ERMAC v3.0 Banking Malware — Source Code Exposed via Weak Password “changemeplease”

By CyberDudeBivash — your daily dose of ruthless, engineering-grade threat intel



Executive summary

Researchers obtained the full ERMAC v3.0 Android banking trojan source code after finding an exposed archive in an open directory. The leak reveals a complete MaaS (malware-as-a-service) stack—PHP/Laravel C2 backend, React operator panel, a Golang exfil server, Docker files, and the Android builder—plus embarrassing hard-coded secrets, including root credentials with the password changemeplease, a hard-coded JWT secret, and tenant-wide bearer tokens. The campaign targets 700+ banking/crypto/shopping apps using overlay (“inject”) pages and AES-CBC communications. The exposure gives defenders concrete pivots (cookies, routes, build artifacts, and IPs) to track and disrupt active infrastructure. (The Hacker News, Hunt.io)


What happened (timeline & discovery)

  • Mar 6, 2024 — An open directory on 141.164.62[.]236:443 hosted Ermac 3.0.zip with the full codebase (backend, frontend, golang, docker, builder). (Hunt.io)

  • Aug 14–16, 2025 — Public write-ups detail the leak and its weaknesses; outlets summarize key takeaways for defenders. (Hunt.io, The Hacker News)


What leaked (and why it matters)

Complete stack & routes. The backend exposes rich operator APIs (e.g., .../injects/*, .../sendBotsCommand, .../accounts/*) and uses the session cookie ermac_session—a direct pivot to find live panels by signature hunting. (Hunt.io)

Hard-coded secrets & weak defaults. Analysis highlights:

  • A hard-coded JWT secret and static admin bearer token.

  • Default root creds with password changemeplease.

  • Open account registration on the admin panel.

All three enable trivial panel takeover and telemetry collection against active crews. (Hunt.io, CyberSecurityNews)

Capabilities uplift in v3.0. Compared with earlier ERMAC/Hook strains, v3.0 expands overlay injects to 700+ apps, adds an improved panel, a new Android backdoor (Kotlin), and AES-CBC comms. (The Hacker News)

Lineage context. ERMAC descends from the Cerberus codebase; later branches overlap with Hook variants—useful for clustering families and re-using detections. (The Hacker News, NCC Group)


How ERMAC v3.0 attacks work (operator view)

  1. Provision: Spin up the leaked backend + panel + exfil server (Go) from Docker or scripts. (Hunt.io)

  2. Build: Use the builder to generate an APK with campaign config (app name, C2 URL, keys). (The Hacker News)

  3. Delivery: Side-load, fake updates, SEO/malvertising, or smishing to install the APK.

  4. Steal: Abuse Accessibility and overlays to present look-alike login screens for 700+ apps, exfiltrate entered creds/SMS/2FA. (The Hacker News)

  5. Operate: Panel commands for device control, SMS grabbing, call forwarding, file ops; data funnels to the Go exfil server over AES-CBC. (The Hacker News)


Why this leak is a defender’s gift

  • Attribution & takedown: The leak’s routes, cookies, and code strings (e.g., ermac_session) are search beacons for mapping live C2s/panels. (Hunt.io)

  • Credential re-use: changemeplease and other defaults historically reappear across actor infra—test them (legally) during coordinated takedowns. (Hunt.io, CyberSecurityNews)

  • Hunting shortcuts: Outlets published host/network observables (IPs, hashes) and note that Hunt.io shared YARA / SQL pivots to seed hunts. (CyberSecurityNews)


Indicators & pivots (selected)

Use these as seeds; verify in your intel pipeline.

  • Cookie signature: ermac_session in HTTP responses → likely ERMAC panel. (Hunt.io)

  • Archive/hash (source): Ermac 3.0.zip — SHA-256 175d4a...992aaa. Go exfil binary SHA-256 8c81ce...e8d545. (Hunt.io)

  • Example infra from reporting: Panels/C2/exfil servers observed across multiple ASNs; reporting includes entries like 43.160.253[.]145:80/8089, 91.92.46[.]12:80, and the open directory host 141.164.62[.]236; validate freshness before blocking. (CyberSecurityNews)
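The seed list above is defanged and of mixed age, so the first thing an intel pipeline has to do is refang it, reject anything that is not a well-formed indicator, and age-gate it before enforcement. The script below is an added example written for this post; it is not Hunt.io's or CyberSecurityNews' tooling. The defanged IPs are the ones quoted above; every last_seen date (except the March 6, 2024 discovery date), the example URL, and the deny-rule syntax are constructed assumptions.

```python
"""Refang the post's IOC seeds and age-gate them before they reach a blocklist.

Added example (not Hunt.io's or CyberSecurityNews' tooling). The defanged
indicators are the ones quoted in this post; every last_seen date other than
the Mar 6, 2024 discovery date, the example URL and the output rule syntax
are CONSTRUCTED assumptions.
"""
import re
from datetime import date

# Constructed seed table: (defanged indicator, assumed last_seen date).
SEEDS = [
    ("141.164.62[.]236:443", date(2024, 3, 6)),     # open-directory host; date = discovery date in the post
    ("43.160.253[.]145:80", date(2025, 8, 14)),     # last_seen assumed
    ("43.160.253[.]145:8089", date(2025, 8, 14)),   # last_seen assumed
    ("91.92.46[.]12:80", date(2025, 8, 10)),        # last_seen assumed
    ("hxxp://panel[.]example[.]invalid/api/v1/injects/list", date(2025, 8, 1)),  # constructed URL
]

# Common defanging conventions and their real form.
_REFANG = (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp://", "http://"), ("hxxps://", "https://"))
_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$")


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    for bad, good in _REFANG:
        value = value.replace(bad, good)
    return value.strip()


def classify(ioc: str):
    """Return ('ip', host, port|None) or ('url', url, None); reject any other shape."""
    m = _IP_PORT.match(ioc)
    if m:
        host, port = m.group(1), m.group(2)
        if any(int(octet) > 255 for octet in host.split(".")):
            raise ValueError(f"invalid IPv4 octet in {ioc!r}")
        return ("ip", host, int(port) if port else None)
    if ioc.startswith(("http://", "https://")):
        return ("url", ioc, None)
    raise ValueError(f"unrecognised indicator shape: {ioc!r}")


def build_blocklist(seeds, today: date, max_age_days: int = 30):
    """Split seeds into (fresh, stale). Stale entries go back to an analyst for
    re-validation instead of straight into enforcement (the post's freshness caveat)."""
    fresh, stale = [], []
    for raw, last_seen in seeds:
        kind, value, port = classify(refang(raw))
        entry = {"kind": kind, "value": value, "port": port, "last_seen": last_seen.isoformat()}
        age_days = (today - last_seen).days
        (fresh if age_days <= max_age_days else stale).append(entry)
    return fresh, stale


def render_deny_rules(fresh):
    """Emit one vendor-neutral egress deny line per fresh IP indicator (constructed syntax)."""
    rules = []
    for e in fresh:
        if e["kind"] != "ip":
            continue  # URLs belong in the proxy/DNS layer, not in an L3/L4 rule
        dst = e["value"] if e["port"] is None else f"{e['value']}:{e['port']}"
        rules.append(f"deny egress to {dst}  # ERMAC seed, last_seen {e['last_seen']}")
    return rules


def demo(today: date = date(2025, 8, 20)):
    """Run the pipeline over SEEDS as of an assumed 'today'; returns (fresh, stale, rules)."""
    fresh, stale = build_blocklist(SEEDS, today=today)
    return fresh, stale, render_deny_rules(fresh)


if __name__ == "__main__":
    fresh, stale, rules = demo()
    print("\n".join(rules))
    for e in stale:
        print(f"STALE, re-validate before blocking: {e['value']} (last_seen {e['last_seen']})")
```

With the assumed dates the March 2024 open-directory host lands in the stale bucket and is reported for re-validation rather than pushed to the firewall, which is exactly the behaviour you want for an IP that may have been reassigned a year ago.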


Detection engineering (practical, copy-paste ready)

1) Internet-wide & perimeter hunts

  • HTTP signature search: Look for Set-Cookie: ermac_session or panel routes (/api/v1/injects/*, /api/v1/sendBotsCommand). (Edge IDS/WAF logs, passive HTTP sensors.) (Hunt.io)

  • TLS/HTTP fingerprints: Cluster by common panel assets and route names from the leak to enumerate sibling hosts. (Hunt.io)
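To show what the cookie and route hunt looks like when run over sensor telemetry, here is an added example (not Hunt.io's published YARA/SQL pivots). The signatures (the ermac_session cookie and the /api/v1/injects/*, /api/v1/sendBotsCommand and /api/v1/accounts/* routes) are the ones this post names; the JSON-lines log schema, every log line, and the signature weights are constructed for the demo.

```python
"""Hunt for ERMAC panel signatures in passive HTTP telemetry.

Added example, not Hunt.io's published pivots. The cookie name and route
prefixes come from the post; the log schema, all sample lines and the
signature weights are CONSTRUCTED assumptions.
"""
import json
import re
from collections import defaultdict

# Constructed JSON-lines sample from an assumed passive HTTP sensor (RFC 5737 test addresses).
SAMPLE_LOG = """\
{"ts":"2025-08-15T10:01:02Z","dst":"203.0.113.10","dst_port":80,"method":"POST","path":"/api/v1/sendBotsCommand","status":200,"set_cookie":"ermac_session=eyJpdiI6...; path=/; httponly"}
{"ts":"2025-08-15T10:01:05Z","dst":"203.0.113.10","dst_port":80,"method":"GET","path":"/api/v1/injects/list","status":200,"set_cookie":""}
{"ts":"2025-08-15T10:02:00Z","dst":"198.51.100.7","dst_port":443,"method":"GET","path":"/login","status":200,"set_cookie":"laravel_session=abc; path=/"}
{"ts":"2025-08-15T10:03:00Z","dst":"198.51.100.8","dst_port":8089,"method":"GET","path":"/api/v1/accounts/me","status":401,"set_cookie":""}
{"ts":"2025-08-15T10:04:00Z","dst":"192.0.2.44","dst_port":80,"method":"GET","path":"/index.html","status":200,"set_cookie":"sessionid=1"}
"""

# Cookie must appear as a cookie name (start of header or after ';'), not anywhere in the value.
COOKIE_RE = re.compile(r"(?:^|;\s*)ermac_session=", re.IGNORECASE)
# Leaked operator-API routes named in the post.
ROUTE_RE = re.compile(r"^/api/v1/(?:injects/|sendBotsCommand$|accounts/)")

# (signature name, weight, matcher). Weights are this example's assumption:
# the cookie alone is enough to flag a host, a route alone only reaches the threshold.
SIGNATURES = [
    ("cookie:ermac_session", 80, lambda r: bool(COOKIE_RE.search(r.get("set_cookie", "")))),
    ("route:leaked-panel-api", 40, lambda r: bool(ROUTE_RE.match(r.get("path", "")))),
]


def parse_log(text):
    """Parse JSON lines, skipping corrupted records so one bad line does not stop the hunt."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            print(f"skipping malformed line {n}")
    return records


def score_hosts(records, threshold=40):
    """Aggregate signature hits per destination host; each signature counts once per host."""
    hits = defaultdict(lambda: {"score": 0, "reasons": set(), "ports": set()})
    for r in records:
        host = r.get("dst")
        if not host:
            continue
        for name, weight, match in SIGNATURES:
            if match(r):
                h = hits[host]
                if name not in h["reasons"]:
                    h["score"] += weight
                    h["reasons"].add(name)
                h["ports"].add(int(r.get("dst_port", 0)))
    return {
        host: {"score": v["score"], "reasons": sorted(v["reasons"]), "ports": sorted(v["ports"])}
        for host, v in hits.items()
        if v["score"] >= threshold
    }


if __name__ == "__main__":
    for host, info in score_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}  score={info['score']}  ports={info['ports']}  reasons={info['reasons']}")
```

Note that the Laravel default cookie on 198.51.100.7 is deliberately not a signature: ERMAC's backend is Laravel, but so are countless legitimate sites, and the leak's value is the renamed ermac_session cookie plus the specific route names.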

2) Android fleet (MDM/EDR/Play console)

  • Alert on unknown APKs with Accessibility + SYSTEM_ALERT_WINDOW + RECEIVE_SMS/READ_SMS permission triad—classic overlay banker profile.

  • Hunt for dynamic overlay usage against finance/crypto app package names (from the leaked inject list). (The Hacker News)

  • Network egress from managed devices to the IPs/ports above; inspect for AES-CBC beacons matching campaign cadence. (The Hacker News, CyberSecurityNews)
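The permission-triad alert and the inject-list cross-check from the two bullets above can be combined into one fleet triage pass over an MDM package export. The following is an added example written for this post, not any MDM vendor's query: the triad (Accessibility + SYSTEM_ALERT_WINDOW + RECEIVE_SMS/READ_SMS) and the idea of checking co-installed apps against the leaked inject targets come from the post, while the export schema, every device record, and the TARGETED_APPS placeholder set are constructed.

```python
"""Score an MDM package inventory for the overlay-banker permission profile.

Added example, not an MDM vendor's query. The permission triad and the
inject-target cross-check come from the post; the inventory schema, all
device records and TARGETED_APPS are CONSTRUCTED assumptions.
"""

ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your enterprise store here

# Placeholder for package names taken from the leaked inject list (not reproduced here).
TARGETED_APPS = {"com.example.bank", "com.example.wallet"}  # constructed

# Constructed MDM export: device -> installed packages with declared permissions and installer.
INVENTORY = {
    "device-A": [  # sideloaded app with the full triad next to a targeted bank app
        {"pkg": "com.example.bank", "installer": "com.android.vending", "perms": ["android.permission.INTERNET"]},
        {"pkg": "com.update.flashplayer", "installer": None,
         "perms": [ACCESSIBILITY, OVERLAY, "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"]},
    ],
    "device-B": [  # Play-sourced assistive app: accessibility alone is not an alert
        {"pkg": "com.example.screenreader", "installer": "com.android.vending",
         "perms": [ACCESSIBILITY, "android.permission.INTERNET"]},
    ],
    "device-C": [  # partial triad, sideloaded, co-installed with a targeted wallet
        {"pkg": "com.example.wallet", "installer": "com.android.vending", "perms": []},
        {"pkg": "com.weird.tool", "installer": None, "perms": [OVERLAY, "android.permission.READ_SMS"]},
    ],
    "device-D": [  # partial triad, sideloaded, nothing targeted on the device
        {"pkg": "com.weird.tool", "installer": None, "perms": [OVERLAY, "android.permission.READ_SMS"]},
    ],
}


def triad_hits(perms):
    """Return which legs of the overlay-banker triad a package declares, in a fixed order."""
    perms = set(perms)
    hits = []
    if ACCESSIBILITY in perms:
        hits.append("accessibility")
    if OVERLAY in perms:
        hits.append("overlay")
    if perms & SMS_PERMS:
        hits.append("sms")
    return hits


def triage_device(packages, targeted=TARGETED_APPS):
    """Return (verdict, findings); verdict is 'alert', 'review' or 'clean'."""
    findings = []
    for p in packages:
        hits = triad_hits(p["perms"])
        sideloaded = p.get("installer") not in TRUSTED_INSTALLERS
        if sideloaded and hits:
            severity = "alert" if len(hits) == 3 else "review"
            findings.append({"pkg": p["pkg"], "severity": severity, "hits": hits})
    if any(f["severity"] == "alert" for f in findings):
        verdict = "alert"
    elif findings:
        verdict = "review"
        # A partial triad sitting next to an app on the inject target list gets escalated now.
        if {p["pkg"] for p in packages} & set(targeted):
            verdict = "alert"
    else:
        verdict = "clean"
    return verdict, findings


def triage_fleet(inventory):
    """Map each device to its verdict."""
    return {device: triage_device(pkgs)[0] for device, pkgs in inventory.items()}


if __name__ == "__main__":
    for device, verdict in triage_fleet(INVENTORY).items():
        print(device, verdict)
```

The installer check is what keeps false positives manageable: a Play-sourced screen reader legitimately binds an accessibility service, so the triad only becomes a finding when the package arrived outside a trusted store, which is the sideloading path ERMAC relies on.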

3) Fraud/SOC correlation

  • Tie new device logins and SIM-swap reports with recent APK installs or SMS-forwarding anomalies; banking-trojan crews frequently stage a BEC-style account drain after overlay capture.


Mitigation & hardening (priority-ordered)

A. For enterprises (BYOD/COPE Android)

  1. Block sideloading in MDM; enforce Google Play/Play Integrity API.

  2. Enforce per-app VPN and DNS sinkhole for finance apps; block connections to known ERMAC infra. (CyberSecurityNews)

  3. Require latest Play Protect and Android security patch levels; quarantine devices requesting Accessibility for non-assistive reasons.

  4. Add overlay protection to critical internal apps (detect obscured windows, FLAG_SECURE, challenge on focus change).

B. For banks/fintech app teams

  • Overlay hardening: Enforce Secure Flag, detect tapjacking, verify in-app focus, and server-side strong device fingerprinting before authorizing high-risk actions.

  • Out-of-band MFA (push with number/phrase match), per-transaction risk controls, and session-binding to device attestation.

  • Threat intel ingestion: Track ERMAC inject package targets; test against your app builds. (The Hacker News)

C. For telcos & payment partners

  • Prioritize SIM-swap monitoring, rapid number-porting holds, and SMS-interception risk models for flagged accounts.


Incident response playbook (ERMAC suspected)

Hour 0–2: Contain

  • Block observed ERMAC endpoints in DNS/Firewall/CDN; revoke sessions of impacted users; force in-app re-auth with device attestation.

  • For managed devices: isolate and collect APK + logs.

Hour 2–12: Scope

  • Pivot from victim reports to overlay telemetry (crash logs, accessibility service usage), then cross-check with bank fraud events.

  • Enumerate infra by hunting ermac_session and leaked routes across perimeter telemetry; share hits with your ISP/CSIRT. (Hunt.io)

Hour 12–48: Eradicate & harden

  • Purge APKs estate-wide via MDM; rotate credentials for affected users; enable transaction step-up.

  • Add temporary geo/velocity blocks and lower auth trust for impacted cohorts.


MITRE ATT&CK® mapping (mobile & enterprise)

  • Initial access: Malicious/repurposed app (T1475), SMS phishing (T1454)

  • Credential access: Overlay capture & keylogging (T1417), SMS/2FA theft (T1411)

  • Collection/Exfil: Exfil via C2 channel (T1409) with AES-CBC comms. (The Hacker News)

  • Defense evasion: Accessibility abuse (T1542), packer/obfuscation, panel-side operator controls

  • Impact: Fraudulent transactions, account takeover


Key takeaways for the board

  • Exposure created defender leverage. Hard-coded secrets (changemeplease, JWT/bearer) and stable routes/cookies are reliable pivots to find and disable live infra. (Hunt.io, CyberSecurityNews)

  • Mobile fraud is supply-chain-like. ERMAC’s builder + panel commoditize campaigns; treat it like SaaS for crime and block at platform edges. (The Hacker News)

  • Speed matters. Convert today’s IOCs into preventive controls (MDM, WAF/CDN, DNS, app attestation) before actors rotate infra.


Sources & further reading

  • Hunt.io — ERMAC V3.0: Full Source Code Leak & Infrastructure Analysis (Aug 14, 2025). Details on open directory, stack, routes, and changemeplease default.

  • The Hacker News — ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure (Aug 16, 2025). High-level summary and capability uplift.

  • CyberSecurityNews — ERMAC v3.0 Source Code Exposed via Weak Password ‘changemeplease’ (Aug 16, 2025). Mentions weak root password and published observables.

  • NCC Group — From ERMAC to Hook (Sept 11, 2023). Family lineage & overlap context.


Author: CyberDudeBivash
Powered by: CyberDudeBivash
Links: cyberdudebivash.com | cyberbivash.blogspot.com