The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator's infrastructure.
The code base was discovered in an open directory by Hunt.io researchers while scanning for exposed resources in March 2024.
They located an archive named Ermac 3.0.zip, which contained the malware’s code, including backend, frontend (panel), exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.
The researchers analyzed the code and found that it significantly expands the targeting capabilities compared to previous versions, covering more than 700 banking, shopping, and cryptocurrency apps.
ERMAC was first documented in September 2021 by ThreatFabric, a provider of online payment fraud solutions and intelligence for the financial services sector, as an evolution of the Cerberus banking trojan operated by a threat actor known as 'BlackRock.'
ERMAC v2.0 was spotted by ESET in May 2022, rented to cybercriminals for a monthly fee of $5,000, and targeting 467 apps, up from 378 in the previous version.
In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.
ERMAC v3.0 capabilities
Hunt.io found and analyzed ERMAC’s PHP command-and-control (C2) backend, React front-end panel, Go-based exfiltration server, Kotlin backdoor, and the builder panel for generating custom trojanized APKs.
According to the researchers, ERMAC v3.0 now targets sensitive user information in more than 700 apps.