ThreatFabric experts have described the new ERMAC Trojan, which so far has only been seen attacking Polish users but targets 378 banking and wallet applications.
The researchers write that ERMAC is based on the source code of the well-known malware Cerberus and is controlled by the group behind the BlackRock malware. In addition to similarities with Cerberus, the new malware uses Blowfish obfuscation and encryption to communicate with the C&C server.
It is believed that the first attacks using ERMAC began at the end of August 2021, and then the malware was disguised as the Google Chrome application. Researchers have also witnessed how ERMAC masquerades as antivirus, banking and multimedia applications, as well as delivery service applications and many others.
The first mention of ERMAC appeared on a hacking forum this summer, when someone under the nickname DukeEugene offered potential customers the chance to “rent a new robust Android botnet” for $3,000 a month.
DukeEugene is one of the creators of BlackRock, which ThreatFabric experts talked about last year. This malware, designed to steal data, combined the functions of an info-stealer and a keylogger and was created on the basis of another banking Trojan, Xerxes (which, in turn, is a derivative of LokiBot for Android, whose source code was released to the public in May 2019).
Experts note that they have not seen fresh BlackRock samples for a long time, while ERMAC has appeared in that period; they conclude that it is likely that “DukeEugene switched from BlackRock to ERMAC.”
ERMAC, like other bankers, is designed to steal contact information and text messages, open arbitrary applications, and launch overlays over many financial applications in order to obtain credentials. In addition, it has a number of new features that, for example, allow it to clear the cache of certain applications and steal accounts stored on the device.
“The history of ERMAC proves once again how leaks of the source code of malicious programs can lead not only to the slow disappearance of these malware families but also to the emergence of new threats and cybercriminals,” conclude the experts.