New features allow complete automation of the fraud process, without human interaction


A new variant of the Xenomorph Trojan has been detected, according to a report from the Dutch cybersecurity firm ThreatFabric. The report notes an upward trend in mobile malware and singles out the Hadoken Security Group for its preferred distribution technique: droppers, Android applications whose sole purpose is to slip past the security checks of official marketplaces such as the Google Play Store and deliver the real payload afterwards. In this way attackers can easily deploy malware (usually banking trojans) on victims' devices.

Xenomorph, Hadoken's signature malware family, has been a work in progress over the past year and has largely stayed out of sight of the mainstream cyber landscape, as it was deployed only in small campaigns. According to ThreatFabric, however, this is about to change: a new variant has been detected and classified as Xenomorph.C.

The new version introduces a runtime engine built on Android's accessibility services, which threat actors use to automate transfers completely. This means Xenomorph can automate the entire fraud chain, from infection to cash-out, making it an extremely potent and dangerous Android Trojan. An ATS (Automatic Transfer System) is a set of features attackers use to automate fraudulent transactions on infected devices: it can extract credentials and account balances, initiate transactions, obtain MFA tokens and even finalize transfers, all without human interaction. Although banks are abandoning SMS for multi-factor authentication in favour of authenticator apps, those apps are often installed on the same infected device that is used to complete the transaction. A modern banking trojan can initiate a fraudulent transaction, abuse the fact that the authenticator app lives on the same device, and still get in. Xenomorph's ATS engine handles exactly this case: it has a code-collection module that is triggered when the malware launches the authenticator app.
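The abuse pattern above (a sideloaded payload that obtains accessibility-service access) can be checked for on a device from the host side. The following script is an added example, not code from the original article or from ThreatFabric: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags any enabled accessibility service whose package was not installed by the Play Store. The package names, the allowlist of trusted installers and the sample command output are constructed for the example; the heuristic that "not in the third-party list means preinstalled system app" is an assumption and does not replace a proper review of the flagged apps.

```python
"""Flag enabled Android accessibility services held by sideloaded apps.

Defensive heuristic for the dropper + accessibility-abuse pattern:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
Both outputs are parsed offline; the samples below are constructed.
"""
import re

PLAY_STORE = "com.android.vending"
# Hypothetical allowlist; add an MDM or enterprise store installer if you use one.
TRUSTED_INSTALLERS = {PLAY_STORE}

# Constructed sample output of `settings get secure enabled_accessibility_services`
# (colon-separated "package/ServiceClass"; a leading dot means a relative class name).
SAMPLE_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.keyboard/.KeyboardA11yService:"
    "com.example.droppedpayload/.AccessService"
)

# Constructed sample output of `pm list packages -3 -i` (third-party apps only).
SAMPLE_PM = """package:com.example.keyboard  installer=com.android.vending
package:com.example.droppedpayload  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(setting_value):
    """Return [(package, fully_qualified_service_class), ...]; 'null'/empty -> []."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if not pkg or not cls:
            continue
        if cls.startswith("."):          # ".Foo" is shorthand for "<pkg>.Foo"
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(pm_output):
    """Map package -> installing package (None when pm reports 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def find_suspicious(setting_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Enabled accessibility services belonging to third-party apps whose
    installer is not trusted (sideloaded, or dropped by another app)."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg not in installers:
            # Assumption: absent from the -3 list means a preinstalled system app
            # (e.g. TalkBack); review those separately if the device is untrusted.
            continue
        inst = installers[pkg]
        if inst not in trusted:
            findings.append({"package": pkg, "service": cls, "installer": inst})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_SERVICES, SAMPLE_PM):
        print("SUSPICIOUS accessibility service: %(service)s "
              "(package %(package)s, installer %(installer)s)" % f)
```

On a real device replace the two sample strings with the captured command output. Apps installed through the Play Store report `installer=com.android.vending`; a payload dropped by another app typically reports that app's package name or `null`, which is what the check keys on.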

The engine comes with a large set of customizable options and lets attackers build complex conditions that cover many scenarios, increasing the success rate of the fraud. The latest version of Xenomorph also adds a cookie-stealer capability, which lets a malicious actor obtain the victim's session cookie and thereby take over the victim's web session. Because a stolen session cookie replays an already-authenticated session, neither the password nor a second factor is needed again; put simply, the attacker gets free entry into the victim's account.

ThreatFabric also discovered target lists with more than 400 banks and financial institutions across all continents, more than six times the number targeted by previous variants. This escalation of scope, together with the vast array of improvements, turns Xenomorph into one of the most powerful Android malware families in circulation.
