
Zombinder malware imitates original apps to steal data

Obanla Opeyemi

December 20, 2022 - TuxCare expert team

ThreatFabric researchers have documented Zombinder, a service that lets cybercriminals bind malicious payloads to legitimate Android apps. The bound app keeps working as the user expects while the payload steals data from the device.

To push its malware, the campaign impersonates Wi-Fi authorization portals that ostensibly help users connect to internet access points. The site then prompts the user to download a Windows or Android version of the application, which is actually malware.

According to the ThreatFabric report, the attacks use malware such as ERMAC, Erbium, Aurora, and Laplas to steal personally identifiable information, grab emails from the Gmail app, capture two-factor authentication codes, and steal seed phrases from various crypto wallets. The researchers also stated that the malware was distributed via a bogus one-page website with only two buttons.

The buttons offered downloads for Windows or Android. Clicking the latter downloaded Ermac, which can steal Gmail messages, two-factor authentication codes, and seed phrases from cryptocurrency wallets, and also works as a keylogger. Downloading the supposed Windows app instead delivered the Aurora and Erbium stealers together with the Laplas clipper.

In the Android chain, the Wi-Fi authorization app offered by the site was Ermac itself, with its malicious code obfuscated and its installation presented to the user as a browser update. Other samples were not Ermac directly: they were legitimate apps bound with Zombinder, which keep running normally while installing Ermac as a payload that targets multiple banking applications.

Such apps are disguised as modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, and others, and their package names are identical to those of the legitimate applications. Once installed, the app behaves normally until a message appears saying it needs to be updated. When the victim accepts the update, the app installs the Ermac payload.
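Because a Zombinder-bound app reuses the legitimate package name, the package name proves nothing; what a practitioner can pin is the signing certificate. The following Python script is an added example, not code from ThreatFabric or the original article. It parses the output of two real Android SDK tools, `aapt dump badging` and `apksigner verify --print-certs`, compares each signer's SHA-256 digest against a pinned allowlist, and additionally flags apps that request `android.permission.REQUEST_INSTALL_PACKAGES`, the permission an app needs before it can prompt the user to install a second APK such as a dropped payload. The allowlist digests, the second package name and all tool output below are constructed for the example; only `com.instagram.android` is a real package name, and its pinned digest here is a placeholder.

```python
"""Pin an APK's signer certificate to the one expected for its package name.

Added example: parses `aapt dump badging` and `apksigner verify --print-certs`
output. All digests and tool output in this file are constructed, not real.
"""
from __future__ import annotations

import re

# Constructed allowlist: package name -> expected signer SHA-256 digest (hex).
# In practice, record each digest from a known-good install of the app.
PINNED_SIGNERS = {
    "com.instagram.android": "11" * 32,      # placeholder, not Meta's real key
    "com.example.wifi.autoauth": "22" * 32,  # hypothetical package name
}

# Needed by an app before it can prompt to install another APK. A media
# player or Wi-Fi helper asking for it is a dropper indicator, not proof.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.M)
PERMISSION_RE = re.compile(r"^uses-permission: name='([^']+)'", re.M)
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def package_name(badging: str) -> str:
    """Package name from `aapt dump badging` output."""
    m = PACKAGE_RE.search(badging)
    if m is None:
        raise ValueError("no 'package:' line in badging output")
    return m.group(1)


def requested_permissions(badging: str) -> set[str]:
    """All uses-permission entries from `aapt dump badging` output."""
    return set(PERMISSION_RE.findall(badging))


def signer_digests(apksigner_output: str) -> list[str]:
    """All signer SHA-256 digests from `apksigner verify --print-certs`."""
    return [d.lower() for d in DIGEST_RE.findall(apksigner_output)]


def check_apk(badging: str, apksigner_output: str) -> dict:
    """Return a verdict plus findings for one APK's badging and signer output.

    Verdicts: "ok" (every signer matches the pin), "signer-mismatch",
    "unknown-package" (nothing pinned for this name) or "unsigned".
    """
    pkg = package_name(badging)
    digests = signer_digests(apksigner_output)
    expected = PINNED_SIGNERS.get(pkg)
    findings: list[str] = []
    if not digests:
        verdict = "unsigned"
    elif expected is None:
        verdict = "unknown-package"
    elif all(d == expected for d in digests):
        verdict = "ok"
    else:
        verdict = "signer-mismatch"
        findings.append(f"{pkg}: signed by {digests}, expected {expected}")
    if INSTALL_PERMISSION in requested_permissions(badging):
        findings.append(f"{pkg}: requests {INSTALL_PERMISSION} (can install a dropped APK)")
    return {"package": pkg, "verdict": verdict, "signers": digests, "findings": findings}


# Constructed tool output for a genuine build: digest matches the pin.
GOOD_BADGING = """\
package: name='com.instagram.android' versionCode='370' versionName='262.0'
sdkVersion:'23'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
"""
GOOD_SIGNER = f"""\
Signer #1 certificate DN: CN=Example Corp, O=Example, C=US
Signer #1 certificate SHA-256 digest: {'11' * 32}
Signer #1 certificate SHA-1 digest: {'11' * 20}
Signer #1 certificate MD5 digest: {'11' * 16}
"""

# Constructed output for a Zombinder-style rebuild: same package name,
# re-signed with a different key, and asking to install other packages.
BOUND_BADGING = """\
package: name='com.instagram.android' versionCode='370' versionName='262.0'
sdkVersion:'23'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
"""
BOUND_SIGNER = f"""\
Signer #1 certificate DN: CN=Android, O=Android, C=US
Signer #1 certificate SHA-256 digest: {'ab' * 32}
Signer #1 certificate SHA-1 digest: {'ab' * 20}
Signer #1 certificate MD5 digest: {'ab' * 16}
"""

if __name__ == "__main__":
    for label, badging, signer in (("genuine", GOOD_BADGING, GOOD_SIGNER),
                                   ("rebound", BOUND_BADGING, BOUND_SIGNER)):
        result = check_apk(badging, signer)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

On a real device the two inputs come from `aapt dump badging app.apk` and `apksigner verify --print-certs app.apk` run against the pulled APK; the script deliberately treats an unpinned package as "unknown-package" rather than "ok", so the allowlist has to be built before the check means anything.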

Another campaign uses Zombinder to distribute the Xenomorph banking trojan, bound to an application from a media-downloading company, with victims lured in through malicious advertisements. While the legitimate app runs normally for the unsuspecting victim, Zombinder drops and launches Xenomorph in the background.

The sources for this piece include an article in The Hacker News.
