ERMAC is a code-wise inheritor of a well-known malware Cerberus. It uses almost identical data structures when communicating with the C2, it uses the same string data, et cetera.
When we first encountered ERMAC samples, we thought it to be just another variant of Cerberus since the code was leaked several times and a lot of actors try to build their own malware based on its sources. However, the admin panel login page clearly states
Compared to the original Cerberus, ERMAC uses different encryption scheme in communication with the C2: the data is encrypted with AES-128-CBC, and prepended with double word containing the length of the encoded data
Commands list
The commands ERMAC receives and processes, are almost identical to the latest Cerberus commands. A couple of commands are added that can clear the cache of the specified application and steal device accounts (new commands bold).
| Command | Description |
|---|---|
| push | Shows a push notification (clicking on the notification will result in launching specified app) |
| startAuthenticator2 | Launches the Google Authenticator application |
| startAdmin | Triggers request for admin privileges |
| startApp | Starts the specified application |
| getInstallApps | Gets the list of applications installed on the device |
| getContacts | Gets the contact names and phone numbers from the address book of the infected device |
| deleteApplication | Triggers the removal of the specified application |
| forwardCall | Enables call forwarding to the specified number |
| sendSms | Sends a text message with specified text from the infected device to the specified phone number |
| SendSMSALL | Sends text messages with specified text from the infected device to all contacts of the infected device |
| startInject | Triggers the overlay attack against the specified application |
| startUssd | Executes the specified USSD code |
| openUrl | Opens the specified URL in the WebView |
| getSMS | Gets all text messages from the infected device |
| killMe | Triggers the kill switch for the bot |
| updateModule | Updates the payload module |
| updateInjectAndListApps | Triggers update of the target list |
| clearCash/clearCashe | Triggers opening specified application details |
| getAccounts/logAccounts | Triggers stealing a list of the accounts on the device |
What do you think?
It is nice to know your opinion. Leave a comment.