When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.

To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the actor maintaining Ermac. While a new version of the malware has been released, we will focus on the original version.

Gaining insight into the backstage operations of the malware is not simply a case of reverse engineering malware samples that were released into the wild. Once that reverse engineering was complete, however, unique and interesting aspects of the inner workings of the malware were revealed.

The Cerberus connection

As a Cerberus descendent, Ermac shares the same source code and fraud capabilities, including stealing a user’s bank credentials and second-factor authentication (2FA) messages that are delivered to the user via SMS or notification.

Here is an example of the shared preferences file created by Cerberus and Ermac. We can easily see that Ermac malware has the same elements as Cerberus, and there are also new entries representing new capabilities in Ermac.

Figure 1: Cerberus shared preference.

Figure 2: Ermac shared preference.

How Ermac is unique

The capabilities of Ermac were already discussed in depth. However, it is worth mentioning that Ermac malware contains a different packer than Cerberus. The Ermac packer is open source and can be found online.

This is yet more evidence that Ermac could be a new operator and that the threat actor is actively maintaining the leaked Cerberus code and constantly evolving Ermac’s code base.

Figure 3: This is the first page presented once connecting to the Ermac command and control server.

A deep dive into the Ermac command and control server (C&C) user interface (UI) reveals the differences between Cerberus and Ermac and provides a unique glimpse into the Ermac functionality, monetization scheme and features under development. IBM Trusteer researchers have discovered two new beta capabilities in the Ermac malware: ransomware and a virtual private network (VPN) connection.

Wide-ranging capabilities

These images taken from the C&C demonstrate Ermac’s different capabilities.

Figure 4: ERMAC C&C bot management page.

The data that the C&C manages is organized in a structured table with multiple columns.

The first column shows the ID that is generated for each bot. We can also see the different actions and device modes: for example, if the user is currently watching the screen, whether different models are loaded and so on.

The next column stores information about the victim’s device and operating system version.

Column three stores different tags regarding the bot’s status; for example, “favorite,” “blacklist” and “trash.”

The next column is called GEO and stores information about the country and device location of the bot.

Next, there is information regarding the malware installation date and time and the last time the bot was successfully connected to the C&C.

The “injection” column contains the different applications on which the malware can perform overlay attacks.

The “action” column lists the different actions the C&C operator can command the bot to perform on the victim’s device. These actions include open inject, forward calls, clear application data and more (see Figures 8-13).

The logs column contains the raw data exfiltrated from the victim’s device, including the contact list, 2FA, list of installed applications, application notifications, keystrokes log and more.

Figure 5: Ermac capabilities.

One of the most interesting screens is the “Auto command,” which is still in beta mode. On the screen, we can see capabilities like sending SMS, opening inject (overlay screen), grabbing the contacts list and the killbot, which is an Ermac self-destruct switch. We can also see unique commands such as “Clear app data” and “Get Accounts.”

Visibility to the C&C exposes new commands still under development: “beta Ransomware” and “beta Set bot VPN.”

Figure 6: Ermac events.

Here, we can see Ermac events. All activities of the bots can be seen in this figure.

Figure 7: Devices list screen (in development).

Another capability that is still under development is the ability to upload or download files from the bot itself. In production, this allows the bot operator to have more control over the victim’s machine and opens the door to new attack tactics.

Figure 8: Bot commands.

The malware operator can choose any of the infected devices, initiate a call from that device and even pick which SIM to use for the call. The “lock screen” checkbox can be turned on or off. While on, Ermac shows the victim a fake screen during the entire duration of the call, thus hiding the ongoing call from the victim while preventing any other use of the device.

 

Figure 9: Calling command.

Figure 10: SMS command.

The clear cache command can be used to clear all the data of an app. When the malware clears the data, it also clears the cache.

 

Figure 11: Clear Cache command.

The fraudster can lure victims to open their bank application by sending a push notification with a text from the “bank.”

Figure 12: Send Push command.

The fraudsters can steal the seed phrase from the user’s device used for the crypto wallet and later use it to log in to the victim’s account without having to prove their identity.

Figure 13: Get Seed Phrase command.

In the C&C user management panel, we can see all the users and roles that exist in the system. This demonstrates that Ermac is built to be operated in a fraud-as-a-service (FaaS) model. The Ermac operator, “root,” can create a new user and password from this screen that can later be used by a fraudster client to manage their bots by logging into the C&C using this new user.

Figure 14: C&C user management panel.

Figure 15: C&C user management panel “Create New User” screen.

When the admin creates a new user, they can pick a token (password) for the user to log in with and can assign a role to the user.

Figure 16: C&C user management panel “Create New User” screen defines a role.

Figure 17: Permissions screen.

Each role has its own permission profile that is managed on the permissions screen.

Fraud as a service continues to evolve

Although Ermac’s risk is very similar to Cerberus, Ermac has some new capabilities that have not been seen before. This is one of the more sophisticated Cerberus mutants because of the new capabilities that it offers, such as “ransomware” and “set bot VPN.”

We expect to see more mutations with new capabilities using Cerberus’s leaked code. It is interesting and rare to have a look from “the other side” of malware, as we have done in this article, to see the C&C and how fraudsters manage and control bots all over the world.

 IBM Trusteer researchers will continue to monitor changes in the malware and keep you updated.

The author would like to thank Nethanella Messer and James Kilner for their contribution to this article.

More from Risk Management

What can businesses learn from the rise of cyber espionage?

4 min read - It’s not just government organizations that need to worry about cyber espionage campaigns — the entire business world is also a target.Multipolarity has been a defining trend in geopolitics in recent years. Rivalries between the world’s great powers continue to test the limits of globalism, resulting in growing disruption to international supply chains and economics. Global political risk has reached its highest level in decades, and even though corporate attention to geopolitics has dropped since peaking in 2022, the impact…

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today