
Information security specialists from Hunt Intelligence have discovered a leak of the source code of the ERMAC 3.0 Android banking trojan. The researchers also report finding serious weaknesses in the malware operators' own infrastructure.
The ERMAC banking trojan was first described by researchers from ThreatFabric in September 2021. At that time, the specialists examined its ability to carry out overlay attacks against hundreds of banking and cryptocurrency applications worldwide. The creation of the banking trojan is attributed to an individual known by the handle DukeEugene, and the trojan is believed to be an offshoot of the Cerberus and BlackRock malware families.
“The recently discovered version 3.0 shows a significant evolution of the malware and expands its capabilities for form injection and data theft from more than 700 banking, shopping, and cryptocurrency applications,” Hunt Intelligence now writes.

The researchers say that back in March 2024 they obtained the trojan's full source code and were able to examine, from the inside, a live and actively maintained MaaS (Malware-as-a-Service) platform.
The source code was found in an archive named Ermac 3.0.zip, sitting in an openly browsable directory at 141.164.62[.]236:443. The archive contained a PHP and Laravel backend, a React frontend, a Golang exfiltration server, and an Android builder panel.
In their report, the experts describe the role of each component.
Command-and-control (C2) server backend — gives ERMAC operators the ability to manage infected devices and access compromised data, including SMS logs, stolen account credentials, and information about the infected devices.
Front-end panel — lets operators interact with connected devices by issuing commands, managing overlays, and accessing stolen data.
Data exfiltration server — a Golang server used to receive stolen information and keep track of compromised devices.
ERMAC backdoor — Android malware written in Kotlin that lets operators control the infected device and collect sensitive data according to commands received from the C2 server (while checking that the infection does not affect devices in CIS countries).
ERMAC builder — a tool that helps clients configure and create their own builds for malicious campaigns, letting them set the application name, server URL, and other parameters.

The researchers note that, in addition to an expanded set of targeted applications, ERMAC 3.0 introduces new form-injection methods, an updated command-and-control (C2) panel, a new Android backdoor, and C2 communications encrypted with AES-CBC.
“This leak revealed critical weaknesses, including a hardcoded JWT secret and a static admin bearer token, default root credentials, and open registration for accounts in the admin panel,” the researchers say. “By correlating these vulnerabilities with the live ERMAC infrastructure, we provide security professionals with concrete ways to track, detect, and disrupt active operations.”
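The hardcoded JWT secret the researchers list is worth seeing in code, because it is the weakness that turns a source leak into direct access. The block below is an added illustration, not ERMAC's Laravel backend and not Hunt Intelligence's code: the secret value, the claim names, and the `panel_is_admin` guard are hypothetical, and the page does not describe the real panel's JWT library or layout. It models an HS256 panel guard that trusts a secret baked into the source, shows that anyone holding the leaked source can mint an admin token without ever touching registration or login, and contrasts that with loading the secret from the environment, so that a source leak alone no longer confers signing capability.

```python
"""Hypothetical demonstration of why a hardcoded JWT signing secret is a critical
weakness in an admin panel. Added example code, not ERMAC's backend: the secret,
claims, and route guard below are made up for illustration."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed stand-in for a secret committed to the code base. Once the source
# leaks, everyone who reads it can sign tokens the panel will trust.
HARDCODED_SECRET = b"changeme-panel-secret"  # hypothetical value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    Only HS256 is accepted, so an 'alg: none' token cannot slip through,
    and a token without an 'exp' claim is rejected."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        current = now if now is not None else time.time()
        if claims.get("exp", 0) < current:
            return None
        return claims
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


def panel_is_admin(token: str, secret: bytes = HARDCODED_SECRET) -> bool:
    """Models a panel route guard that trusts the JWT's role claim."""
    claims = verify_jwt(token, secret)
    return bool(claims) and claims.get("role") == "admin"


def forge_admin_token(leaked_secret: bytes) -> str:
    """What an attacker does with the leaked secret: mint an admin token
    without using the panel's login or registration flow at all."""
    return sign_jwt(
        {"sub": "attacker", "role": "admin", "exp": int(time.time()) + 3600},
        leaked_secret,
    )


def load_secret_from_env() -> bytes:
    """Hardened pattern: the secret lives outside the code base, so a source
    leak alone does not hand out signing capability. Refuses to start
    without a sufficiently long secret instead of falling back to a default."""
    value = os.environ.get("PANEL_JWT_SECRET")  # hypothetical variable name
    if not value or len(value) < 32:
        raise RuntimeError("PANEL_JWT_SECRET must be set and at least 32 characters")
    return value.encode()


if __name__ == "__main__":
    forged = forge_admin_token(HARDCODED_SECRET)
    print("forged token accepted as admin:", panel_is_admin(forged))
    # Under a secret the attacker never saw, the same token is rejected.
    print("accepted under rotated secret:", panel_is_admin(forged, os.urandom(32)))
```

The same reasoning applies to the static admin bearer token in the researchers' list: a credential that is a constant in the source is, after a leak, a credential everyone has, and the only fix is rotation plus moving it out of the code.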
