ThreatFabric researchers describe a multi-platform campaign that binds malicious payloads to legitimate apps via a darknet service called Zombinder, delivering the Android banking trojans Ermac and Xenomorph alongside Windows desktop malware (Erbium, Aurora, and Laplas) to thousands of victims. The operation uses obfuscation, spoofed app packages, and drive-by delivery through a fake Wi‑Fi authorization site, enabling cross-platform fraud and data theft across the Android and Windows ecosystems. #Zombinder #Ermac #Erbium #Laplas #Xenomorph #Aurora #ThreatFabric #HadokenSecurity #DukeEugene #VidMate
Key points
- Campaign binds malicious payloads to legitimate Android apps via Zombinder, enabling stealthy installation.
- In addition to Ermac (Android), desktop trojans Erbium, Aurora, and Laplas are deployed in the same campaign.
- The Erbium stealer campaign affected over 1,300 victims, showing a sizable impact on Windows users.
- Zombinder is a darknet service that glues droppers to legitimate apps, sometimes presenting the bound payload as an app update.
- Xenomorph banking trojan is distributed via bound apps and extended with keylogging, SOCKS proxy, and other capabilities.
- Threat actor activity shows cross-platform targeting and possible outsourcing/parallel distribution by multiple actors (potentially linked to DukeEugene).
- Threat landscape is evolving toward combined mobile/desktop campaigns with increased fraud capabilities and obfuscation to bypass defenses.
MITRE Techniques
- [T1189] Drive-by Compromise – The malicious site provides a “Download for Android” button that leads to Ermac samples. – “The ‘Download for Android’ button leads to downloading samples of Ermac.”
- [T1036] Masquerading – Apps disguised as modified versions of legitimate apps with identical package names. – “Such apps disguised as modified version of Instagram, WiFi Auto Authenticator, Football Live Streaming, etc. The package names were also the same as for legitimate applications.”
- [T1027] Obfuscated/Compressed Files and Information – Obfuscation of the malicious code used to hide payloads. – “shortly after our monitoring systems spotted several updates of the payload: … obfuscation of the malicious code.”
- [T1056.001] Keylogging – Xenomorph/Aurora campaigns include keylogging capabilities. – “Latest versions of it are enhanced with keylogging functionality, accessibility actions engine as well as SOCKS proxy feature.”
- [T1115] Clipboard Data – Laplas clipper substitutes copied wallet addresses to divert funds. – “Laplas … ability to substitute cryptocurrency wallet address copied by the victim with one controlled by actor.”
- [T1090] Proxy – Xenomorph includes a SOCKS proxy feature to route traffic. – “latest versions … enhanced with … SOCKS proxy feature.”
- [T1555.003] Credentials from Web Browsers – Stealing data from the Gmail application, mapped here as a credential-access behavior. – “Stealing e-mails from Gmail application”
Indicators of Compromise
- [SHA-256] 97cbc137f8c045cd6a6b7d828b5b97b50279c2901cc67eec121d2c6df2f576be, 9ed8f39b22b997cb0d2ee8e55336972e1a9feeb222da3c4c23ed6566f29d5a92, and 5 more hashes
- [Android Package] com.woosh.wifiautoauth, com.aufait.footballlivestream, and 1 more package
- [App name] WiFi Auto Authenticator, Live Football Stream 1.9, and 1 more app
Read more: https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html