Zombinder Malware Platform
Threat actors have found a new way to spread malware and infect unsuspecting victims: a Dark Net platform named 'Zombinder.' The platform lets them bind malicious code to legitimate Android applications so the resulting packages can be distributed without raising suspicion.
The attack campaigns were discovered by cybersecurity researchers. According to their findings, the operation has impacted thousands of victims. The Erbium Stealer alone, deployed as part of the attack, has infected 1,300 devices.
Infection Vectors and Delivered Malware
The cybercriminals created a legitimate-looking website as a lure to trick users into downloading malware. The site supposedly offers an application for Wi-Fi authorization. Visitors are given two choices depending on their platform: a 'Download for Windows' button and a 'Download for Android' button. In both cases the downloaded application carries malicious code, but the threats deployed differ according to the user's system.
If the website visitors click on the 'Download for Windows' button, they may have their computers infected by the Erbium Stealer, the Laplas Clipper, or the Aurora Info-stealer. These pieces of malware are sophisticated tools used by cybercriminals to collect personal information, such as passwords, credit card numbers and bank details. The threat actors using these strains typically buy access to them from the original developers for a few hundred US dollars per month. Once inside a computer, these threats can cause significant damage.
On the other hand, the 'Download for Android' button leads to a sample of the Ermac Banking Trojan, classified by the infosec researchers as Ermac.C. This variant has many harmful functions, including overlaying applications to steal personal information, keylogging, collecting emails from Gmail applications, intercepting two-factor authentication codes, and gathering seed phrases from several cryptocurrency wallets.
The Zombinder Platform Weaponizes Legitimate Applications
The Android branch of the campaign used a Dark Net service named 'Zombinder.' The platform binds malicious APK code to otherwise legitimate Android applications. According to the experts, Zombinder was first launched in March 2022 and has since gained traction among cybercriminals. The applications distributed as part of the operation included modified versions of a football live-streaming application, the Instagram application, and others.
Using Zombinder allows attackers to preserve the original functionality of the chosen applications, making them appear far less suspicious to victims. Zombinder achieves this by injecting an obfuscated malware loader/dropper into the applications. After installation, the program functions as expected until a prompt claiming that the application needs to be updated is displayed. If the user accepts, the otherwise legitimate-looking application fetches and downloads the Ermac threat to the device.
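The dropper pattern described above (a sideloaded app that later installs a second package under the guise of an update) leaves a trace a defender can check: Android records which package installed each app, and `adb shell pm list packages -3 -i` prints that installer for every third-party package. The following triage script is an added example written for this article, not code from the researchers or from the campaign; it parses that output and flags packages that were sideloaded (no installer recorded), installed by an installer outside a trusted set, or installed by another user app, which is the chain a loader/dropper produces. The sample output and every package name in it are constructed for the example, and the set of trusted installers is an assumption to adjust per fleet.

```python
import re
from dataclasses import dataclass

# Installer identities a defender would normally accept on a managed device.
# Assumption for this example: Google Play and the stock package-installer UI.
TRUSTED_INSTALLERS = {
    "com.android.vending",
    "com.google.android.packageinstaller",
}

# `adb shell pm list packages -3 -i` prints one line per third-party package:
#   package:<name>  installer=<installer package or null>
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)")

# Constructed sample output; every package name here is hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.example.football.stream  installer=null
package:com.example.updater.service  installer=com.example.football.stream
package:com.example.notes  installer=com.android.vending
package:com.example.shop  installer=com.example.thirdpartystore
"""


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text):
    """Map each package to the installer recorded for it ('null' if none)."""
    installed_by = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installed_by[m.group("pkg")] = m.group("inst")
    return installed_by


def dropper_chains(installed_by):
    """Return (dropper, payload) pairs where one listed user app installed another."""
    return sorted(
        (inst, pkg) for pkg, inst in installed_by.items() if inst in installed_by
    )


def triage(installed_by):
    """Flag every package that did not arrive through a trusted installer."""
    findings = []
    for pkg, inst in sorted(installed_by.items()):
        if inst in TRUSTED_INSTALLERS:
            continue
        if inst == "null":
            # Sideloaded from a browser download or adb: the lure's first stage.
            reason = "sideloaded: no installer recorded"
        elif inst in installed_by:
            # A user app acting as installer is the loader/dropper behaviour.
            reason = f"installed by another user app ({inst})"
        else:
            reason = f"installed by untrusted installer ({inst})"
        findings.append(Finding(pkg, inst, reason))
    return findings


if __name__ == "__main__":
    parsed = parse_pm_output(SAMPLE_PM_OUTPUT)
    for f in triage(parsed):
        print(f"{f.package:40} {f.reason}")
    for dropper, payload in dropper_chains(parsed):
        print(f"chain: {dropper} -> {payload}")
```

On a real device, pipe the live `pm` output into `parse_pm_output` instead of the constructed sample; a (dropper, payload) pair in `dropper_chains` is the strongest signal, since a legitimate streaming or social app has no reason to act as the installer for another package.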