Researchers at Cyble and BleepingComputer report an ongoing malware campaign that uses a network of over 200 domains imitating 27 brands to trick users into downloading malware for Windows and Android.
According to the Cyble report, the domains in this campaign are registered using typosquatting (lookalike names that differ from the real one by a typo, an extra token or a swapped TLD) and impersonate popular Android app stores (Google Play, APKCombo and APKPure) as well as download portals for PayPal, VidMate, Snapchat and TikTok.
Some of the domains used for this purpose are:
- payce-google[.]com - impersonates Google Wallet;
- snanpckat-apk[.]com - impersonates Snapchat;
- vidmates-app[.]com - impersonates VidMate;
- paltpal-apk[.]com - impersonates PayPal;
- m-apkpures[.]com - impersonates APKPure;
- tlktok-apk[.]link - impersonates the download portal for the TikTok app.
All of these domains serve APK files carrying ERMAC, an Android banking trojan that steals credentials for bank accounts and cryptocurrency wallets belonging to 467 targeted apps.
In addition, BleepingComputer found a larger campaign run by the same operators that distributes Windows malware. It consists of over 90 sites impersonating more than 27 popular companies in order to deliver Windows malware, steal cryptocurrency wallet recovery phrases, and push the same Android malware.
One of the malicious sites offers a download of the popular text editor Notepad++; the files it serves install the Vidar infostealer, padded out to 700 MB to hinder analysis (many sandboxes and scanners skip or time out on very large files, so a sample of that size should be inspected regardless of its bulk). Another site impersonates the Tor Project using the domain tocproject[.]com; in this case the site delivers Agent Tesla spyware and a remote access trojan (RAT).
Many of the sites target cryptocurrency wallets and their owners' seed phrases; for example, ethersmine[.]com tries to steal the visitor's Ethereum wallet seed phrase.
The attackers register multiple variants of each domain to catch as many typos as possible, so the domains listed here are only a small part of the network used in the campaign.