According to a new study, the BlackRock mobile malware’s operators are back with a new Android banking trojan, ERMAC. It targets Poland and has roots in the notorious Cerberus malware.
This new malware already has active distribution operations and aims at 378 banking and wallet applications with overlays. The first ERMAC-related campaigns started in late August under the Google Chrome app’s guise.
Since then, the cyberattacks have spread to encompass banking, media players, delivery services, government systems, and antivirus software such as McAfee.
Almost entirely based on the well-known banking trojan Cerberus, potential clients are offered the opportunity to “rent a fresh android botnet with extensive capabilities to a small circle of individuals” for $3,000 per month.
Cerberus’ source code was published as a free remote access trojan (RAT) on underground hacker forums in September 2020, following an unsuccessful auction for $100,000 for the creator.
In addition to sharing commonalities with Cerberus, the newly found strain is remarkable for its obfuscation methods and the Blowfish encryption strategy to connect with the command-and-control server.
Like its forerunner and other banking malware, ERMAC is designed to collect contact information, text messages, open arbitrary programs, and launch overlay assaults on a variety of financial apps to obtain login credentials. It has also created new features that allow the malicious software to erase an application’s cache and steal accounts saved on the device.
The ERMAC case demonstrates yet again how malware source code breaches may result in the slow evaporation of a malware family and the introduction of new threats and players to the threat environment.
Even though it lacks some significant functionalities such as RAT, this malware remains a danger to mobile banking customers and financial organizations worldwide.
“We continue to investigate all found artefacts associated with the code, and will track related activity. But, in the meantime, the best form of defence that users can adopt involves aspects of security hygiene that they should be practicing already across their mobile devices and banking security,” comments Dmitry Galov, Security Researcher at Kaspersky.
