"'Zombinder' Service Allows Cybercriminals to Easily Add Malware to Legitimate Apps"

A newly discovered dark web service allows cybercriminals to easily add malware to legitimate applications. ThreatFabric researchers detailed "Zombinder," which was discovered while investigating several cases of threat actors employing Ermac, a type of Android banking malware. As the researchers explored further, they discovered a campaign that used a variety of malware to target Android and Windows users, including Erbium, the Aurora stealer, and the Laplas clipper.

The researchers traced the campaign back to a third-party darknet service provider dubbed Zombinder, advertised as an Application Programming Interface (API) binding service. It appears to have been launched in March 2022 and is now believed to be used by various threat actors. Those behind the service advertise it as offering a universal binder that enables malware to be bound with almost any legitimate application.

In its most recent campaign, Zombinder distributed the Xenomorph banking malware disguised as a VidMate application. The modified application is advertised on and downloaded from a malicious website that mimics the application's original website, with the victim tricked into visiting the site via malicious ads. Unlike other malicious campaigns in which the trojanized applications fail to function, the Zombinder-infected application performs as expected, so victims are completely unaware that they have been infected with malware. Although the service's primary focus is on Android applications, those behind it also provide binding for Windows applications. This article continues to discuss the researchers' findings and observations regarding Zombinder.

SiliconANGLE reports "'Zombinder' Service Allows Cybercriminals to Easily Add Malware to Legitimate Apps"