Ermac malware: The other side of the code


When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.


To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the actor maintaining Ermac. While a new version of the malware has been released, we will focus on the original version.


Gaining insight into the backstage operations of the actor takes more than reverse engineering the malware samples that were released into the wild. Once that reverse engineering was complete, however, it revealed unique and interesting aspects of the malware's inner workings.


The Cerberus connection


As a Cerberus descendant, Ermac shares the same source code and fraud capabilities, including stealing a user’s bank credentials and second-factor authentication (2FA) messages that are delivered to the user via SMS or notification.


Here is an example of the shared preferences file created by Cerberus and Ermac. We can easily see that Ermac malware has the same elements as Cerberus, and there are also new entries representing new capabilities in Ermac.



Figure 1: Cerberus shared preference.


Figure 2: Ermac shared preference.
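The comparison the two figures invite, inherited keys versus new entries, can be done mechanically on any pair of Android SharedPreferences files pulled from samples. The script below is an added example, not code from the article or from either malware family; the two XML documents and every key name in them are constructed placeholders, not the real Cerberus or Ermac preference files.

```python
import xml.etree.ElementTree as ET

# Android SharedPreferences files are XML: a <map> root with typed children such
# as <string name="k">v</string> and <boolean name="k" value="true"/>.
# Both documents below are constructed placeholders, not the real Cerberus/Ermac
# files from the article's figures; key names are invented for illustration.
CERBERUS_PREFS = """<map>
    <string name="example_c2_host">placeholder.invalid</string>
    <boolean name="example_accessibility_granted" value="false" />
    <int name="example_ping_interval" value="60" />
</map>"""

ERMAC_PREFS = """<map>
    <string name="example_c2_host">placeholder.invalid</string>
    <boolean name="example_accessibility_granted" value="false" />
    <int name="example_ping_interval" value="30" />
    <string name="example_new_capability_flag">1</string>
</map>"""

# One converter per value element type that SharedPreferences emits.
_CONVERTERS = {
    "string": lambda e: e.text or "",
    "boolean": lambda e: e.get("value") == "true",
    "int": lambda e: int(e.get("value")),
    "float": lambda e: float(e.get("value")),
}

def parse_shared_prefs(xml_text):
    """Parse a SharedPreferences XML document into {key: typed value}."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError(f"not a SharedPreferences file: root is <{root.tag}>")
    prefs = {}
    for elem in root:
        conv, name = _CONVERTERS.get(elem.tag), elem.get("name")
        if conv is None or name is None:
            continue  # <set> entries and malformed nodes are skipped
        prefs[name] = conv(elem)
    return prefs

def compare_prefs(old, new):
    """Classify keys: inherited, added in the newer sample, dropped, or changed."""
    common = set(old) & set(new)
    return {
        "shared": sorted(common),
        "added": sorted(set(new) - set(old)),
        "dropped": sorted(set(old) - set(new)),
        "changed": sorted(k for k in common if old[k] != new[k]),
    }
```

Keys in "shared" support the lineage claim, while "added" is the list to examine for new capabilities; "changed" flags inherited settings whose values the newer actor retuned.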


How Ermac is unique


The capabilities of Ermac were already discussed in dept ..
