Article Details

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure. Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure. "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it's assessed to be an evolution of Cerberus and BlackRock. Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations. Hunt.io said it managed to obtain the complete source code associated with the malware-as-a-service (MaaS) offering from an open directory on 141.164.62[.]236:443, right down to its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel. The functions of each of the components are listed below - Besides an expanded set of app targets, ERMAC 3.0 adds new form injection methods, an overhauled command-and-control (C2) panel, a new Android backdoor, and AES-CBC encrypted communications. "The leak revealed critical weaknesses, such as a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel," the company said. "By correlating these flaws with live ERMAC infrastructure, we provide defenders with concrete ways to track, detect, and disrupt active operations."