A new mobile banking Trojan has just surfaced. Called ERMAC, the malware appears to have been created by the BlackRock cybercriminals and is built on the code of the infamous Cerberus.
“If we investigate ERMAC, we can find out that ERMAC is a code-wise inheritor of a well-known malware Cerberus. It uses almost identical data structures when communicating with the C2, it uses the same string data, et cetera,” said ThreatFabric. The researchers’ first impression was that the new Trojan is another variant of Cerberus. Despite having a different name and using different obfuscation techniques and a new string encryption, ERMAC is another Cerberus-based trojan, the researchers discovered.
ERMAC Android Trojan: Overview
The difference from the original Cerberus is that ERMAC uses another encryption scheme when communicating with the command-and-control server. The data is encrypted with AES-128-CBC and prepended with a double word containing the length of the encoded data, the report said.
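To make the framing concrete, here is an added example (not code from ThreatFabric or from the malware) of how an analyst with a recovered key would rebuild such a length-prefixed, AES-128-CBC stream from a traffic capture. The report only says "double word" and "length of the encoded data", so the little-endian byte order, the PKCS#7 padding, the fixed IV and the sample key, IV and messages are all assumptions constructed for this example; the decoder also handles the two failure modes a capture usually presents, a stream cut mid-frame and a frame whose length is not block-aligned.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed layout: 4-byte little-endian length, then that many bytes of
// AES-128-CBC ciphertext padded with PKCS#7 (endianness and padding are
// assumptions; the report gives neither).
const lenPrefix = 4

var (
	errTruncated  = errors.New("frame truncated: need more bytes")
	errBlockAlign = errors.New("ciphertext length is not a multiple of the AES block size")
	errPadding    = errors.New("invalid PKCS#7 padding")
)

// pkcs7Pad pads data to a whole number of AES blocks.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding and rejects malformed trailers.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errPadding
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errPadding
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errPadding
		}
	}
	return data[:len(data)-n], nil
}

// EncodeFrame builds one length-prefixed AES-128-CBC frame (16-byte key).
func EncodeFrame(plaintext, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := make([]byte, lenPrefix+len(ct))
	binary.LittleEndian.PutUint32(out, uint32(len(ct)))
	copy(out[lenPrefix:], ct)
	return out, nil
}

// DecodeFrames walks a captured byte stream and returns the plaintext of
// every complete frame plus the unconsumed tail if the stream ends mid-frame.
func DecodeFrames(stream, key, iv []byte) ([][]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	var msgs [][]byte
	for len(stream) > 0 {
		if len(stream) < lenPrefix {
			return msgs, stream, errTruncated
		}
		n := int(binary.LittleEndian.Uint32(stream))
		if n%aes.BlockSize != 0 {
			return msgs, stream, errBlockAlign
		}
		if len(stream)-lenPrefix < n {
			return msgs, stream, errTruncated
		}
		pt := make([]byte, n)
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, stream[lenPrefix:lenPrefix+n])
		msg, err := pkcs7Unpad(pt)
		if err != nil {
			return msgs, stream, err
		}
		msgs = append(msgs, msg)
		stream = stream[lenPrefix+n:]
	}
	return msgs, nil, nil
}

func main() {
	// Constructed sample key, IV and messages for the demo; not values from the report.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	var stream []byte
	for _, m := range []string{"ping", "device_info:constructed-sample"} {
		f, err := EncodeFrame([]byte(m), key, iv)
		if err != nil {
			panic(err)
		}
		stream = append(stream, f...)
	}
	msgs, _, err := DecodeFrames(stream, key, iv)
	fmt.Printf("complete capture: %d messages, err=%v\n", len(msgs), err)
	for _, m := range msgs {
		fmt.Printf("  %q\n", m)
	}
	// Cut the capture mid-frame to exercise the truncation path.
	msgs, rest, err := DecodeFrames(stream[:len(stream)-5], key, iv)
	fmt.Printf("truncated capture: %d messages, %d leftover bytes, err=%v\n", len(msgs), len(rest), err)
}
```

Because the decoder returns the unconsumed tail on truncation, the same function can be fed successive TCP segments by prepending the leftover bytes to the next chunk, which is how a stream reassembler would drive it.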
A definite connection with the BlackRock malware operators is the use of the same command-and-control IP address.
It is noteworthy that, despite being new, the trojan is already distributed in active campaigns and targets 378 banking and wallet apps with overlays. The first campaigns were most likely initiated in late August 2021. The attacks have since expanded to many categories of apps, including banking, media players, government apps, and antivirus solutions.
According to the Dutch cybersecurity company, they first noticed the trojan in forum posts by a threat actor called DukeEugene. The actor was advertising the new Android botnet to prospective customers for $3,000 a month. The same threat actor was behind the BlackRock campaign from last year.
“We believe that DukeEugene switched from using BlackRock in its operations to ERMAC, as we no longer saw fresh BlackRock samples since the first mentions of ERMAC. One of the reasons behind it could be that BlackRock was discredited: DukeEugene claimed on the forum that one of the buyers who got their bot for test began to scam people advertising it as a new Amplebot banking trojan. The name was taken from BlackRock’s admin panel, which was built using the AmpleAdmin template, and the actors didn’t change the logo and the name,” the report noted.
Cerberus and BlackRock
Last summer, Cerberus was put on auction by its developers with a starting price of $50,000 USD. Most deals actually closed at $100,000 USD, double the starting price.
Cerberus was a very popular malware-as-a-service example which became well-known in August 2019, when it was detected in a live campaign. The analysis at the time didn’t show any source code snippets from other famous threats. It looked like a very formidable threat, used to take control of many devices. The Android Trojan included all the features and functionality expected of malware in this category.
As for the BlackRock malware, it was believed to be derived from the code of Xerxes, an upgraded version of LokiBot, which for many years was one of the most dangerous examples of Android malware.
“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape. Being built on Cerberus basement, ERMAC introduces a couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world,” ThreatFabric concluded.