals behind BlackRock, and it has its roots in the infamous Cerberus.
ERMAC is a code successor to the well-known Cerberus malware: it uses almost indistinguishable data structures when communicating with the C2 and reuses the same string data.
Despite its different name, different obfuscation methods and new string encryption, the Trojan the threat actors have branded “ERMAC” is simply another Cerberus-based Trojan.
Moreover, the threat actors are actively abusing this malware in several ongoing campaigns, targeting 378 popular banking and wallet apps with overlays.
Circumstances
The cybersecurity experts at ThreatFabric noted that on August 17 a forum member known as Ermac invited anyone interested in the topic to send a PM to make a deal.
Notably, the topic's originator claimed that he had obtained the contact four days earlier. On that same day, another forum member, “DukeEugene,” posted a message that reads:
“Android botnet ERMAC. I will hire a new android botnet with broad functionality to a restricted circle of people (10 people). 3k$ per month. Details in PM.”
The experts described DukeEugene as a known threat actor behind the BlackRock banking Trojan, which was first discovered in 2020.
You can’t escape Cerberus
After encountering the first ERMAC samples, the security analysts initially took it for just another variant of Cerberus, whose source code has leaked several times; many threat actors have tried to develop their own malware based on that leaked code.
Commands list
Here is the list of commands supported by the bot:
- push: Shows a push notification (clicking on the notification will result in launching specified app)
- startAuthenticator2: Launches the Google Authenticator application
- startAdmin: Triggers request for admin privileges
- startApp: Starts the specified application
- getInstallApps: Gets the list of applications installed on the device
- getContacts: Gets the contact names and phone numbers from the address book of the infected device
- deleteApplication: Triggers the removal of the specified application
- forwardCall: Enables call forwarding to the specified number
- sendSms: Sends a text message with specified text from the infected device to the specified phone number
- SendSMSALL: Sends text messages with specified text from the infected device to all contacts of the infected device
- startInject: Triggers the overlay attack against the specified application
- startUssd: Executes the specified USSD code
- openUrl: Opens the specified URL in the WebView
- getSMS: Gets all text messages from the infected device
- killMe: Triggers the kill switch for the bot
- updateModule: Updates the payload module
- updateInjectAndListApps: Triggers update of the target list
- clearCash/clearCashe: Opens the details screen of the specified application
- getAccounts/logAccounts: Steals the list of accounts registered on the device
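The command vocabulary above is one of the most stable artifacts a Cerberus descendant carries, which makes it a practical triage signature. The following is an added example (not code from the article or from ThreatFabric's report): a small Python scanner that looks for that command set in strings recovered from a sample. The caveat that matters for ERMAC is its string encryption: scanning the raw APK finds nothing, so the input has to be the decrypted strings (dumped from the unpacked payload or from memory). The script simulates that with a toy XOR layer, which is an assumption for illustration only; the command names are copied from the list above, the sample string dumps are constructed, and the hit threshold is an assumed tuning value.

```python
import re
from typing import Dict, List, Tuple

# Bot command names as listed in the ThreatFabric write-up. Everything else in
# this script (threshold, "generic" set, sample data, XOR layer) is an assumption
# made for this added example.
ERMAC_COMMANDS: List[str] = [
    "push", "startAuthenticator2", "startAdmin", "startApp", "getInstallApps",
    "getContacts", "deleteApplication", "forwardCall", "sendSms", "SendSMSALL",
    "startInject", "startUssd", "openUrl", "getSMS", "killMe", "updateModule",
    "updateInjectAndListApps", "clearCash", "clearCashe", "getAccounts", "logAccounts",
]

# Verbs that legitimate apps also use; a hit on these alone proves nothing.
GENERIC = {"push", "startApp", "openUrl", "getContacts", "getSMS"}
FLAG_THRESHOLD = 5  # assumption: distinct non-generic commands needed to flag a sample

# Match whole identifiers only, so "pushNotification" does not count as "push".
_CMD_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, ERMAC_COMMANDS)) + r")(?![A-Za-z0-9_])"
)


def scan_strings(text: str) -> Dict[str, object]:
    """Return the distinct command names found and whether the sample is flagged."""
    hits = set(_CMD_RE.findall(text))
    specific = hits - GENERIC
    return {
        "matched": sorted(hits),
        "specific_hits": len(specific),
        "flagged": len(specific) >= FLAG_THRESHOLD,
    }


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the malware's string encryption (assumption, not ERMAC's scheme)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def scan_raw_and_decrypted(encrypted: bytes, key: bytes) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Scan the blob as found on disk and again after decryption, to show the difference."""
    raw = scan_strings(encrypted.decode("latin-1"))
    decrypted = scan_strings(xor_bytes(encrypted, key).decode("utf-8", errors="ignore"))
    return raw, decrypted


# Constructed sample: strings recovered from a decrypted ERMAC-like payload.
SUSPECT_STRINGS = """
com.example.chrome_update
startInject
getInstallApps
updateInjectAndListApps
SendSMSALL
forwardCall
killMe
https://example.invalid/gate.php
"""

# Constructed sample: a benign app that happens to share the generic verbs.
BENIGN_STRINGS = """
push
openUrl
getContacts
com.example.messenger
"""

KEY = b"\x5a\xa7\x13"  # assumption: toy key for the simulated string encryption

if __name__ == "__main__":
    print("suspect:", scan_strings(SUSPECT_STRINGS))
    print("benign: ", scan_strings(BENIGN_STRINGS))
    raw, dec = scan_raw_and_decrypted(xor_bytes(SUSPECT_STRINGS.encode(), KEY), KEY)
    print("raw blob:", raw)
    print("after decryption:", dec)
```

Run against real samples, feed it the output of a string dump from the unpacked DEX or a memory image rather than the APK itself; the same command list converts directly into a YARA rule with a hit-count condition if you prefer to scan at scale.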
The campaigns
ThreatFabric identified several campaigns involving ERMAC; the first major campaign began in late August, with ERMAC disguised as Google Chrome.
Beyond that, ERMAC has also been observed disguised as antivirus, banking and media player apps, among others.
The ERMAC story as a whole shows how malware source code leaks can lead not only to the slow disappearance of a malware family but also bring new threat actors into the threat landscape.
Moreover, while ERMAC comes with a couple of new features, it lacks some compelling capabilities such as RAT functionality; it is nevertheless a threat to mobile banking users and financial institutions all over the world.