The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called ERMAC that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research.
“The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays,” ThreatFabric’s CEO Cengiz Han Sahin said in an emailed statement. First campaigns involving ERMAC are believed to have begun in late August under the guise of the Google Chrome app.
Since then, the attacks have expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions like McAfee.
Almost fully based on the notorious banking trojan Cerberus, the Dutch cybersecurity firm’s findings come from forum posts made by an actor named DukeEugene last month on August 17, inviting prospective customers to “rent a new android botnet with wide functionality to a narrow circle of people” for $3,000 a month.
DukeEugene is also known as the actor behind the BlackRock campaign that came to light in July 2020. Featuring an array of data theft capabilities, the infostealer and keylogger originate from another banking strain called Xerxes — which itself is a strain of the LokiBot Android banking Trojan — with the malware’s source code made public by its author around May 2019.
Cerberus, in September 2020, had its own source code released as a free remote access trojan (RAT) on underground hacking forums following a failed auction that sought $100,000 for the developer.
ThreatFabric also highlighted the cessation of fresh BlackRock samples since the emergence of ERMAC, raising the possibility that “DukeEugene switched from using BlackRock in its operations to ERMAC.” Besides sharing similarities with Cerberus, the freshly discovered strain is notable for its use of obfuscation techniques and Blowfish encryption scheme to communicate with the command-and-control server.
ERMAC, like its progenitor and other banking malware, is designed to steal contact information, text messages, open arbitrary applications, and trigger overlay attacks against a multitude of financial apps to swipe login credentials. In addition, it has developed new features that allow the malicious software to clear the cache of a specific application and steal accounts stored on the device.
“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape,” the researchers said. “Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.”