ThreatFabric’s researchers found ‘Zombinder’, a third-party darknet service that was used to bind malware payloads to legitimate Android applications.
The service binds a malicious payload to a legitimate application so that users are deceived into installing the payload along with the app they expected.
“While analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans, and targeting both Android and Windows users at the same time, in order to reach as many victims as possible”, according to ThreatFabric’s researchers.
Analysts identified an interesting campaign disguising itself as Wi-Fi authorization applications when looking into Ermac’s behavior. It was advertised on a fake, one-page website with just two buttons.
The website then offers the user a download of either the Windows or the Android version of the application, which is actually malware.
The Ermac payload was capable of keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing crypto wallet seed phrases.
“The actor used a third-party service provided on the darknet to “glue”, or bind, dropper capabilities to a legitimate application. After downloading the bound application, it will act as usual unless it shows a message stating that the app needs to be updated”, say the researchers.
If the victim accepts the update, Ermac will be installed even though the application appears to be legitimate.
New ‘Zombinder’ Platform
According to ThreatFabric, Zombinder, which first appeared in March 2022 as a malware packer for APK files, is becoming increasingly popular among threat actors.
The analysts claim to have seen a fake live football streaming app and a modified Instagram app among the other APKs utilized in this campaign. Because the functionality of the legitimate software is maintained, these apps perform as intended; Zombinder simply adds a malware loader to their code.
According to the Zombinder service provider, malicious app bundles built with it are able to evade Google Protect alarms and AVs installed on the target devices and are virtually undetectable.
ThreatFabric attributes three Windows payloads to the campaign: the Erbium stealer, the Laplas clipper, and the Aurora info-stealer. Erbium stealer, a Windows Trojan well known among cyber-criminals, is able to steal (among other data) saved passwords, credit card details, cookies from various browsers, and “cold” (offline) cryptocurrency wallet data, both from desktop applications and from browser extensions.
Laplas is a relatively new product on the darknet market: a clipper that replaces a cryptocurrency wallet address copied by the victim with one that the operator controls.
Aurora is a Golang stealer that has recently started gaining traction on underground forums. The notable feature of this particular build is its size: more than 300 MB. The size is a tactic to defeat detection by antivirus engines, as most of the file is just an “overlay” filled with zero bytes.
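The zero-byte overlay trick described above can be checked for directly, since Windows never maps the bytes that follow the last section. The following is an added example, not ThreatFabric's code: it reads a PE section table to find where mapped data ends and measures how much of the trailing overlay is zero-filled. The verdict thresholds and the constructed sample file are assumptions made for the demonstration.

```python
import struct

def overlay_stats(pe: bytes):
    """Return (overlay_offset, overlay_size, zero_fraction) for a PE image.
    The overlay is everything after the last byte referenced by a section
    header, so a loader can hide a small stealer behind hundreds of MB of
    zero padding without touching the code that actually runs."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections  # end of headers if no section has raw data
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16/+20 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = pe[end:]
    zero_fraction = overlay.count(0) / len(overlay) if overlay else 0.0
    return end, len(overlay), zero_fraction

def looks_zero_padded(pe: bytes, min_overlay=8 * 1024 * 1024, min_zero=0.95) -> bool:
    """Heuristic verdict; the thresholds are assumptions, not ThreatFabric's figures.
    Signed binaries and self-extracting installers also carry overlays, but those
    hold dense data (signatures, archives), not long runs of zero bytes."""
    _, size, zero = overlay_stats(pe)
    return size >= min_overlay and zero >= min_zero

def build_sample(overlay: bytes) -> bytes:
    """Constructed, non-executable PE layout: one 0x200-byte section at file
    offset 0x200 and no optional header, used only to exercise the parser."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # 1 section, opt hdr size 0
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI",
                                        0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + sect
    return header + b"\0" * (0x200 - len(header)) + b"\xCC" * 0x200 + overlay

if __name__ == "__main__":
    padded = build_sample(b"\0" * (16 * 1024 * 1024))
    print(overlay_stats(padded), looks_zero_padded(padded))  # (1024, 16777216, 1.0) True
```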
“Targeting multiple platforms, actors are able to reach a wider “audience” and steal more PII to utilize in further fraud”, reports ThreatFabric.
According to ThreatFabric, the wide range of trojans delivered by the same landing pages may suggest that a single third-party malware distribution service supports a number of threat actors.