According to a new study, the BlackRock mobile malware’s operators are back with a new Android banking trojan, ERMAC. It targets Poland and has roots in the notorious Cerberus malware.This new malware already has active distribution operations and aims at 378 banking and wallet applications with overlays. The first ERMAC-related campaigns started in late August under the Google Chrome app’s guise.
Cerberus’ source code was published as a free remote access trojan (RAT) on underground hacker forums in September 2020, following an unsuccessful auction for $100,000 for the creator. In addition to sharing commonalities with Cerberus, the newly found strain is remarkable for its obfuscation methods and the Blowfish encryption strategy to connect with the command-and-control server.
Like its forerunner and other banking malware, ERMAC is designed to collect contact information, text messages, open arbitrary programs, and launch overlay assaults on a variety of financial apps to obtain login credentials. It has also created new features that allow the malicious software to erase an application’s cache and steal accounts saved on the device.
The ERMAC case demonstrates yet again how malware source code breaches may result in the slow evaporation of a malware family and the introduction of new threats and players to the threat environment. Even though it lacks some significant functionalities such as RAT, this malware remains a danger to mobile banking customers and financial organizations worldwide.
Dmitry Galov, Security Researcher at Kaspersky says, we continue to investigate all found artefacts associated with the code, and will track related activity. But, in the meantime, the best form of defence that users can adopt involves aspects of security hygiene that they should be practicing already across their mobile devices and banking security.