ERMAC V3.0 Banking Trojan Source Code Leak: Unveiling the Full Malware Infrastructure

Cybersecurity researchers have shared insights into the inner workings of a newly discovered Android banking trojan known as ERMAC 3.0. This version significantly enhances the malware’s capabilities by improving form injection and expanding its data theft functionality to target over 700 banking, shopping, and cryptocurrency applications, as reported by Hunt.io.

Originally identified in September 2021 by ThreatFabric, ERMAC was noted for its overlay attacks against a multitude of banking and crypto apps worldwide. It was attributed to a threat actor known as DukeEugene and is considered an evolution of earlier malware families such as Cerberus and BlackRock.

Hunt.io obtained the complete source code of this malware-as-a-service solution, which includes a comprehensive infrastructure with a PHP and Laravel backend, a React-based frontend, and a Golang server for data exfiltration. The various components of the malware infrastructure include:

  • A backend command-and-control (C2) server to manage compromised devices and access sensitive data such as SMS logs and account information.
  • A frontend panel enabling operators to issue commands and manage the data they have stolen.
  • An exfiltration server dedicated to transferring stolen data.
  • An Android backdoor, written in Kotlin, that controls the infected device and gathers sensitive information as directed by commands from the C2 server. Notably, this backdoor avoids infecting devices in the Commonwealth of Independent States (CIS).
  • An ERMAC builder tool for users to customize and create builds for their malicious campaigns.

ERMAC 3.0 introduces a broader array of application targets and new injection techniques, along with enhanced commands that leverage AES-CBC encrypted communications.

The source code leak has also exposed weaknesses in the malware’s own infrastructure, including hardcoded JWT secrets, static admin tokens, factory-default credentials, and unrestricted account registration on the admin panel. Identifying these weaknesses allows security professionals to devise strategies for tracking, detecting, and disrupting ongoing ERMAC operations.
