Full Report
Authored by Joshua Kamp (main author) and Alberto Segura.

Summary

Hook and ERMAC are Android-based malware families that are both advertised by the actor named "DukeEugene". Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook …

(Excerpt of the full report: From ERMAC to Hook: Investigating the technical differences between two Android malware variants)
Analysis Summary
# Tool/Technique: Hook and ERMAC (Android Malware Families)
## Overview
Hook and ERMAC are Android-based malware families associated with the actor "DukeEugene." ERMAC served as the codebase foundation for Hook, the actor's latest variant, which was announced at the start of 2023. Both aim primarily at financial gain by stealing personal information and cryptocurrency assets, and both also have surveillance capabilities. Hook significantly expands on the feature set of ERMAC.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: SMS malware functionality, overlay/phishing attacks, information/account extraction, cryptocurrency wallet seed phrase theft, keylogging, remote screen control (VNC-like functionality), and camera access.
- First Seen: Hook was announced around January 12, 2023. ERMAC predates Hook.
## MITRE ATT&CK Mapping
Not every command has been mapped to a specific technique; the following represent the likely core activities:
- **TA0001 - Initial Access**
- T1438 - Supply Chain Compromise (If installed via compromised app stores/sites)
- **TA0010 - Exfiltration**
- T1431 - Data from Local System
- **TA0006 - Credential Access**
- T1443 - Input Capture
- T1443.002 - Keylogging
- **TA0005 - Defense Evasion**
- T1447 - Overlay Settings
- **TA0011 - Command and Control**
- T1571 - Non-Standard Port (Implied by botnet structure)
## Functionality
### Core Capabilities
Both variants share 30 core commands, implemented nearly identically:
* Sending SMS messages.
* Executing overlay attacks (displaying phishing windows on top of legitimate applications).
* Extracting installed application lists, SMS messages, and accounts.
* Automated stealing of recovery seed phrases for cryptocurrency wallets (e.g., for wallets like Safepal and Exodus).
### Advanced Features (Introduced or enhanced in Hook)
Hook added 38 significant new commands compared to ERMAC:
* **Remote Control via UI Interaction:** Streaming the victim's screen and interacting with the interface, giving complete control over the infected device (likely a Remote Access Trojan (RAT) capability, referenced by the `start_vnc` command).
* **Camera Access:** Command (`takephoto`) to capture images using the victim's front-facing camera.
* **Session Theft:** Stealing cookies related to Google login sessions (`cookie` command).
* **Expanded Wallet Targeting:** Added support for stealing recovery seeds from additional cryptocurrency wallets (e.g., `safepal`, `exodus`).
* **Phishing/Overlay Control Enhancements:** Commands to dynamically add, remove, and customize views displayed over legitimate apps (`addview`, `removeview`, `addwaitview`, `removewaitview`).
## Indicators of Compromise
*Note: No specific hashes, IPs, or domains were provided in the summary text. Only command names are listed as behavioral indicators.*
- File Hashes: [Not provided in excerpt]
- File Names: [Not provided in excerpt]
- Registry Keys: [Not provided in excerpt]
- Network Indicators: [Not provided in excerpt; communication likely occurs via C2 infrastructure]
- Behavioral Indicators: Execution of commands such as `start_vnc`, `takephoto`, `cookie`, and commands interacting with specific cryptocurrency wallet applications. Phishing overlays being displayed on top of banking/other applications.
## Associated Threat Actors
* **DukeEugene:** The primary actor known for advertising and operating both ERMAC and Hook services.
## Detection Methods
- **Signature-based detection:** Potentially identifiable by unique file hashes or specific strings related to the announced commands.
- **Behavioral detection:** Monitoring for unauthorized remote UI interactions, constant attempts to start specific wallet apps, screen capture activity, or the injection of overlay windows on top of foreground applications.
- **YARA rules:** Not specified in the excerpt.
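As an added example (not code from the report or its authors), the following Python triage helper turns the behavioral indicators above into detection logic: it reads constructed analyst log lines of the assumed form `<ISO 8601 timestamp> cmd=<name>[ target=<package>]`, groups the command names this page lists into capability categories, pairs each overlay `add*` with its `remove*` to measure how long a phishing view stayed on screen, and returns a verdict that treats the Hook-specific commands as strong evidence. The log format, category names and `com.example.bank` package are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
# Command names are the page's behavioral indicators; the category grouping is this example's own.
CATEGORIES = {"start_vnc": "remote_control", "takephoto": "camera", "cookie": "session_theft",
              "safepal": "wallet_theft", "exodus": "wallet_theft", "addview": "overlay",
              "addwaitview": "overlay", "removeview": "overlay", "removewaitview": "overlay"}
OVERLAY_OPEN, OVERLAY_CLOSE = {"addview", "addwaitview"}, {"removeview", "removewaitview"}
# Assumed analyst log format (not the real C2 protocol): "<ISO 8601 ts> cmd=<name>[ target=<package>]"
LINE_RE = re.compile(r"^(?P<ts>\S+) cmd=(?P<cmd>\w+)(?: target=(?P<target>\S+))?$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # unparseable line: skipped rather than raising
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["cmd"], m["target"]

def triage(lines):
    """Return (per-category counts, completed overlay sessions, unknown command names)."""
    counts, unknown, open_overlays, sessions = Counter(), [], {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, cmd, target = parsed
        cat = CATEGORIES.get(cmd)
        if cat is None:
            unknown.append(cmd)  # outside the page's list: surface for manual review
            continue
        counts[cat] += 1
        if cmd in OVERLAY_OPEN and target:
            open_overlays[target] = ts  # phishing view placed over this package
        elif cmd in OVERLAY_CLOSE and target in open_overlays:
            sessions.append((target, (ts - open_overlays.pop(target)).total_seconds()))
    return counts, sessions, unknown

def verdict(counts):
    # start_vnc, takephoto and cookie are among the commands the page attributes to Hook
    if any(counts[c] for c in ("remote_control", "camera", "session_theft")):
        return "hook-like RAT activity"
    if counts["overlay"] or counts["wallet_theft"]:
        return "banker/overlay activity"
    return "no known indicators"

SAMPLE_LOG = [  # constructed sample lines
    "2023-01-12T10:00:01Z cmd=addwaitview target=com.example.bank",
    "2023-01-12T10:00:31Z cmd=removewaitview target=com.example.bank",
    "2023-01-12T10:01:00Z cmd=safepal",
    "2023-01-12T10:02:00Z cmd=start_vnc",
    "2023-01-12T10:02:05Z cmd=bogus",
]
```

Running `triage(SAMPLE_LOG)` reports two overlay commands, one wallet and one remote-control command, a 30-second overlay session against `com.example.bank`, and `bogus` as an unknown command to review.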
## Mitigation Strategies
- **Prevention measures:** Strict application sourcing (install only from official app stores) and restricting the permissions granted to installed applications.
- **Hardening recommendations:** Organizations and users should be wary of installing software from unverified sources, especially when advertised on forums offering exploitation tools. Monitor for unusual network activity or excessive resource utilization associated with remote access tools.
## Related Tools/Techniques
* **ERMAC:** The direct predecessor and codebase foundation for Hook.
* **RAT Capabilities:** Hook is noted as including RAT capabilities because of its screen-streaming and VNC-like functionality.