A significant security breach has exposed the complete source code of ERMAC V3.0, a sophisticated banking trojan that targets over 700 financial applications worldwide.
The leak, discovered by cybersecurity firm Hunt.io in March 2024, was made possible by a surprisingly weak default password: “changemeplease.”
The discovery occurred when Hunt.io researchers identified an open directory containing the complete ERMAC V3.0 source code archive.
This rare exposure of an active Malware-as-a-Service platform provides unprecedented insight into one of the most advanced mobile banking trojans currently operating in the wild.
ERMAC has undergone significant evolution since its inception. Early versions were built using leaked Cerberus source code, while version 2.0 incorporated substantial portions of the Hook botnet’s codebase by late 2023.
The newly uncovered version 3.0 represents a major advancement, expanding the malware’s capabilities to target more than 700 banking, shopping, and cryptocurrency applications through sophisticated form injection techniques.
The leaked source code revealed a comprehensive malware ecosystem consisting of five main components: a PHP and Laravel-based backend, a React-based frontend panel, a Golang exfiltration server, Docker configuration files, and an Android builder panel for creating customized malware variants.
Critical Security Vulnerabilities
Analysis of the source code uncovered multiple critical security flaws that could be exploited to disrupt ERMAC operations.

These include a hardcoded JWT secret token, static admin bearer token, and most notably, default root credentials using the password “changemeplease.” Additionally, the system allows open account registration directly through its API, potentially granting unauthorized access to the admin panel.
Using advanced search capabilities, Hunt.io researchers identified multiple active ERMAC infrastructure components still operating online.

The investigation revealed four unique command-and-control servers and four exfiltration servers using the distinctive authentication header “LOGIN | ERMAC.”
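As an added example, not code from the article or from Hunt.io, the following Python scanner shows how a defender could sweep captured HTTP requests for the distinctive "LOGIN | ERMAC" authentication header. The sample captures are constructed, and placing the value in an Authorization header is an assumption, since the article does not name the header field.

```python
"""Flag captured HTTP requests that carry the 'LOGIN | ERMAC' marker value."""
import re

# Normalised form of the header value reported by Hunt.io; spacing and case
# are collapsed so that variants such as 'login|ermac' are still caught.
ERMAC_MARKER = "LOGIN|ERMAC"


def normalise(value: str) -> str:
    """Strip all whitespace and upper-case the value for comparison."""
    return re.sub(r"\s+", "", value).upper()


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into its request line and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than abort the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def is_ermac_checkin(raw: str) -> bool:
    """True if any header value normalises to the ERMAC marker."""
    req = parse_request(raw)
    return any(normalise(v) == ERMAC_MARKER for v in req["headers"].values())


def flag_requests(captures):
    """Return (client, request_line) for each capture that matches the marker."""
    return [(client, parse_request(raw)["request_line"])
            for client, raw in captures if is_ermac_checkin(raw)]


# Constructed sample captures (not real traffic). The header name is assumed.
SAMPLE_CAPTURES = [
    ("10.0.0.5", "POST /api/v1/ping HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                 "Authorization: LOGIN | ERMAC\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.6", "POST /upload HTTP/1.1\r\nHost: 203.0.113.11\r\n"
                 "authorization: login|ermac\r\n\r\n"),
    ("10.0.0.7", "GET / HTTP/1.1\r\nHost: example.com\r\n"
                 "Authorization: Bearer abc\r\n\r\n"),
]

if __name__ == "__main__":
    for client, line in flag_requests(SAMPLE_CAPTURES):
        print(f"ALERT {client}: {line}")
```

Hosts flagged this way are candidates for blocking at the egress proxy and for triage of the originating device, not confirmation on their own.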
The malware demonstrates sophisticated operational security measures, including AES-CBC encrypted communications and geographic restrictions that prevent execution in Commonwealth of Independent States countries.
Before installation, ERMAC verifies it’s not running in an emulator environment and requests extensive device permissions for SMS access, background operation, and process termination capabilities.
This source code leak provides cybersecurity professionals with valuable intelligence for developing countermeasures against ERMAC campaigns. The exposed infrastructure details and operational vulnerabilities offer concrete opportunities to disrupt ongoing malicious activities and protect potential victims.
The ERMAC V3.0 leak underscores the continued evolution of mobile banking trojans and highlights how weak security practices, even among cybercriminals, can expose sophisticated malicious operations to security researchers and law enforcement agencies.