A new variant of the Xenomorph Trojan has been detected, according to a report from the Dutch cybersecurity firm ThreatFabric. ThreatFabric notes an upward trend in mobile malware and singles out the Hadoken Security Group and its preferred distribution technique: droppers, Android applications whose sole purpose is to bypass the security checks found on official marketplaces such as the Google Play Store. In this way attackers can easily deploy malware (usually banking trojans) on victims' devices.
Xenomorph, Hadoken's signature malware family, has been a work in progress over the past year and has generally stayed out of sight of the mainstream cyber landscape, as it was only deployed in small campaigns. However, according to ThreatFabric this is about to change very soon, as a new variant, classified as Xenomorph.C, has been detected.
The new version introduces a runtime engine powered by Android accessibility services, which threat actors use to completely automate transfers. This means that Xenomorph can automate the entire fraud chain, from infection to extraction, making it an extremely potent and dangerous Android Trojan. An ATS (Automatic Transfer System) is a set of features attackers use to automate fraudulent transactions on infected devices: it can extract credentials and account balances, initiate transactions, obtain MFA tokens and even finalize transfers, without any human interaction. Even though banks are abandoning SMS for multi-factor authentication in favor of authenticator applications, those applications are often installed on the same infected device that is used to complete the transactions. Modern banking malware can initiate a fraudulent transaction, abuse the fact that the authenticator app is installed on the same device, and still get through. Xenomorph's ATS engine handles this case: it has a code-collection module which is triggered when the malware launches the authenticator app.
The engine is equipped with a large set of customizable options and allows attackers to create complex conditions covering many scenarios, increasing the effectiveness of the intrusion. Xenomorph's latest version also adds cookie-stealer functionality, which lets a malicious actor obtain the victim's session cookie and thus gain access to the victim's web session. Put simply, malicious actors have free entry into a victim's account.
ThreatFabric also discovered target lists with more than 400 banks and financial institutions across all continents, an increase of over 6 times compared with the previous variants. This escalation of scope, together with the vast array of improvements, in effect turns Xenomorph into one of the most powerful Android malware families in circulation.
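Because an ATS of this kind depends on holding an enabled Accessibility Service, one practical triage step on a device suspected of infection is to list which user-installed apps currently hold that privilege. The following is an added example, not code from ThreatFabric's report or from the malware itself; it parses constructed samples of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and the package names and allowlist are hypothetical.

```python
"""Triage check: which user-installed apps have an enabled Android Accessibility
Service? Automated-transfer malware of the kind described above needs exactly
that privilege, so an unexpected entry here deserves a closer look."""
from typing import Dict, List, Set

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (entries are package/class separated by ':'; the value is "null" when none are enabled)
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.screenreader/.ReaderService:"
    "com.example.pdfviewer/com.example.pdfviewer.AccService"
)
# Constructed sample of `adb shell pm list packages -3` (user-installed packages only)
SAMPLE_THIRD_PARTY = "package:com.example.screenreader\npackage:com.bank.app\npackage:com.example.pdfviewer\n"
# Hypothetical allowlist: accessibility apps the organisation expects on its devices
ALLOWLIST = {"com.example.screenreader"}


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> fully qualified enabled accessibility service classes."""
    services: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":  # nothing enabled on this device
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):  # short component form: expand to the full class name
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_third_party_packages(raw: str) -> Set[str]:
    """Extract package names from `pm list packages -3` output."""
    return {line[len("package:"):].strip() for line in raw.splitlines() if line.startswith("package:")}


def suspicious_accessibility_apps(enabled_raw: str, third_party_raw: str,
                                  allowlist: Set[str]) -> Dict[str, List[str]]:
    """User-installed, non-allowlisted packages that hold an enabled Accessibility Service."""
    enabled = parse_enabled_services(enabled_raw)
    third_party = parse_third_party_packages(third_party_raw)
    return {pkg: classes for pkg, classes in enabled.items()
            if pkg in third_party and pkg not in allowlist}


if __name__ == "__main__":
    for pkg, classes in suspicious_accessibility_apps(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY, ALLOWLIST).items():
        print(f"REVIEW: {pkg} has enabled accessibility service(s): {', '.join(classes)}")
```

A flagged package is only a lead: confirm what the app is and where it came from before treating it as the dropper-delivered payload.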