Teacher
Professional
ThreatFabric specialists spoke about the new ERMAC Trojan, which so far attacks only Polish users, but is aimed at 378 banking and wallet applications.
The researchers write that ERMAC is based on the source code of the well-known Cerberus malware and is managed by the group behind the BlackRock malware. In addition to the common features with Cerberus, the new malware is distinguished by the use of obfuscation and Blowfish encryption for communication with the control server.
It is believed that the first attacks using ERMAC began at the end of August 2021, and then the malware was disguised as a Google Chrome application. Researchers have also seen ERMAC disguised as antivirus, banking, and multimedia applications, as well as delivery service applications, and many others.
ERMAC was first mentioned on a hacking forum in the summer of this year. There, someone under the nickname DukeEugene offered potential customers the chance to "rent a new botnet for Android with extensive functionality" for $3,000 a month.
DukeEugene is one of the creators of BlackRock, a malware that ThreatFabric experts described last year. This data-stealing malware combined the functions of an infostealer and a keylogger, and was built on the basis of another banking Trojan, Xerxes (which, in turn, is a derivative of LokiBot for Android, whose source code was made publicly available in May 2019).
Experts note that they have not seen fresh samples of BlackRock for a long time, but ERMAC has appeared. That is, probably "DukeEugene switched from using BlackRock to ERMAC".
ERMAC, like other banking Trojans, is designed to steal contact information and text messages, open custom applications, and display overlays on top of a variety of financial applications in order to capture credentials. In addition, it has a number of new features that, for example, allow it to clear the cache of certain applications and steal accounts stored on the device.
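The capabilities listed above (SMS and contact theft, overlays on top of banking apps, impersonation of a legitimate app such as Google Chrome) all leave traces in an APK's manifest. The following is an added triage example written for this post; it is not code from ThreatFabric or from the article, and the permission-to-capability mapping is a standard Android assumption rather than something taken from the ERMAC report. It parses a constructed `AndroidManifest.xml`, reports which of the described capabilities the declared permissions would enable, and flags a mismatch between a well-known app label and the package name that actually ships it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumption: these are the standard Android permissions a banker needs for
# each capability described in the article; the mapping is not from the report.
CAPABILITY_PERMISSIONS = {
    "sms theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact theft": {"android.permission.READ_CONTACTS"},
    "overlay attacks": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "account theft": {"android.permission.GET_ACCOUNTS"},
}

# Labels that bankers commonly impersonate, mapped to the genuine package name
# (constructed, deliberately short list).
KNOWN_PACKAGES = {
    "google chrome": "com.android.chrome",
    "chrome": "com.android.chrome",
}

# Constructed sample manifests: one that looks like a banker posing as Chrome,
# one for a benign app that only needs network access.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.updater">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Chrome">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def declared_permissions(root):
    """Collect uses-permission names plus permissions guarding declared services.

    BIND_ACCESSIBILITY_SERVICE is not requested via uses-permission; it appears
    as android:permission on the <service> element, so both sources are read.
    """
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms |= {el.get(PERMISSION_ATTR) for el in root.iter("service")}
    perms.discard(None)
    return perms


def triage(manifest_xml):
    """Return a dict describing enabled capabilities and impersonation risk."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = (app.get(LABEL_ATTR, "") if app is not None else "")
    perms = declared_permissions(root)

    # A capability is flagged when any of its enabling permissions is present.
    capabilities = sorted(
        cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed
    )

    # Labels given as resource references (@string/...) cannot be checked here.
    expected = KNOWN_PACKAGES.get(label.strip().lower()) if not label.startswith("@") else None
    impersonation = expected is not None and package != expected

    # Simple additive score: each capability counts one, impersonation counts two.
    score = len(capabilities) + (2 if impersonation else 0)
    return {
        "package": package,
        "label": label,
        "capabilities": capabilities,
        "impersonation": impersonation,
        "score": score,
    }


if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

A real pipeline would feed this from `aapt dump xmltree` or `apktool` output rather than a hand-written manifest, and would treat the score as a triage hint to prioritise sandbox analysis, not as a verdict: legitimate SMS or accessibility apps request some of these permissions too.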
"The ERMAC story once again proves how malware source code leaks can lead not only to the slow disappearance of these malware families, but also to the emergence of new threats and intruders," the experts conclude.