{
	"id": "5f83a3da-7ef0-4797-ba07-fd6264fea1f8",
	"created_at": "2026-04-06T03:37:42.66074Z",
	"updated_at": "2026-04-10T13:12:46.105147Z",
	"deleted_at": null,
	"sha1_hash": "ab5c812890b0d9e3be8fd3283d31b32a6c2ad467",
	"title": "Ermac malware: the other side of the code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6109927,
	"plain_text": "Ermac malware: the other side of the code\r\nBy Ben Wagner\r\nPublished: 2024-01-29 · Archived: 2026-04-06 02:50:55 UTC\r\nAuthors\r\nBen Wagner\r\nMobile Security Researcher\r\nIBM Security\r\nWhen the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.\r\nTo better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the actor maintaining Ermac. While a new version of the malware has been released, we will focus on the original version.\r\nGaining insight into the backstage operations of the malware is not simply a case of reverse engineering malware samples that were released into the wild. Once that reverse engineering was complete, however, unique and interesting aspects of the inner workings of the malware were revealed.\r\nAs a Cerberus descendant, Ermac shares the same source code and fraud capabilities, including stealing a user’s bank credentials and second-factor authentication (2FA) messages that are delivered to the user via SMS or notification.\r\nHere is an example of the shared preferences file created by Cerberus and Ermac. We can easily see that Ermac malware has the same elements as Cerberus, and there are also new entries representing new capabilities in Ermac.\r\nhttps://securityintelligence.com/posts/ermac-malware-the-other-side-of-the-code/\r\nPage 1 of 18\r\nFigure 1: Cerberus shared preference.\r\nFigure 2: Ermac shared preference.\r\nThe capabilities of Ermac were already discussed in depth. However, it is worth mentioning that Ermac malware contains than Cerberus. The Ermac packer is open source and can be found online.\r\nThis is yet more evidence that Ermac could be a new operator and that the threat actor is actively maintaining the leaked Cerberus code and constantly evolving Ermac’s code base.\r\nFigure 3: This is the first page presented once connecting to the Ermac command and control server.\r\nA deep dive into the Ermac command and control server (C\u0026C) user interface (UI) reveals the differences between Cerberus and Ermac and provides a unique glimpse into the Ermac functionality, monetization scheme and features under development. IBM Trusteer researchers have discovered two new beta capabilities in the Ermac malware: ransomware and a virtual private network (VPN) connection.\r\nThese images taken from the C\u0026C demonstrate Ermac’s different capabilities.\r\nFigure 4: ERMAC C\u0026C bot management page.\r\nThe data that the C\u0026C manages is organized in a structured table with multiple columns.\r\nThe first column shows the ID that is generated for each bot. We can also see the different actions and device modes: for example, if the user is currently watching the screen, whether different models are loaded and so on.\r\nThe next column stores information about the victim’s device and operating system version.\r\nColumn three stores different tags regarding the bot’s status; for example, “favorite,” “blacklist” and “trash.”\r\nThe next column is called GEO and stores information about the country and device location of the bot.\r\nNext, there is information regarding the malware installation date and time and the last time the bot was successfully connected to the C\u0026C.\r\nThe “injection” column contains the different applications on which the malware can perform overlay attacks.\r\nThe “action” column lists the different actions the C\u0026C operator can command the bot to perform on the victim’s device. These actions include open inject, forward calls, clear application data and more (see Figures 8-13).\r\nThe logs column contains the raw data exfiltrated from the victim’s device, including the contact list, 2FA, list of installed applications, application notifications, keystrokes log and more.\r\nFigure 5: Ermac capabilities.\r\nOne of the most interesting screens is the “Auto command,” which is still in beta mode. On the screen, we can see capabilities like sending SMS, opening inject (overlay screen), grabbing the contacts list and the killbot, which is an Ermac self-destruct switch. We can also see unique commands such as “Clear app data” and “Get Accounts.” Visibility into the C\u0026C exposes new commands still under development: “beta Ransomware” and “beta Set bot VPN.”\r\nFigure 6: Ermac events.\r\nHere, we can see Ermac events. All activities of the bots can be seen in this figure.\r\nFigure 7: Devices list screen (in development).\r\nAnother capability that is still under development is the ability to upload or download files from the bot itself. In production, this allows the bot operator to have more control over the victim’s machine and opens the door to new attack tactics.\r\nFigure 8: Bot commands.\r\nThe malware operator can choose any of the infected devices, initiate a call from that device and even pick which SIM to use for the call. The “lock screen” checkbox can be turned on or off. While on, Ermac shows the victim a fake screen during the entire duration of the call, thus hiding the ongoing call from the victim while preventing any other use of the device.\r\nFigure 9: Calling command.\r\nFigure 10: SMS command.\r\nThe clear cache command can be used to clear all the data of an app. When the malware clears the data, it also clears the cache.\r\nFigure 11: Clear Cache command.\r\nThe fraudster can lure victims to open their bank application by sending a push notification with a text from the “bank.”\r\nFigure 12: Send Push command.\r\nThe fraudsters can steal the seed phrase used for the crypto wallet from the user’s device and later use it to log in to the victim’s account without having to prove their identity.\r\nFigure 13: Get Seed Phrase command.\r\nIn the C\u0026C user management panel, we can see all the users and roles that exist in the system. This demonstrates that Ermac is built to be operated in a fraud-as-a-service (FaaS) model. The Ermac operator, “root,” can create a new user and password from this screen that can later be used by a fraudster client to manage their bots by logging into the C\u0026C using this new user.\r\nFigure 14: C\u0026C user management panel.\r\nFigure 15: C\u0026C user management panel “Create New User” screen.\r\nWhen the admin creates a new user, they can pick a token (password) for the user to log in with and can assign a role to the user.\r\nFigure 16: C\u0026C user management panel “Create New User” screen defines a role.\r\nFigure 17: Permissions screen.\r\nEach role has its own permission profile that is managed on the permissions screen.\r\nAlthough Ermac’s risk is very similar to Cerberus, Ermac has some new capabilities that have not been seen before. This is one of the more sophisticated Cerberus mutants because of the new capabilities that it offers, such as “ransomware” and “set bot VPN.”\r\nWe expect to see more mutations with new capabilities using Cerberus’s leaked code. It is interesting and rare to have a look from “the other side” of malware, as we have done in this article, to see the C\u0026C and how fraudsters manage and control bots all over the world.\r\nIBM Trusteer researchers will continue to monitor changes in the malware and keep you updated.\r\nThe author would like to thank Nethanella Messer and James Kilner for their contribution to this article.\r\nSource: https://securityintelligence.com/posts/ermac-malware-the-other-side-of-the-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityintelligence.com/posts/ermac-malware-the-other-side-of-the-code/"
	],
	"report_names": [
		"ermac-malware-the-other-side-of-the-code"
	],
	"threat_actors": [],
	"ts_created_at": 1775446662,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab5c812890b0d9e3be8fd3283d31b32a6c2ad467.pdf",
		"text": "https://archive.orkl.eu/ab5c812890b0d9e3be8fd3283d31b32a6c2ad467.txt",
		"img": "https://archive.orkl.eu/ab5c812890b0d9e3be8fd3283d31b32a6c2ad467.jpg"
	}
}