ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
Briefly

ERMAC 3.0 represents a significant evolution in Android banking trojan capabilities, targeting over 700 banking, shopping, and cryptocurrency applications. Initially documented by ThreatFabric in 2021, it has been tied to the threat actor DukeEugene, with connections to past malware generations. Researchers obtained the complete source code from an open directory, detailing its architecture, which includes a backend C2 server for device management, a frontend for operator interaction, an exfiltration server in Golang, and an Android implant capable of device control and data collection while maintaining specific infection restrictions.
The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications.
Hunt.io said it managed to obtain the complete source code associated with the malware-as-a-service (MaaS) offering from an open directory on 141.164.62[.]236:443, right down to its PHP and Laravel backend.
The functions of each component are listed below: the backend C2 server provides operators the ability to manage victim devices and access compromised data.
ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world.
Read at The Hacker News