BlackRock mobile malware operators have resurfaced with a new Android banking trojan called ERMAC targeting Poland with roots in the well known Cerberus malware, according to the latest research.
“The new trojan has active distribution campaigns targeting 378 banking and wallet apps with overlays,” Cengiz Han Sahin the ThreatFabric’s CEO said in an emailed statement. Campaigns involving ERMAC is believed to have begun in late August under the guise of the Google Chrome app.
Since then, the attacks have expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions like McAfee.
Partially based on the notorious banking trojan Cerberus, the Dutch cybersecurity firm’s findings are premised on forum posts made by an actor named DukeEugene last month on August 17, inviting prospective customers to “rent a new android botnet with wide functionality to a narrow circle of people” for $3,000 a month.
DukeEugene is also known as the actor behind the BlackRock campaign that came to light in July 2020. With an array of data theft capabilities, the infostealer and keylogger emanates from another banking strain called Xerxes — which itself is a strain of the LokiBot Android banking Trojan — with the malware’s source code made public by its author around May 2019.
Cerberus had released its own source code released in September 2020 as a free remote access trojan (RAT) on underground hacking forums following a failed auction that sought $100,000 for the developer.
ThreatFabric also highlighted the cessation of fresh BlackRock samples since the emergence of ERMAC, raising the possibility that “DukeEugene switched from using BlackRock in its operations to ERMAC.” Besides sharing similarities with Cerberus, the freshly discovered strain is notable for its use of obfuscation techniques and Blowfish encryption scheme to communicate with the command-and-control server.
ERMAC, like other banking malware, is designed to steal contact information, text messages, open arbitrary applications, and trigger overlay attacks against a large number of financial apps to swipe login credentials. In addition it has come with a new features that allows the malicious software to clear the cache of a specific application and steal accounts stored on the device.
“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape,” the researchers said. “Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.”