Divya
2025-08-15 04:46:00
gbhackers.com
A significant security breach has exposed the complete source code of ERMAC V3.0, a sophisticated banking trojan that targets over 700 financial applications worldwide.
The leak, discovered by cybersecurity firm Hunt.io in March 2024, was made possible by a surprisingly weak default password: “changemeplease.”
The discovery occurred when Hunt.io researchers identified an open directory containing the complete ERMAC V3.0 source code archive.
This rare exposure of an active Malware-as-a-Service platform provides unprecedented insight into one of the most advanced mobile banking trojans currently operating in the wild.
ERMAC has undergone significant evolution since its inception. Early versions were built using leaked Cerberus source code, while version 2.0 incorporated substantial portions of the Hook botnet’s codebase by late 2023.

The newly uncovered version 3.0 represents a major advancement, expanding the malware’s capabilities to target more than 700 banking, shopping, and cryptocurrency applications through sophisticated form injection techniques.
The leaked source code revealed a comprehensive malware ecosystem consisting of five main components: a PHP and Laravel-based backend, a React-based frontend panel, a Golang exfiltration server, Docker configuration files, and an Android builder panel for creating customized malware variants.
Critical Security Vulnerabilities
Analysis of the source code uncovered multiple critical security flaws that could be exploited to disrupt ERMAC operations.

These include a hardcoded JWT secret token, a static admin bearer token, and, most notably, default root credentials using the password “changemeplease.” Additionally, the system allows open account registration directly through its API, potentially granting unauthorized access to the admin panel.
Using advanced search capabilities, Hunt.io researchers identified multiple active ERMAC infrastructure components still operating online.

The investigation revealed four unique command-and-control servers and four exfiltration servers using the distinctive authentication header “LOGIN | ERMAC.”
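As an added example (not code from the article or from Hunt.io), this is one way to check HTTP responses captured in your own proxy or scan logs for the “LOGIN | ERMAC” string. The article does not say where in the response the string sits, so checking both header values and the HTML title is an assumption, and the sample responses are constructed.

```python
import html
import re

MARKER = "LOGIN | ERMAC"  # string quoted in the article

def _norm(text):
    # Decode HTML entities, collapse whitespace runs, ignore case.
    return re.sub(r"\s+", " ", html.unescape(text)).strip().casefold()

def find_marker(raw_response):
    """Return 'header:<name>', 'title', or None for one raw HTTP response."""
    head, _, body = raw_response.partition("\r\n\r\n")
    want = _norm(MARKER)
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and want in _norm(value):
            return "header:" + name.strip().lower()
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    if m and want in _norm(m.group(1)):
        return "title"
    return None

def scan(responses):
    """Map host -> match location for every response carrying the marker."""
    hits = {}
    for host, raw in responses.items():
        where = find_marker(raw)
        if where:
            hits[host] = where
    return hits

# Constructed sample responses (documentation-range addresses, not real hosts).
SAMPLES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
                  "<html><head><title>LOGIN &#124;\n  ERMAC</title></head></html>",
    "192.0.2.11": "HTTP/1.1 401 Unauthorized\r\n"
                  'WWW-Authenticate: Basic realm="login | ermac"\r\n\r\n',
    "192.0.2.12": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
                  "<html><head><title>Login | Example Bank</title></head></html>",
}

if __name__ == "__main__":
    for host, where in scan(SAMPLES).items():
        print(host, "matched in", where)
```

Normalizing entities, whitespace and case before comparing keeps the check from missing a panel that renders the same title with different markup.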
The malware demonstrates sophisticated operational security measures, including AES-CBC encrypted communications and geographic restrictions that prevent execution in Commonwealth of Independent States countries.
Before installation, ERMAC verifies it’s not running in an emulator environment and requests extensive device permissions for SMS access, background operation, and process termination capabilities.
This source code leak provides cybersecurity professionals with valuable intelligence for developing countermeasures against ERMAC campaigns. The exposed infrastructure details and operational vulnerabilities offer concrete opportunities to disrupt ongoing malicious activities and protect potential victims.
The ERMAC V3.0 leak underscores the continued evolution of mobile banking trojans and highlights how weak security practices, even among cybercriminals, can expose sophisticated malicious operations to security researchers and law enforcement agencies.