A new variant of the Xenomorph Trojan has been detected, according to a report from the Dutch cybersecurity firm ThreatFabric. The report notes an upward trend in mobile malware and singles out the Hadoken Security Group and its preferred distribution technique: droppers, Android applications whose sole purpose is to bypass the typical security measures found on official marketplaces such as the Google Play Store. This way, attackers can easily deploy malware (usually banking Trojans) on victims' devices.
Xenomorph, Hadoken's signature malware family, has been a work in progress over the past year and has generally been out of sight and out of mind in the mainstream cyber landscape, as it was only deployed in small campaigns. According to ThreatFabric, however, this is about to change very soon, as a new variant has been detected and classified as Xenomorph.C.
The new version introduces a runtime engine powered by accessibility services, which threat actors use to fully automate transfers. This means Xenomorph can automate the entire fraud chain, from infection to extraction, making it an extremely potent and dangerous Android Trojan. An ATS (Automatic Transfer System) is a set of features that attackers use to automate fraudulent transactions from infected devices: it can extract credentials and account balances, initiate transactions, obtain MFA tokens and even finalize transfers, all without human interaction. Even though banks are abandoning SMS for multi-factor authentication in favor of authenticator applications, those applications are often installed on the same infected device that is used to complete the transactions. Modern banking malware can initiate a fraudulent transaction, abuse the fact that the authenticator app lives on the same device, and still get in. Xenomorph's ATS engine handles exactly this case: it has a code collection module that is triggered when the malware launches the authenticator app.
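The same-device ATS abuse described above depends on the malware holding an accessibility-service grant. The following is an added illustration, not code from ThreatFabric's report or from the Xenomorph sample, of a client-side check a banking app could run before a sensitive action: it reads Android's `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES` setting (a real system setting, stored as a colon-separated list of flattened component names) and flags any enabled service whose package is not on a vetted allow-list. The class name, the `parseUnexpected` helper and the allow-list contents are assumptions for the example.

```java
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical in-app audit (added example, not part of the original report):
 * enumerate the accessibility services the user has switched on and report
 * those that are not on a vetted allow-list, so the app can warn the user or
 * require out-of-band confirmation before initiating a transfer.
 */
public final class AccessibilityServiceAudit {

    /** Constructed allow-list; a real deployment ships its own vetted set. */
    private static final Set<String> KNOWN_GOOD_PACKAGES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.google.android.marvin.talkback"   // TalkBack screen reader (example entry)
            )));

    private AccessibilityServiceAudit() {}

    /**
     * Returns the enabled accessibility services that are not on the allow-list.
     * Reads the same system setting the OS consults, so it reflects what is
     * actually enabled, including a service a dropper-installed app talked the
     * user into granting.
     */
    public static List<ComponentName> findUnexpectedServices(Context context) {
        String enabled = Settings.Secure.getString(
                context.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        return parseUnexpected(enabled, KNOWN_GOOD_PACKAGES);
    }

    /** Pure parsing step, kept separate so it can be unit-tested without a device. */
    static List<ComponentName> parseUnexpected(String enabledSetting, Set<String> allowedPackages) {
        List<ComponentName> unexpected = new ArrayList<>();
        if (TextUtils.isEmpty(enabledSetting)) {
            return unexpected;          // nothing enabled, nothing to flag
        }
        // Setting format: "pkg.a/pkg.a.ServiceA:pkg.b/.ServiceB"
        for (String flat : enabledSetting.split(":")) {
            ComponentName cn = ComponentName.unflattenFromString(flat.trim());
            if (cn == null) {
                continue;               // malformed entry: skip rather than crash
            }
            if (!allowedPackages.contains(cn.getPackageName())) {
                unexpected.add(cn);
            }
        }
        return unexpected;
    }

    /** Policy hook: a non-empty result means the transfer flow should step up. */
    public static boolean shouldStepUpAuthentication(Context context) {
        return !findUnexpectedServices(context).isEmpty();
    }
}
```

Call `shouldStepUpAuthentication` at the start of the transfer flow and, if it returns true, push the confirmation to a channel the device cannot complete on its own (a call-back, a second device, or a server-side hold). An on-device warning alone is weak against exactly this threat, since an accessibility-driven engine can dismiss the dialog; the check is a risk signal to feed server-side decisions, not a standalone defence.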
The engine comes with a large set of customizable options and allows attackers to build complex conditions that cover many scenarios, increasing the effectiveness of entry. The latest version of Xenomorph also adds cookie-stealer functionality, which lets a malicious actor obtain the victim's session cookie and thus gain access to the victim's web session. Put simply, malicious actors get free entry into the victim's account.
ThreatFabric also discovered target lists with more than 400 banks and financial institutions across all continents, an increase of over 6 times compared with the previous variants. This escalation of scope, together with the vast array of improvements, in effect turns Xenomorph into one of the most powerful Android malware families in circulation.