While investigating a new malware campaign targeting Windows and Android devices, Threat Fabric researchers discovered a dark web service called Zombinder that is used to “modify” legitimate Android apps by bundling them with a malicious payload. The Android applications were infected with the Ermac banking trojan, while three malware families were aimed at Windows systems: the Erbium and Aurora infostealers and the Laplas clipper.
According to the researchers, thousands of systems were affected during this campaign, and Erbium alone stole data from more than 1,300 victims.
The researchers came across the service while investigating the Ermac trojan, which infected victims through decoy applications. Once installed and launched, these applications prompt the user to download an update or plugin that is actually the trojan.
Ermac can do the following:
- Read keystrokes;
- Use overlays;
- Steal emails from Gmail;
- Steal 2FA codes;
- Steal seed phrases from crypto wallets.
The researchers say Zombinder is part of an even larger project used by many hacker groups to make their attacks harder to detect.