ERMAC Android Malware Source Code Leak Reveals Banking Trojan Infrastructure
The source code for version 3 of the ERMAC Android banking trojan has been leaked online, revealing the inner workings of the malware-as-a-service platform and its operator’s infrastructure. Researchers from Hunt.io discovered the code base in an open directory while scanning for exposed resources in March 2024. They found an archive named Ermac 3.0.zip, which included the malware’s backend, frontend panel, exfiltration server, deployment configurations, and the trojan’s builder and obfuscator. The analysis indicated that ERMAC v3.0 significantly expanded its targeting capabilities, now encompassing over 700 banking, shopping, and cryptocurrency applications. Initially documented by ThreatFabric in September 2021, ERMAC is an evolution of the Cerberus banking trojan, operated by a threat actor known as BlackRock.
Hunt.io researchers examined the leaked components, including the PHP command-and-control (C2) backend, the React front-end panel, the Go-based exfiltration server, the Kotlin backdoor, and the builder panel used to generate custom trojanised APKs, and found that ERMAC v3.0 boasts enhanced capabilities. The latest version targets sensitive user information across more than 700 applications. It also improves upon previously documented form-injection techniques, uses AES-CBC to encrypt its C2 communications, and features an upgraded operator panel.
Specific capabilities include theft of SMS messages, contacts, and registered accounts; extraction of Gmail subjects and messages; file access via list and download commands; and the ability to send SMS and forward calls for communication abuse. It can also capture photos via the front camera, manage installed apps, and display fake push notifications to deceive the victim.
Hunt.io analysts identified exposed infrastructure used by the threat actors, including C2 endpoints and panels. The ERMAC operators exhibited significant operational security failures, such as hardcoded JWT tokens and default root credentials, which compromised the security of their own admin panel.
Categories: Malware Development, Cybersecurity Threats, Data Theft Techniques
Tags: ERMAC, Android, Trojan, Malware, Banking, Exfiltration, Command-and-Control, Infrastructure, Data Theft, Obfuscator