A new analysis of the Android banking trojan known as Hook has revealed that it’s based on its predecessor called ERMAC.
“The ERMAC source code was used as a base for Hook,” NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week.
“All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical.”
Hook was first documented by ThreatFabric in January 2023, describing it as a “ERMAC fork” that’s offered for sale for $7,000 per month. Both the strains are the work of a malware author called DukeEugene.
That said, Hook expands on ERMAC’s functionalities with more capabilities, supporting as many as 38 additional commands when compared to the latter.
ERMAC’s core features are designed to send SMS messages, display a phishing window on top of a legitimate app, extract a list of installed applications, gather SMS messages, and siphon recovery seed phrases for multiple cryptocurrency wallets.
Hook, on the other hand, goes a step further by streaming the victim’s screen and interacting with the user interface to gain complete control over an infected device, capturing photos of the victim using the front facing camera, harvesting cookies related to Google login sessions, and plundering recovery seeds from more crypto wallets.
It can further send an SMS message to multiple phone numbers, effectively propagating the malware to other users.
Regardless of these differences, both Hook and ERMAC can log keystrokes and abuse Android’s accessibility services to conduct overlay attacks in order to display content on top of other apps and steal credentials from over 700 apps. The list of apps to target is retrieved on the fly via a request to a remote server.
The malware families are also engineered to monitor for clipboard events and replace the content with an attacker-controlled wallet should the victim copy a legitimate wallet address.
A majority of Hook and ERMAC’s command-and-control (C2) servers are located in Russia, followed by the Netherlands, the U.K., the U.S., Germany, France, Korea, and Japan.
As of April 19, 2023, it appears that the Hook project has been shuttered, according to a post shared by DukeEugene, who claimed to be leaving for a “special military operation” and that support for the software would be provided by another actor named RedDragon until the customers’ subscription runs out.
Subsequently, on May 11, 2023, the source code for Hook is said to have been sold by RedDragon for $70,000 on an underground forum. The short lifespan of Hook aside, the development has raised the possibility that other threat actors could pick up the work and release new variants in the future.
The disclosure comes as a China-nexus threat actor has been linked to an Android spyware campaign targeting users in South Korea since the beginning of July 2023.
“The malware is distributed through deceptive phishing websites that pose as adult sites but actually deliver the malicious APK file,” Cyble said. “Once the malware has infected the victim’s machine, it can steal a wide range of sensitive information, including contacts, SMS messages, call logs, images, audio files, screen recordings, and screenshots.”
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive deep into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Discover why identity is the new endpoint. Secure your spot now.
Supercharge Your Skills
On top of that, the malware (APK package name “com.example.middlerankapp”) takes advantage of accessibility services to monitor the apps used by the victims and prevent uninstallation.
It also contains a feature that allows the malware to redirect incoming calls to a designated mobile number controlled by the attacker, intercept SMS messages, and incorporate an unfinished keylogging functionality, indicating it’s likely in active development.
The connections to China stem from references to Hong Kong in the WHOIS record information for the C2 server as well as the presence of several Chinese language strings, including “中国共产党万岁,” in the malware source code, which translates to “Long live the Communist Party of China.”
In a related development, Israeli newspaper Haaretz revealed that a domestic spyware company Insanet has developed a product called Sherlock that can infect devices via online advertisements to snoop on targets and collect sensitive data from Android, iOS, and Windows systems.
The system is said to have been sold to a country that’s not a democracy, it reported, adding a number of Israeli cyber companies have attempted to develop offensive technology that exploits ads for profiling victims (a term called AdInt or ad intelligence) and distributing spyware.