A new variant of the Xenomorph Trojan has been detected, according to a report from the Dutch cybersecurity firm ThreatFabric. The report notes an upward trend in mobile malware and singles out the Hadoken Security Group and their preferred distribution technique: droppers, Android applications whose sole purpose is to bypass the security measures found on official marketplaces such as the Google Play Store. This way, attackers can easily deploy malware (usually banking trojans) on victims' devices.
Xenomorph, Hadoken's signature malware family, has been a work in progress over the past year and has generally been out of sight and out of mind in the mainstream cyber landscape, as it was only deployed in small campaigns. However, according to ThreatFabric this is about to change very soon, as a new variant has been detected, classified as Xenomorph.C.
The new version introduces a runtime engine powered by accessibility services, which threat actors use to completely automate transfers. This means that Xenomorph is capable of automating the entire fraud chain, from infection to extraction, making it an extremely potent and dangerous Android Trojan. An ATS (Automatic Transfer System) is a set of features that attackers use to automate fraudulent transactions from infected devices. It is possible to extract credentials and account balances, initiate transactions, obtain MFA tokens and even finalize transfers, without the need for human interaction. Even though banks are abandoning SMS for multi-factor authentication in favor of authenticator applications, these applications are often installed on the same infected device that is used to complete the transactions. Modern banking malware is capable of initiating a fraudulent transaction, abusing the fact that the authenticator app is on the same device, and still getting in. Xenomorph's ATS engine is perfectly capable of handling this case, as it has a code collection module which is triggered when the malware launches the authenticator app.
The engine is equipped with a large set of customizable options and allows attackers to create complex conditions that cover many scenarios, increasing the effectiveness of entry. Xenomorph's latest version also adds a cookie stealer, which lets a malicious actor obtain the victim's session cookie and thus gain access to the victim's web session. Put simply, malicious actors have free entry into a victim's account.
ThreatFabric also discovered target lists with more than 400 banks and financial institutions across all continents, an increase of over 6 times in comparison with the previous variants. This escalation of scope and the vast array of improvements in effect turn Xenomorph into one of the most powerful Android malware families in circulation.
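Because the ATS engine described above runs on top of Android accessibility services, one practical triage step for a defender is to check which accessibility services are actually enabled on a device and flag any that are not on a known allow-list. The following is an added example written for this post, not code from ThreatFabric's report; it parses the value of the `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`), and the sample setting value, package names and allow-list are constructed for illustration.

```python
"""Triage check: report enabled Android accessibility services that are not on an
allow-list. The setting value is a colon-separated list of flattened component
names, `package/ServiceClass`, where a class starting with '.' is relative to the
package. Sample data and the allow-list below are constructed for this example."""

# Constructed sample of the setting value from a device under triage
# (the com.example.pdfviewer package is fictional).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer/.a.b.AutoService:"
    "com.android.switchaccess/com.android.switchaccess.SwitchAccessService"
)

# Illustrative allow-list of services a fleet policy expects to see enabled.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
    "com.android.switchaccess/com.android.switchaccess.SwitchAccessService",
}


def parse_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully-qualified service class) pairs,
    expanding relative class names so entries compare consistently."""
    entries = []
    for item in setting_value.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue  # skip empty fragments and malformed entries
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def unexpected_services(setting_value: str, allowed: set[str]) -> list[str]:
    """Return the flattened names of enabled services absent from the allow-list;
    each one is a candidate for manual review (sideloaded app, unknown vendor)."""
    flagged = []
    for pkg, cls in parse_services(setting_value):
        flat = f"{pkg}/{cls}"
        if flat not in allowed:
            flagged.append(flat)
    return flagged


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING, ALLOWED_SERVICES):
        print("review:", svc)
```

An enabled accessibility service from an app that has no accessibility purpose is not proof of infection, but it is the permission this class of banking Trojan depends on, so it is a reasonable first place to look.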