"Zombinder" APK Binding Service Identified in Hybrid Malware Campaign Targeting Windows and Android
A new hybrid malware campaign has been identified that targets both Android and Windows with several malware families, including "ERMAC" (Android banking trojan), "Erbium" (desktop infostealer), "Aurora" (desktop infostealer), and "Laplas" (desktop clipper). The campaign involves "Zombinder", a third-party service found on the dark web that uses APK binding to "bind a malicious payload to a legitimate application, in order to trick victims to install it." The campaign currently has thousands of victims, with the Erbium stealer alone exfiltrating data from over 1,300 of them. Researchers noted that a portion of the malware deployments involve fraudulent websites offering bogus Wi-Fi authorization software for Windows and Android. These sites claim to "assist" users in getting online and prompt them to download a Windows or Android version of the application; the downloaded software is capable of stealing seed phrases from crypto wallets and other sensitive information. Android applications were also identified that had been bound to malicious payloads, including a modified Instagram app and a live football streaming app; the functionality of the legitimate software is left intact, so the victim sees nothing missing. When a user launches the modified application, a prompt asks them to install a "plugin" on the device, and that plugin is what allows the malware to run in the background. At this time, the campaign is primarily targeting users in Spain, Portugal, and Canada, among other countries. CTIX analysts will continue to monitor activity surrounding Zombinder; indicators of compromise (IOCs) can be viewed in ThreatFabric's report linked below.
- Bleeping Computer: Zombinder Article
- The Hacker News: Zombinder Article
- ThreatFabric: Zombinder Report
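As an added example (not ThreatFabric's, Ankura's, or Zombinder-derived code), the following Python script shows the kind of offline static triage a practitioner can run on a suspected bound APK before trusting it: it looks for a second APK or DEX hidden under assets/, res/raw/ or lib/ by magic bytes rather than filename, and checks the binary AndroidManifest.xml for the REQUEST_INSTALL_PACKAGES permission an app needs on Android 8 and later to launch the package installer for a sideloaded "plugin". The directories searched are an assumption about where binders stash a second stage, and the sample APK the script builds is constructed for the demonstration, not a real sample.

```python
"""Triage heuristics for a suspected 'bound' APK (example code, not Zombinder or
ThreatFabric tooling). Runs offline against a constructed sample APK built below."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"    # local file header of any zip / APK / JAR
DEX_MAGIC = b"dex\n"         # Dalvik executable header
# Assumption: directories where a binder commonly hides its second stage.
PAYLOAD_DIRS = ("assets/", "res/raw/", "lib/")
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def find_embedded_payloads(apk_bytes: bytes) -> list[str]:
    """Return zip entries under PAYLOAD_DIRS that are really DEX files or nested
    APK/JAR archives. Identification is by magic bytes, so renamed payloads still hit."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if not info.filename.startswith(PAYLOAD_DIRS):
                continue
            data = outer.read(info)
            if data.startswith(DEX_MAGIC):
                hits.append(info.filename)
            elif data.startswith(ZIP_MAGIC):
                try:
                    with zipfile.ZipFile(io.BytesIO(data)) as inner:
                        names = set(inner.namelist())
                except zipfile.BadZipFile:
                    continue
                # a nested zip that carries code or a manifest is an installable package
                if "classes.dex" in names or "AndroidManifest.xml" in names:
                    hits.append(info.filename)
    return hits


def requests_install_permission(apk_bytes: bytes) -> bool:
    """Check the binary AndroidManifest.xml for REQUEST_INSTALL_PACKAGES.
    The AXML string pool stores strings as UTF-16LE or UTF-8, so search for both
    encodings instead of parsing the whole binary XML format."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        if "AndroidManifest.xml" not in z.namelist():
            return False
        manifest = z.read("AndroidManifest.xml")
    return (INSTALL_PERM.encode("utf-16-le") in manifest
            or INSTALL_PERM.encode("utf-8") in manifest)


def triage(apk_bytes: bytes) -> dict:
    """Combine both checks: a normal-looking app that carries a second package
    AND asks for install rights matches the 'install this plugin' pattern."""
    payloads = find_embedded_payloads(apk_bytes)
    wants_install = requests_install_permission(apk_bytes)
    return {
        "embedded_payloads": payloads,
        "requests_install_packages": wants_install,
        "suspicious": bool(payloads) and wants_install,
    }


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal 'legit' APK that also hides a nested APK in
    assets/ (misnamed .bin) and a DEX in res/raw/ (misnamed .png). Not a real app;
    the manifest is a fake AXML header followed by a UTF-16LE permission string."""
    def mini_apk() -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
            z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml",
                   b"\x03\x00\x08\x00" + INSTALL_PERM.encode("utf-16-le"))
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 16)
        z.writestr("assets/fonts.bin", mini_apk())                             # nested APK
        z.writestr("res/raw/splash.png", DEX_MAGIC + b"035\x00" + b"\x00" * 16)  # bare DEX
        z.writestr("assets/readme.txt", b"nothing to see here")                # benign asset
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

A hit from this script is a triage signal, not a verdict: some legitimate apps ship optional modules as DEX assets, so the next step is to compare the APK's signing certificate against the developer's published fingerprint and to inspect what the embedded package does.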
Threat Actor Activity
MuddyWater Shifts Tactics in Recent Social Engineering Campaign
The MuddyWater cyberespionage group recently resurfaced with a new social engineering campaign targeting users across the Middle East and the surrounding region. MuddyWater, alternatively tracked as Static Kitten, is an Iran-linked threat group believed to be operating on behalf of Iran's Ministry of Intelligence and Security (MOIS). Since they were first observed in 2017, MuddyWater actors have frequently targeted critical infrastructure, including telecommunications, natural gas, defense, and government organizations throughout North America, Europe, the Middle East, and elsewhere. In the current campaign, MuddyWater threat actors are distributing phishing emails that use a variety of social engineering lures to persuade the recipient to open attached documents or visit embedded links. Several of the observed links point to Dropbox/OneDrive-hosted files and to HTML pages with encoded content that host the malicious download. While the delivery methods vary, the deployed payload is fairly consistent throughout this campaign: the embedded installer deploys Syncro, a legitimate remote monitoring and management (RMM) tool that is new to MuddyWater's toolkit. Once it is installed, MuddyWater threat actors have remote access to the infected device and can conduct initial reconnaissance, which could lead to further exploitation. CTIX continues to urge users to verify the integrity of all email communications before visiting embedded links or downloading attachments, to lessen the risk of compromise.
Google Releases Emergency Patch for the 9th Chrome Zero-day Vulnerability this Year
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.