This unique insight into an active malware-as-a-service platform offers a valuable understanding of modern cybercriminal operations and highlights critical vulnerabilities that could assist defenders in combating ongoing threats.
In March 2024, Hunt.io’s research team discovered an exposed server containing the complete ERMAC V3.0 source code through their AttackCapture
The leaked archive contained five distinct components: a PHP-based backend server, a React frontend panel, a Golang exfiltration server, Docker configuration files, and an Android application builder.
This comprehensive leak represents one of the most detailed exposures of an active banking trojan’s infrastructure in recent years.
The discovery has significant implications for cybersecurity professionals worldwide, as complete source code leaks of operational malware are rare.
Security researchers can now understand exactly how modern banking trojans operate, communicate with command-and-control servers, and steal sensitive financial information from mobile devices.
ERMAC V3.0 demonstrates remarkable sophistication in its design and capabilities. The malware targets more than 700 banking, shopping, and cryptocurrency applications using advanced form injection techniques.
Unlike its predecessors, which were based on leaked Cerberus code, version 3.0 represents a significant evolution with a completely rewritten infrastructure and enhanced data theft capabilities.
The trojan uses AES-CBC encryption for all communications between infected devices and its command-and-control servers, making detection more challenging for traditional security tools that rely on inspecting plaintext traffic.
The malware also includes geographic restrictions, automatically uninstalling itself if detected in Commonwealth of Independent States countries or emulator environments, suggesting the operators’ attempts to avoid prosecution in certain regions.
Hunt.io’s analysis revealed several critical vulnerabilities within ERMAC’s infrastructure that security researchers and law enforcement could exploit.
These include hardcoded JWT tokens, default root credentials with the password “changemeplease,” and the ability for anyone to register administrator accounts through the API without proper authentication controls.
These security flaws represent significant operational risks for cybercriminals using the platform and provide opportunities for defenders to identify and disrupt active ERMAC operations.
The researchers successfully used these indicators to locate additional active ERMAC infrastructure, including multiple command-and-control panels and data exfiltration servers currently operating online.
The research team has developed specific detection methods and provided actionable intelligence for cybersecurity professionals.
They created YARA rules for identifying ERMAC Android applications and SQL queries for discovering related infrastructure components across the internet.
These tools enable proactive threat hunting and help security teams identify potential ERMAC infections before they can cause significant damage.
Hunt.io’s findings demonstrate the value of comprehensive threat intelligence platforms in modern cybersecurity defense.
By scanning the entire IPv4 address space and monitoring for exposed directories, the company's platform can identify emerging threats and provide early warning to the security community.
This discovery highlights both the sophistication of modern cybercriminal operations and the potential for security researchers to gain critical insights into their activities.
The ERMAC V3.0 analysis provides a blueprint for understanding malware-as-a-service platforms and developing more effective defensive strategies against banking trojans targeting mobile devices.
As financial institutions and mobile application developers continue to strengthen their security measures, access to detailed threat intelligence like this ERMAC analysis becomes increasingly valuable for staying ahead of evolving cyber threats and protecting users’ sensitive financial information.
| Filename | SHA-256 Hash | Behavior |
|---|---|---|
| Ermac 3.0.zip | 175d4adc5fc0b0d8eb4b7d93b6f9694e4a3089e4ed4c59a2828d0667a9992aaa | ERMAC Source Code |
| server_go | 8c81cebbaff9c9cdad69257f50af0f5208a0d5923659b4e0c3319333f9e8d545 | ERMAC compiled exfiltration server |
The post ERMAC v3.0 Banking Malware Source Code Exposed via Weak Password ‘changemeplease’ appeared first on Cyber Security News.