
ERMAC V3.0 Banking Trojan source code reveals complete malware infrastructure

Cybersecurity researchers have unveiled the intricate workings of an Android banking trojan known as ERMAC 3.0, highlighting significant vulnerabilities within the operators’ infrastructure. The latest version of this malware has evolved considerably, enhancing its form injection and data theft capabilities to target over 700 banking, shopping, and cryptocurrency applications, as reported by Hunt.io. Initially documented by ThreatFabric in September 2021, ERMAC is linked to the threat actor DukeEugene and is considered an advancement of the Cerberus and BlackRock malware families. Hunt.io successfully accessed the complete source code of this malware-as-a-service (MaaS) offering, revealing its PHP and Laravel backend, React-based frontend, Golang exfiltration server, and Android builder panel.

The components of ERMAC 3.0 include a Backend Command-and-Control (C2) server for managing victim devices, a Frontend panel for operator interaction, and an Exfiltration server for data theft. The ERMAC backdoor, written in Kotlin, allows control over compromised devices while avoiding infections in Commonwealth of Independent States (CIS) nations. Additionally, the malware introduces new form injection methods, an upgraded C2 panel, and AES-CBC encrypted communications. The leak exposed critical weaknesses, such as a hardcoded JWT secret and static admin bearer token, which provide defenders with actionable insights to track, detect, and disrupt ongoing operations. 
