
ERMAC, The Malware Capable Of Stealing From Hundreds Of Banking And Wallet Apps

Financial data is valuable, not only because it is sensitive, but because it also grants access to money.

This is why threat actors prize this kind of data, and why they are always seeking ways to obtain it, whatever the cost. This time, researchers at ThreatFabric found a forum post advertising an Android banking trojan called ERMAC that targets people in Poland.

According to the cybersecurity company's research, the malware is based on the well-known banking trojan Cerberus.

Besides sharing similarities with Cerberus, ERMAC adds capabilities of its own, such as obfuscation techniques and an encryption scheme for communicating with its command-and-control server.

Behind ERMAC is the creator of the BlackRock malware.

"Android botnet ERMAC. I will rent a new android botnet with wide functionality to a narrow circle of people (10 people). 3k$ per month. Details in PM," wrote a person named "DukeEugene", who is none other than a known BlackRock operator.

"The new trojan already has active distribution campaigns and is targeting 378 banking and wallet Apps with overlays," said ThreatFabric's CEO Cengiz Han Sahin.

What began as attacks disguised as the Google Chrome app has since expanded to impersonate a range of other apps.

These apps include banking, media players, delivery services, government apps, as well as antivirus solutions like McAfee.

It's worth noting that Cerberus, the base from which ERMAC was built, had its own source code released for free as a Remote Access Trojan (RAT) on underground hacking forums in 2020, after an auction seeking $100,000 for the malware failed.

ThreatFabric also noted that BlackRock activity has tailed off since the emergence of ERMAC.

This suggests that the threat actor DukeEugene is shifting operations from BlackRock to ERMAC.

The login page for ERMAC's control panel. (Credit: ThreatFabric)

"We believe that DukeEugene switched from using BlackRock in its operations to ERMAC, as we no longer saw fresh BlackRock samples since the first mentions of ERMAC. One of the reasons behind it could be that BlackRock was discredited," wrote ThreatFabric in its blog post.

As a banking malware, ERMAC, whose name is borrowed from a Mortal Kombat character, is designed to steal contact information and text messages, open arbitrary apps, and trigger overlay attacks against a number of financial apps to steal login credentials.

"The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape," the researchers said. "Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world."

Published: 28/09/2021
Tags: News, Android, Malware, Research


This post first appeared on Eyerys | Eyes For Solution, please read the original post: here
