The ERMAC Malware
A new Android banking trojan known as ERMAC, which targets Poland and has roots in the notorious Cerberus malware, has been discovered by ThreatFabric researchers and described in a recent report.
According to the available information, the new malware is already being actively distributed and targets 378 banking and wallet applications with overlays. The first ERMAC-based campaigns are said to have started in the last week of August, using the Google Chrome app as a cover.
There has been an increase in the number of targeted attacks against different types of applications since then, including banking apps, government apps, antivirus solutions, media players and more.
A forum post published by an actor called DukeEugene on August 17 drew the researchers' attention. In the post, the malicious actor encourages potential clients to rent a new, highly featured Android botnet, almost entirely based on the well-known banking malware Cerberus, for $3,000 a month. It is worth mentioning that DukeEugene is also recognized as the actor behind the BlackRock malware campaign that first surfaced in July 2020.
Beyond its parallels with Cerberus, the newly found strain is noteworthy for its use of obfuscation methods and a Blowfish encryption scheme for communication with its command-and-control server.
Just like its predecessor and other banking malware, ERMAC steals login credentials for a variety of financial apps and also harvests contact information and text messages. The malware additionally launches overlay attacks and opens arbitrary applications. Newer features of the threat also let the malicious software erase an app's cache and steal accounts from the compromised device.
It should be noted that since the introduction of ERMAC, new BlackRock samples have stopped emerging, which, according to ThreatFabric, suggests that DukeEugene has shifted its operations from BlackRock to ERMAC.