A New Xenomorph Campaign
Anyone familiar with the famous movie "Alien", directed by Ridley Scott in 1979, is well aware of how hard it is to get rid of the titular monsters of this franchise. Despite all the efforts from the protagonists, the monsters seem to always return.
When we discovered and named Xenomorph, in February 2022, we would never have been able to predict how similar this malware family could be to its cinematic counterpart.
Back in August 2023 ThreatFabric’s cyber fraud analysts once again came across some new samples of Xenomorph.
From what was observed in previous cases, we were able to clearly identify a distribution campaign, using phishing webpages to trick victims into installing malicious APKs, which feature a larger list of targets compared to its previous versions.
This new list adds dozens of new overlays for institutions from the United States, Portugal, and multiple crypto wallets, following a trend that has been consistent amongst all banking malware families in the last year.
ThreatFabric was also able to analyse an ongoing campaign, with thousands of downloads of Xenomorph in Spain and the United States.
This is not unusual as many other malware families have started expanding their area of interest across the Atlantic Ocean, including the most distributed MaaS (Malware-as-a-Service) families, such as Octo, Hydra, and Hook, and some of the most notorious privately operated families, such as Anatsa.
As a consequence to the Device Take-Over capabilities offered by these families, it is now easier than ever for criminals to move across different markets and perform fraud with little or no infrastructure required.
In this article, we will cover our latest research on Xenomorph, starting from a technical point of view, as well as address the distribution framework used by the Threat Actors behind this campaign, and its connections to other malware families, as well as Windows Desktop malware distributed side-by-side with it.
Xenomorph is Back Once Again
Xenomorph is a very advanced malware family, which runs the gamut from simple SMS manipulation to full device control, due to a very powerful Automated Transfer System (ATS) framework obtained via Remote Access capabilities offered by accessibility services privileges. This malware family has been in constant evolution since its discovery in early 2022, adding continuous features over the months.
Xenomorph uses overlays as its main way to obtain Personally Identifiable Information (PII) such as usernames, passwords, credit card numbers, and much more. The control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device.
Such overlays are encrypted using a combination of an algorithm specific to Xenomorph and AES. Once decrypted, the overlay poses as login pages for the targeted applications:
Its main feature is the very flexible ATS Engine, which offers a vast quantity of actions that can be used and chained into sequences of operations, triggered when specific conditions are met. Threat Actors refer to these sets of actions as "modules" of their engine. The malware contains in its configuration a large set of modules, which mostly offer possibilities to manipulate the infected device's settings, for example by granting write permission to the malware or disabling Doze mode (a mode that conserves battery by restricting apps' access to network and CPU-intensive services).
The list of modules available in the malware's hardcoded and encrypted configuration is very similar to the previous variant of Xenomorph that we reported earlier this year. In this version, a new module was added, which is highlighted in bold in the table below:
| Module name | description | |
|
notificationAccess
|
Grant notification access
|
|
|
grantPermissions
|
Automatically grants itself all permissions required
|
|
|
dozeModeDisableTypeA
|
Disable Doze mode (Xiaomi MIUI)
-
version
1
|
|
|
dozeModeDisableTypeB
|
Disable Doze mode (Xiaomi MIUI)
-
version
2
|
|
|
dozeModeDisableTypeC
|
Disable Doze mode (Xiaomi MIUI)
-
version
3
|
|
|
dozeModeDisableTypeD
|
Disable Doze mode (Xiaomi MIUI)
-
version
4
|
|
|
disablePlayProtect
|
Disable Play Protect
|
|
|
xiaomiAdminAccess
|
Get Admin Access Xiaomi
|
|
|
restrictUninstall_SamsungApi29
|
Stop uninstall procedure
in
Samsung using API
29
(Android
10
)
|
|
|
dismissSettingsAlerts_Generic
|
Dismiss Settings Alerts
|
|
|
restrictReset_Generic
|
Stop device reset
|
|
|
restrictReset_ByContentVid_SamsungApi30
|
Stop device reset
in
Samsung using API
30
(Android
11
)
|
|
|
restrictUninstall_ByClassName
|
Stop uninstall procedure based on
Class
Article Link: Xenomorph is Back: New Campaigns Targeting Spain & USA |