Hook vs ERMAC: How the older brother taught the younger one bad manners

Carding

Professional
How are banking Trojans fundamentally different and why is this important?

Recent cybersecurity research has revealed that a new banking Trojan for Android called Hook is based on another once-famous ERMAC Trojan. Experts from the NCC Group, Joshua Camp and Alberto Segura, published a technical analysis in which they claim that the ERMAC source code was used as the basis for Hook.

Hook was first recorded by ThreatFabric researchers in January 2023, when it was distributed under the MaaS model at a price of $7,000 per month. Hook is the creation of a malware author known on cybercrime forums as DukeEugene, who is apparently also the developer of ERMAC.

The Hook Trojan not only copies ERMAC's functions but also significantly expands on them, supporting up to 38 additional commands. The core functions of ERMAC, and therefore of Hook as well, include sending SMS, displaying phishing windows, extracting the list of installed applications, and stealing the seed phrases used to restore cryptocurrency wallets.

Hook goes even further, allowing the operator to stream the victim's screen and interact with the user interface, giving full control over the device. The Trojan can also steal cookies associated with Google logins and exfiltrate them via SMS.

Despite their differences, both Trojans can log keystrokes and abuse Android accessibility services to carry out attacks aimed at stealing credentials from more than 700 apps. The list of target apps is downloaded from a remote server.

On April 19, 2023, the Hook project appears to have stopped being maintained by its original author, and on May 11 the malware's source code was sold for $70,000 on one of the underground forums. Hook has probably continued to be developed by other developers, perhaps even under a different name.

Most of the Hook and ERMAC C2 servers, according to the researchers, were located in Russia, the Netherlands, the United Kingdom, the United States, Germany, France, Korea, and Japan.

The end of the Hook project does not mean the threat disappears. The cybersecurity landscape is constantly changing, and new criminal groups can easily revive or modify existing malware.

That is why researchers and cybersecurity specialists need to stay constantly on guard and keep updating their security measures to resist evolving attack methods.
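Since both Hook and ERMAC depend on abusing Android accessibility services, one practical triage step for a defender is to check which accessibility services are actually enabled on a device and flag any that are not on an expected list. The script below is an added example and is not code from this post, from NCC Group, or from ThreatFabric. It parses the value of the `enabled_accessibility_services` secure setting (the string returned by `adb shell settings get secure enabled_accessibility_services`, which is `null` when unset and otherwise colon-separated `package/class` component names). The allowlist and the sample setting value, including the `com.example.sideloaded` package, are constructed for this example.

```python
"""Flag unexpected Android accessibility services from the enabled_accessibility_services setting.

Added defensive example; not code from the post or from the researchers it cites.
The setting value is what `adb shell settings get secure enabled_accessibility_services`
prints: component names (package/class) separated by colons, or "null" when unset.
The allowlist and the sample value below are constructed assumptions.
"""
from __future__ import annotations

# Assumed allowlist: packages whose accessibility services are expected on managed devices.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of the setting: a legitimate screen reader plus a sideloaded app.
# "com.example.sideloaded" is a placeholder name, not a real malware identifier.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.OverlayService"
)


def parse_enabled_services(setting: str | None) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, class) pairs.

    A relative class name such as ".OverlayService" is expanded with its package,
    matching how Android resolves component names. An empty or "null" value
    (setting not present) yields an empty list.
    """
    if not setting or setting.strip() == "null":
        return []
    services: list[tuple[str, str]] = []
    for component in setting.split(":"):
        component = component.strip()
        if not component:
            continue
        package, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = package + cls
        services.append((package, cls))
    return services


def find_unexpected_services(setting: str | None, allowed_packages=ALLOWED_PACKAGES) -> list[str]:
    """Return fully qualified component names whose package is not on the allowlist."""
    return [
        f"{package}/{cls}"
        for package, cls in parse_enabled_services(setting)
        if package not in allowed_packages
    ]


if __name__ == "__main__":
    # On a real device, replace SAMPLE_SETTING with the adb output captured above.
    for component in find_unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", component)
```

An unexpected entry is only a lead, not proof of infection: the next step is to look at the package behind it (install source, requested permissions, whether it draws overlays), since a legitimate but unlisted assistive app will trip the same check.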