While investigating a new malware campaign targeting Android and Windows systems, researchers at ThreatFabric discovered a darknet service, dubbed Zombinder, used to embed malicious payloads in legitimate Android apps.
The campaign involved the Ermac Android banking Trojan along with desktop malware such as Erbium, Aurora stealer, and the Laplas “clipper”.
This campaign infected thousands of systems; experts reported that the Erbium stealer successfully exfiltrated data from more than 1300 victims.
While investigating Ermac’s activity, the experts spotted an interesting campaign masquerading as an application for Wi-Fi authorization. The tainted apps were distributed through a bogus website containing a single page with only two buttons. Clicking on the “Download for Android” button downloads the Ermac malware.
The Ermac variant employed in the attack has the following capabilities:
- Overlay attack to steal PII
- Keylogging
- Stealing e-mails from Gmail application
- Stealing 2FA codes
- Stealing seed phrases from several cryptocurrency wallets
Experts also observed threat actors disguising malicious apps as browser updates.
The new findings illustrate the threat actor’s continued abuse of Internet Explorer flaws such as CVE-2020-1380 and CVE-2021-26411 to drop backdoors like BLUELIGHT and Dolphin, the latter of which was disclosed by Slovak cybersecurity firm ESET late last month.
Another key tool in its arsenal is RokRat, a Windows-based remote access trojan that comes with a wide range of functions that allow it to capture screenshots, log keystrokes, and even harvest Bluetooth device information.