[MART] - Daily Diary #357 - Meet ERMAC, Another Cerberus Variant

CTAS-MAT ctas-mat at appgate.com
Tue Sep 28 21:05:07 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

09/28/2021 - Diary entry #357

This week a new Android trojan, named ERMAC, was disclosed. First seen in July this year, ERMAC is a banking botnet. It has been found targeting 378 banking and wallet apps, and it is operated by the same group behind BlackRock, which we covered in our Daily Diaries #227 and #75.

ERMAC is based on the source code of Cerberus, covered in our Daily Diaries #12 and #68. In late 2020, that source code was found leaked on underground hacking forums. Cerberus already had the capability to remotely control the device, take screenshots, record audio, intercept SMS, collect device information, and much more by installing and executing other apps received from the C2 server. ERMAC adds further obfuscation on top of Cerberus and implements a new encryption scheme for its strings and for its communication with the C2 server.

ERMAC is not the first Cerberus variant found in the wild. In our Daily Diary #121 we covered Alien, which targets more than 200 different apps. This incident shows the danger of malware source code being publicly released online: although it makes it easier for security researchers to understand the threat and develop defenses, it also makes it easier for cybercriminals to quickly modify it and release their own threat. In our Daily Diaries #347, #345 and #196, we covered Allakore, an open-source malware used as a base for most LATAM malware families. With more people using their mobile devices for financial transactions, it is only natural that cybercriminals look for easy ways to build Android malware, and the Cerberus source code is a convenient starting point.

Kind Regards,


Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com
O: +55 19 98840 2509
