࿗ 𝕯𝖚𝖐𝖊 𝕰𝖚𝖌𝖊𝖓𝖊 ࿗

Forum staff



ERMAC - another Cerberus reborn

September 2021


On July 23 a forum post appeared regarding a new Android banking trojan. The attached screenshots show that it is named ERMAC. Our investigation shows that ERMAC is almost fully based on the well-known banking trojan Cerberus, and is being operated by BlackRock actor(s).


On August 17, a forum member named “ermac” invited anyone interested in this topic to send a PM to make a deal. The user registered just the day before and posted a similar advertisement in his profile. Interestingly enough, the topic starter said that he found the contact 4 days earlier. On the same day, another forum member, “DukeEugene”, posted a message in his account:

“Android botnet ERMAC. I will rent a new android botnet with wide functionality to a narrow circle of people (10 people). 3k$ per month. Details in PM.”

DukeEugene is known as an actor behind the BlackRock banking trojan that we discovered in 2020. DukeEugene claimed to be one of the actors shortly after we published our discovery.
We believe that DukeEugene switched from BlackRock to ERMAC in their operations, as we have not seen fresh BlackRock samples since the first mentions of ERMAC. One of the reasons could be that BlackRock was discredited: DukeEugene claimed on the forum that one of the buyers who got the bot for testing began to scam people by advertising it as a new "Amplebot" banking trojan. That name was taken from BlackRock's admin panel, which was built using the AmpleAdmin template, and the actors did not change the logo or the name.
To summarize a story full of twists: a new banking malware called ERMAC has appeared on the threat landscape. But is it really new?

You can't escape Cerberus

Investigating ERMAC shows that, code-wise, it inherits from the well-known Cerberus malware: it uses almost identical data structures when communicating with the C2, the same string data, and so on.

When we first encountered ERMAC samples, we thought it was just another variant of Cerberus, since the Cerberus code has been leaked several times and many actors try to build their own malware on top of its sources. However, the admin panel login page clearly states that this is ERMAC indeed.
Despite the use of different obfuscation techniques and a new method of string encryption (the Blowfish algorithm), we can state with confidence that ERMAC is another Cerberus-based trojan.

Compared to the original Cerberus, ERMAC uses a different encryption scheme for communication with the C2: the data is encrypted with AES-128-CBC and prepended with a double word (4 bytes) containing the length of the encoded data.
A further point supporting the connection between the BlackRock and ERMAC actor(s): both BlackRock and ERMAC are known to use IP addresses in the 185.215.113.* range as their C2.
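As an added example (not code from the ThreatFabric post or from ERMAC itself), here is an analyst-side framer and parser for the C2 message layout described above: a 4-byte length dword followed by the AES-128-CBC ciphertext. The little-endian byte order of the length field, PKCS#7 padding, and the placeholder key and IV are assumptions; a real decoder substitutes the key and IV recovered from the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed placeholder key/IV (not values from the post); a real analysis
// substitutes the key and IV recovered from the sample.
var demoKey = []byte("0123456789abcdef")
var demoIV = []byte("fedcba9876543210")

// pkcs7Unpad strips PKCS#7 padding; the padding scheme is an assumption here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// FrameMessage builds an ERMAC-style C2 message: AES-128-CBC ciphertext
// prefixed with a 4-byte length dword (little-endian is assumed).
func FrameMessage(plain, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, 4+len(padded))
	binary.LittleEndian.PutUint32(out, uint32(len(padded)))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[4:], padded)
	return out, nil
}

// ParseFrame checks the declared length against the bytes actually present
// before decrypting, so a truncated or corrupted capture is rejected cleanly.
func ParseFrame(frame, key, iv []byte) ([]byte, error) {
	if len(frame) < 4 {
		return nil, errors.New("frame shorter than length prefix")
	}
	ct := frame[4:]
	if n := binary.LittleEndian.Uint32(frame); int(n) != len(ct) || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad frame: %d bytes declared, %d present (must match and be block aligned)", n, len(ct))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}
```

Feed ParseFrame the bytes of a captured POST body together with the recovered key and IV; a frame whose declared length disagrees with the bytes present is refused rather than decrypted into garbage.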

Commands list

The commands ERMAC receives and processes are almost identical to the latest Cerberus commands. Two commands have been added: one that opens the details of a specified application (to clear its cache) and one that steals device accounts (the two new commands are the last two in the list).

push: Shows a push notification (clicking the notification launches the specified app)
startAuthenticator2: Launches the Google Authenticator application
startAdmin: Triggers a request for admin privileges
startApp: Starts the specified application
getInstallApps: Gets the list of applications installed on the device
getContacts: Gets the contact names and phone numbers from the address book of the infected device
deleteApplication: Triggers the removal of the specified application
forwardCall: Enables call forwarding to the specified number
sendSms: Sends a text message with the specified text from the infected device to the specified phone number
SendSMSALL: Sends text messages with the specified text from the infected device to all contacts of the infected device
startInject: Triggers the overlay attack against the specified application
startUssd: Executes the specified USSD code
openUrl: Opens the specified URL in the WebView
getSMS: Gets all text messages from the infected device
killMe: Triggers the kill switch for the bot
updateModule: Updates the payload module
updateInjectAndListApps: Triggers an update of the target list
clearCash/clearCashe: Triggers opening of the specified application's details (new)
getAccounts/logAccounts: Triggers stealing of the list of accounts on the device (new)


We were able to identify several campaigns with ERMAC involved. The first major campaign started in late August where ERMAC was masquerading as Google Chrome. We have also seen ERMAC masquerading as antivirus, banking, and media player apps.

At the time of writing this blog, we see ERMAC targeting Poland and being distributed under the guise of delivery service and government applications (special thanks to [link]).


The story of ERMAC shows once more how malware source code leaks can lead not only to the slow evaporation of a malware family but also bring new threats and actors to the threat landscape. Built on the Cerberus code base, ERMAC introduces a couple of new features. Although it lacks some powerful capabilities such as RAT functionality, it remains a threat to mobile banking users and financial institutions all over the world.

How we help our customers

ThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this unique knowledge to detect fraud-by-malware on the mobile devices of customers in real-time.

Together with our customers and partners, we are building an easy-to-access information system to tackle the ever growing threat of mobile malware targeting the financial sector. We especially like to thank the Cyber Defence Alliance (CDA) for collaborating and proactively sharing knowledge and information across the financial sector to fight cyber-threats.

ThreatFabric has partnerships with TIPs all over the world.

If you want to request a free trial of our MTI-feed, or want to test our own MTI portal for 30 days, feel free to contact us at: sales@threatfabric.com

If you want more information on how we detect mobile malware on mobile devices, you can directly contact us at: info@threatfabric.com


ERMAC Samples

App name: Google Chrome
Package name: com.hxfumpfgokky.bufvpk
SHA-256: 2de0f59fd03512e5527c8b8b19595483564ae54cd4904457c4f5bf127949019d

App name: DPD Mobile
Package name: com.mhyjbezusdvpxu.jukviuhn
SHA-256: 1032b42c859c747bcc159b75366c3325869d3722f5673d13a7b06633245ebf32




The list of the targeted applications.
