A New Xenomorph Campaign
Anyone familiar with the famous movie "Alien", directed by Ridley Scott in 1979, is well aware of how hard it is to get rid of the titular monsters of this franchise. Despite all the efforts from the protagonists, the monsters seem to always return.
When we discovered and named Xenomorph, in February 2022, we would never have been able to predict how similar this malware family could be to its cinematic counterpart.
Back in August 2023, ThreatFabric’s cyber fraud analysts once again came across new samples of Xenomorph.
Consistent with what was observed in previous cases, we were able to clearly identify a distribution campaign that uses phishing webpages to trick victims into installing malicious APKs. These new samples feature a larger list of targets than previous versions.
This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year.
ThreatFabric was also able to analyse an ongoing campaign, with thousands of downloads of Xenomorph in Spain and the United States.
This is not unusual as many other malware families have started expanding their area of interest across the Atlantic Ocean, including the most distributed MaaS (Malware-as-a-Service) families, such as Octo, Hydra, and Hook, and some of the most notorious privately operated families, such as Anatsa.
As a consequence of the Device Take-Over capabilities offered by these families, it is now easier than ever for criminals to move across different markets and perform fraud with little or no infrastructure required.
In this article, we cover our latest research on Xenomorph. We start from a technical point of view, then address the distribution framework used by the Threat Actors behind this campaign, its connections to other malware families, and the Windows desktop malware distributed side-by-side with it.
Xenomorph is Back Once Again
Xenomorph is a very advanced malware family, which runs the gamut from simple SMS manipulation to full device control, thanks to a very powerful Automated Transfer System (ATS) framework built on the Remote Access capabilities that accessibility service privileges provide. This malware family has been in constant evolution since its discovery in early 2022, continuously adding features over the months.
Xenomorph uses overlays as its main way to obtain Personally Identifiable Information (PII) such as usernames, passwords, credit card numbers, and much more. The control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device.
Such overlays are encrypted using a combination of an algorithm specific to Xenomorph and AES. Once decrypted, the overlays pose as login pages for the targeted applications.
Its main feature is the very flexible ATS Engine, which offers a vast quantity of actions that can be used and chained into sequences of operations, triggered when specific conditions are met. Threat Actors refer to these sets of actions as "modules" of their engine. The malware contains in its configuration a large set of modules, which mostly offer possibilities to manipulate the infected device's settings, for example by granting write permission to the malware or disabling Doze mode (a mode that conserves battery by restricting apps' access to network and CPU-intensive services).
The list of modules available in the malware's hardcoded and encrypted configuration is very similar to the previous variant of Xenomorph that we reported earlier this year. In this version, a new module was added, which is highlighted in bold in the table below:
Module name | Description
--- | ---
notificationAccess | Grant notification access
grantPermissions | Automatically grants itself all permissions required
dozeModeDisableTypeA | Disable Doze mode (Xiaomi MIUI) - version 1
dozeModeDisableTypeB | Disable Doze mode (Xiaomi MIUI) - version 2
dozeModeDisableTypeC | Disable Doze mode (Xiaomi MIUI) - version 3
dozeModeDisableTypeD | Disable Doze mode (Xiaomi MIUI) - version 4
disablePlayProtect | Disable Play Protect
xiaomiAdminAccess | Get Admin Access Xiaomi
restrictUninstall_SamsungApi29 | Stop uninstall procedure in Samsung using API 29 (Android 10)
dismissSettingsAlerts_Generic | Dismiss Settings Alerts
restrictReset_Generic | Stop device reset
restrictReset_ByContentVid_SamsungApi30 | Stop device reset in Samsung using API 30 (Android 11)
restrictUninstall_ByClassName | Stop uninstall procedure based on Class
Article link: Xenomorph is Back: New Campaigns Targeting Spain & USA
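The capabilities described above (accessibility-service-driven remote control and ATS, overlays posing as login pages, SMS manipulation, notification access, and device-admin tricks to resist uninstall or reset) all leave footprints in an app's manifest. The following static triage script is an added example and is not ThreatFabric's code or a Xenomorph artefact: it parses a decoded AndroidManifest.xml (the text form produced by an APK decoding tool such as apktool) and flags those markers. The sample manifests and the package name are constructed for the example; the permission names and the accessibility intent action are the standard Android identifiers.

```python
"""Static manifest triage for the capability markers this write-up describes.
Added example, not code from the original article. SAMPLE_MANIFEST and
BENIGN_MANIFEST are constructed inputs, not real Xenomorph samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Permission -> why it matters for an overlay/ATS banker of this kind.
PERMISSION_MARKERS = {
    OVERLAY_PERM: "overlay surface: can draw fake login pages over banking apps",
    "android.permission.RECEIVE_SMS": "SMS interception (OTP / 2FA theft)",
    "android.permission.READ_SMS": "SMS reading (OTP / 2FA theft)",
    "android.permission.SEND_SMS": "SMS manipulation",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper behaviour: can sideload a payload",
}
# Component-level permissions: <service android:permission=...> / <receiver ...>
SERVICE_MARKERS = {
    A11Y_PERM: "accessibility service: remote control / ATS engine, self-granting permissions",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access (cf. notificationAccess module)",
}
RECEIVER_MARKERS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin: resists uninstall and reset",
}


def _attr(el, local_name):
    """Read an android:* attribute, which ElementTree exposes as {namespace}name."""
    return el.get(f"{{{ANDROID_NS}}}{local_name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, matched markers and a coarse verdict (low/medium/high)."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for el in root.iter("uses-permission"):
        name = _attr(el, "name")
        if name in PERMISSION_MARKERS:
            findings[name] = PERMISSION_MARKERS[name]
    for el in root.iter("service"):
        perm = _attr(el, "permission")
        if perm in SERVICE_MARKERS:
            findings[perm] = SERVICE_MARKERS[perm]
        # An accessibility service is also recognisable by its intent-filter action,
        # even if the author omitted the BIND_ACCESSIBILITY_SERVICE permission.
        for action in el.iter("action"):
            if _attr(action, "name") == A11Y_ACTION:
                findings[A11Y_PERM] = SERVICE_MARKERS[A11Y_PERM]
    for el in root.iter("receiver"):
        perm = _attr(el, "permission")
        if perm in RECEIVER_MARKERS:
            findings[perm] = RECEIVER_MARKERS[perm]

    has_a11y = A11Y_PERM in findings
    has_overlay = OVERLAY_PERM in findings
    has_sms = any(k.endswith("_SMS") for k in findings)
    # Accessibility together with overlays or SMS access is the classic banker combination.
    if has_a11y and (has_overlay or has_sms):
        verdict = "high"
    elif has_a11y or has_overlay or has_sms:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample: the shape of a manifest with the markers discussed above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result["verdict"])
        for marker, reason in result["findings"].items():
            print("  ", marker, ":", reason)
```

Treat the output as a triage signal, not a conviction: screen readers, automation tools and some parental-control apps legitimately declare accessibility services, and a packed or dynamically loaded payload may keep these declarations out of the dropper's manifest entirely, which is exactly why the article pairs static indicators with analysis of the distribution chain.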