December 20, 2022 - TuxCare expert team
ThreatFabric researchers have discovered the Zombinder service, which allows cybercriminals to easily embed malware into legitimate apps and steal data while also wreaking havoc on the device.
To push its malware, the campaign impersonates Wi-Fi authorization portals that purport to help users connect to internet access points. The site then prompts the user to download a Windows or Android version of the application, which is actually malware.
The attacks use malware such as ERMAC, Erbium, Aurora, and Laplas to steal personally identifiable information, grab emails from the Gmail app, spy on two-factor authentication codes, and steal seed phrases from various crypto wallets, according to the ThreatFabric report. The researchers also stated that the malware was distributed via a bogus one-page website with only two buttons.
The buttons provided downloads for Windows or Android. By clicking the latter, Ermac was downloaded, which is capable of stealing Gmail messages, two-factor authentication codes, and seed phrases from cryptocurrency wallets. It also functions as a keylogger. Meanwhile, downloading the ostensibly Windows app causes the Aurora and Erbium stealer malware, as well as the Laplas clipper, to be distributed.
The attack begins with a Wi-Fi authorization app that is actually Ermac, with its malicious code obfuscated and presented as a browser update. Although some of the apps were not Ermac themselves, they were legitimate apps that, while running normally, installed Ermac as a payload targeting multiple banking applications.
Apps like this are disguised as modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, and so on. The package names were also identical to those used by the legitimate applications. The app functions normally after it is downloaded. Then a message appears saying it needs to be updated. Once the victim accepts the update, the app installs the Ermac malware.
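Because the repackaged apps reuse the legitimate package names, the package name alone cannot tell them apart; the signing certificate and the installer can. The following fleet-inventory check is an added example (not ThreatFabric's or TuxCare's code): it flags any app whose package name belongs to a known publisher but whose signer fingerprint is not on the allow-list, or that was installed outside the store. The certificate bytes, the allow-list and the inventory are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded APK signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins for publisher certificates (placeholders, not real
# certificate material). A real deployment would load these from the MDM/EMM.
INSTAGRAM_CERT = b"CONSTRUCTED-CERT-instagram-publisher"
KNOWN_SIGNERS: Dict[str, Set[str]] = {
    "com.instagram.android": {fingerprint(INSTAGRAM_CERT)},
}
# Google Play's installer package name; anything else counts as a sideload here.
TRUSTED_INSTALLERS = {"com.android.vending"}

@dataclass
class InstalledApp:
    device: str
    package: str
    signer_cert: bytes          # DER bytes of the APK's signing certificate
    installer: Optional[str]    # None when installed from a browser download

def assess(app: InstalledApp) -> List[str]:
    """Return the reasons an installed app looks bound/repackaged (empty if clean)."""
    reasons = []
    expected = KNOWN_SIGNERS.get(app.package)
    if expected is not None and fingerprint(app.signer_cert) not in expected:
        reasons.append("known package name but unknown signer")
    if app.installer not in TRUSTED_INSTALLERS:
        reasons.append("installed outside the app store")
    return reasons

def triage(apps: List[InstalledApp]) -> Dict[Tuple[str, str], List[str]]:
    """Map (device, package) to findings for every app that raised at least one."""
    out = {}
    for app in apps:
        reasons = assess(app)
        if reasons:
            out[(app.device, app.package)] = reasons
    return out

# Constructed inventory: a genuine store install, a sideloaded repackage that
# reuses the genuine package name, and a sideloaded "Wi-Fi authenticator".
SAMPLE_INVENTORY = [
    InstalledApp("dev-1", "com.instagram.android", INSTAGRAM_CERT, "com.android.vending"),
    InstalledApp("dev-2", "com.instagram.android", b"CONSTRUCTED-CERT-other", None),
    InstalledApp("dev-3", "com.example.wifiauth", b"CONSTRUCTED-CERT-other", None),
]
```

Run `triage(SAMPLE_INVENTORY)` to see which devices warrant follow-up; the genuine store install on dev-1 produces no findings.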
Another campaign employs Zombinder to distribute the Xenomorph banking trojan, which is bound to an application from a media downloading company, with the victim lured in via malicious advertisements. Even though the legitimate app runs normally for the unsuspecting victim, Zombinder drops and launches Xenomorph in the background.
The sources for this piece include an article in TheHackerNews.