The first campaigns using ERMAC, which was developed by the same group that created the BlackRock mobile malware, are thought to have started in late August under cover of the Google Chrome app, according to ThreatFabric CEO Cengiz Han Sahin, who said in an emailed statement that banking apps, media players, delivery services, government applications, and antivirus solutions such as McAfee have all been found to be targeted by the attacks.

Forum posts reveal findings

Notably, the findings of the Dutch cybersecurity firm, which show the malware is almost entirely based on the notorious banking trojan Cerberus, come from forum posts made by an actor named DukeEugene last month on August 17. DukeEugene invited prospective customers: In particular, DukeEugene is well known as the actor behind the BlackRock campaign, which emerged in July 2020. That information stealer and keylogger is derived from another banking strain, Xerxes, a LokiBot-based Android banking Trojan. Notably, the source code was made public by the malware's creator in May of this year, and it is among the most sophisticated data theft tools ever developed.

A threat for mobile and financial institutions

Interestingly, ThreatFabric also noted the absence of new BlackRock samples after the advent of ERMAC, suggesting that "DukeEugene switched from using BlackRock to ERMAC." Like Cerberus, the newly found strain uses obfuscation and Blowfish encryption to communicate with its command-and-control server. The Dutch researchers said of ERMAC: to acquire login credentials, ERMAC uses overlay attacks against various financial apps. It has also gained new capabilities to clear an app's cache and steal accounts saved on the device.