Malware Activity

"Zombinder" APK Binding Service Identified in Hybrid Malware Campaign Targeting Windows and Android

A new hybrid malware campaign has been identified targeting Android and Windows operating systems with various types of malware, including "ERMAC" (Android banking trojan), "Erbium" (desktop infostealer), "Aurora" (desktop infostealer), and "Laplas" (desktop clipper). This campaign involves "Zombinder", a third-party service found on the dark web that uses APK binding to "bind a malicious payload to a legitimate application, in order to trick victims to install it." The campaign has thousands of victims currently, with the Erbium stealer alone exfiltrating data from over 1,300 victims. Researchers noted that a portion of the malware deployments involve fraudulent websites containing malicious Wi-Fi authorization software for Windows and Android. These websites are used to "assist" users in accessing the internet and prompts the downloading of a Windows or Android version of the application. The software has the capabilities to steal seed phrases from crypto wallets and additional sensitive information. Android applications were also identified to be bound to malicious payloads, including a modified Instagram app and a live football streaming app, but the functionality of the legitimate software is not removed. When a user launches the modified application, a prompt is displayed to install a plugin on the device that allows the malware to run in the background. At this time, the campaign is primarily targeting users in Spain, Portugal, and Canada, among other countries. CTIX analysts will continue to monitor activity surrounding Zombinder and indicators of compromise (IOCs) can be viewed in ThreatFabric's report linked below.

• Bleeping Computer: Zombinder Article

• The Hacker News: Zombinder Article

• ThreatFabric: Zombinder Report

Threat Actor Activity

MuddyWater Shifts Tactics in Recent Social Engineering Campaign

The MuddyWater cyberespionage organization recently resurfaced after launching a new social engineering campaign targeting users throughout the region. MuddyWater, alternatively tracked as Static Kitten, is an Iranian-linked threat group believed to be operating on behalf of the Iran Ministry of Intelligence and Security (MOIS). Since their first observation in 2017, MuddyWater actors have often targeted critical infrastructure including telecommunications, natural gas, defense, and government organizations throughout North America, Europe, Middle East, and more. In their current campaign, MuddyWater threat actors are distributing phishing emails using a variety of social engineering lures to persuade the user to open attached documents or visit embedded links. Several observed links show traces to DropBox/OneDrive repositories and encoded HTML webpages hosting malicious content. While delivery methods of the malware vary, the deployed malware is fairly consistent throughout this campaign. The malware MuddyWater has embedded installs a new remote administration tool called Syncro. Once installed on the system, MuddyWater threat actors have remote access to the infected device and have the capabilities to conduct initial reconnaissance protocols, which could lead to further exploitation by the threat actors. CTIX continues to urge users to ensure the integrity of all email communications prior to visiting any embedded links or downloading any attachments to lessen the risk of threat actor compromise.

• Deep Instinct: MuddyWater Article

Vulnerabilities

Google Releases Emergency Patch for the 9th Chrome Zero-day Vulnerability this Year

Google released an emergency update to patch a critical zero-day vulnerability in their Chrome browser that has been exploited in-the-wild. The flaw was reported to Google by their own Threat Analysis Group (TAG). Shortly after observing exploitation attempts, the flaw was added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2022-4262, is a type confusion bug in the Google Chrome V8 JavaScript engine. Type confusion occurs when programs allocate or initialize a resource such as a pointer, object, or variable using one type but later accesses that resource using a different type that is incompatible with the original. This triggers logical errors due to the resource not having properties which are expected from it and languages without memory safety could experience out-of-bounds memory access.  This could lead to system crashes and even arbitrary code execution through exploitation. This flaw could be leveraged by threat actors to pilfer sensitive information, make changes to configurations, and create new privileged accounts from which they could mount follow-on attacks. At this time, there is currently very limited information about the technical details of the exploit or the threat actors exploiting it. This is to allow as many Chrome users as possible to patch the vulnerability before a working proof-of-concept (PoC) is published. The presence of this vulnerability on the KEV dictates that to be compliant, all Federal Civilian Executive Branch (FCEB) agencies must ensure this flaw is patched by no later than December 26, 2022. Due to Google's patching schema, Chrome browsers should automatically update when the browser is restarted. CTIX analysts recommend that all Chrome users check their browser settings to ensure they are not vulnerable to exploitation.

• The Record: CVE-2022-4262 Article

• Google: CVE-2022-4262 Advisory

• CISA: KEV Catalog