
Attackers Target Windows and Android Platforms with Different Malware Families

Attackers are launching malicious campaigns to distribute multiple malware families on Windows and Android platforms. They are using a darknet platform dubbed Zombinder to bind malicious payloads to legitimate Android apps.

Zombinder: binder and dropper

ThreatFabric researchers found that Zombinder is being used as a binding service and dropper in recent campaigns. Initially, Zombinder was launched as a malware packer on APK files in March.
  • Zombinder takes modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, VidMate, and popular banking apps and embeds them with malicious code.
  • Threat actors claim that these malicious app bundles are undetectable at runtime.
  • These apps can supposedly bypass Google Protect alerts or antivirus solutions running on the target devices.

Different payloads for different platforms

The attackers are using the same landing pages to distribute a wide variety of Windows and Android malware. This indicates that a single third party is serving multiple threat actors as a malware distribution service.
  • Several malicious websites were spotted with two buttons: Download for Android or Download for Windows. On clicking, these buttons download a modified version of a legitimate app APK with obfuscated payload code.
  • After installation, the app functions normally and shows a message stating that the app needs to be updated.
  • At this point, if the victim accepts, the seemingly legitimate app installs the "update" or plugin, which is in fact highly capable malware.

The payloads

  • If the visitor clicks on Download for Android, Android malware such as Sova trojan, Xenomorph trojan, and Ermac (a new variant Ermac.C) are downloaded.
  • On clicking Download for Windows, Windows malware such as Erbium stealer, Laplas clipper, and Aurora info-stealer are downloaded.
  • The campaign resulted in thousands of victims, with Erbium stealer successfully exfiltrating data from more than 1,300 victims.

Conclusion

Zombinder is growing popular in the cybercrime community. With its approach of targeting multiple platforms without raising much suspicion, threat actors are likely to experiment with other malware strains and different platforms with its help.
Cyware Publisher