Hunt.io Exposes and Analyzes ERMAC V3.0 Banking Trojan Full Source Code Leak

MITRE Techniques

• [T1204] User Execution – ERMAC is executed through user interaction (“ERMAC is executed through user interaction”).
• [T1059] Command and Scripting Interpreter – Uses WebView components to execute remote JavaScript from its C2 server for data collection (“ERMAC uses WebView components to execute remote JavaScript from its C2 server, for data collection.”).
• [T1053] Scheduled Task/Job – Uses StartReceiver to schedule callbacks to maintain persistence (“Uses StartReceiver to schedule callbacks to maintain persistence.”).
• [T1543] Create or Modify System Process (Service) – Uses ActivityManager to ensure service stays online (“ERMAC uses ActivityManager to ensure service stays online.”).
• [T1412] Mobile SMS Control – Uses Android intents to intercept and control SMS messages (“Uses Android intents to intercept and control SMS messages.”).
• [T1548] Abuse Elevation Control Mechanism (Elevated Execution with Prompt) – Requests Device Administrator privileges to lock the screen and prevent uninstallation (“Requests Device Administrator privileges to lock the screen and prevent uninstallation.”).
• [T1048] Encrypted Channel – All communication with the C2 server is encrypted using AES (“All communication with the C2 server is encrypted using AES, which prevents network-level detection of commands and exfiltrated data.”).
• [T1036] Masquerading – Deletes its launcher icon after first run to hide presence (“ERMAC deletes its launcher icon after the first run to hide its presence on the device.”).
• [T1027] Obfuscated Files or Information – Strings and variable names are obfuscated with Russian text and Base64 to hinder static analysis (“Strings and variable names are obfuscated with Russian text and Base64 encoding to hinder static analysis.”).
• [T1497] Virtualization/Sandbox Evasion – Checks for emulation to prevent analysis (“Checks for emulation to prevent analysis.”).
• [T1499] Geofencing – Blocks execution in CIS countries to avoid prosecution (“Blocks [ua][ru][by][tj][uz][tm][az][am][kz][kg][md] from running the malware.”).
• [T1405] Disable or Modify System Firewall (via Accessibility) – Uses Accessibility Services to disable Google Play Protect (“Using Accessibility Services, ERMAC disables Google Play Protect to reduce the likelihood of being detected and removed.”).
• [T1056] Input Capture (Keylogging) – Includes a keylogger to capture user input across applications (“Includes a keylogger functionality to capture user input across all applications.”).
• [T1598] GUI Input Capture (Form Injection) – Utilizes form injection overlays to capture credentials and form data (“Utilizes form injection to capture form data from Android applications.”).
• [T1402] Access Notification – Intercepts incoming SMS to steal 2FA codes (“Intercepts incoming SMS messages to steal sensitive information like two-factor authentication (2FA) codes.”).
• [T1087] Account Discovery – Gathers a list of all user accounts on the device (“Gathers a list of all user accounts on the device.”).
• [T1083] File and Directory Discovery – Built-in file manager allows browsing and downloading files (“A built-in file manager module allows the attacker to browse the device’s file system and download files.”).
• [T1113] Screen Capture / Video Capture – Can remotely take photos using the front camera (“It can remotely take photos using the front camera without the user’s knowledge.”).
• [T1071] Application Layer Protocol – Communicates with its C2 server over HTTP/S (“Communicates with its C2 server over HTTP/S.”).
• [T1041] Exfiltration Over C2 Channel – All collected data is sent to the attacker using the primary C2 channel (“All collected data, including credentials, contacts, and files, is sent to the attacker using the primary C2 channel.”).