Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, highlighting serious shortcomings in the operators' infrastructure.
Hunt.io said in a report, "The newly leaked version 3.0 reveals a significant evolution of the malware, extending its form injection and data theft capabilities to target more than 700 banking, shopping and cryptocurrency applications."
ERMAC was first documented by ThreatFabric in September 2021, which described its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps worldwide. Attributed to a threat actor named DukeEugene, it is assessed to be an evolution of Cerberus and BlackRock.
Other commonly observed malware families – Hook (ERMAC 2.0), Pegasus and Loot – are descendants of a common lineage, with ERMAC as the ancestor whose source code components have been passed down and modified across generations.
Hunt.io said the leaked code base, found at [.]236:443, comprises the PHP and Laravel backend, the React-based frontend, the Golang exfiltration server and the Android builder panel.
The functions of each component are listed below –
- Backend C2 server – gives operators the ability to manage infected devices and access compromised data, such as SMS logs, stolen accounts and device information
- Frontend panel – allows operators to issue commands, manage overlays, interact with connected devices and access stolen data
- Exfiltration server – a Golang server used to exfiltrate stolen data and manage information related to compromised devices
- ERMAC backdoor – an Android implant written in Kotlin that provides the ability to control the compromised device and collect sensitive data based on commands received from the C2 server, while avoiding infection of devices located in Commonwealth of Independent States (CIS) nations
- ERMAC builder – a tool that lets customers set the application name, server URL and other settings for the Android backdoor, helping them configure and build the malware for their campaigns
In addition to an expanded set of app targets, ERMAC 3.0 introduces new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor and AES-CBC encrypted communications.
"The leak revealed significant weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel," the company said. "By correlating these flaws with live ERMAC infrastructure, we provide defenders with a solid basis to track, detect and disrupt active operations."