Xenomorph malware reemerged to target US banks

September 28, 2023

The notorious Xenomorph malware has ended its hiatus by unleashing a new cybercriminal operation that targets bank customers across several nations. This malicious campaign allegedly started last month, posing a significant threat to online banking security.

Based on reports, the threat actors have deployed a modified variant of the Android malware equipped with overlays for numerous crypto wallets and for more than 30 financial institutions in the United States and Portugal.

In addition, numerous phishing pages impersonating Chrome updates have driven the resurgence of Xenomorph in the threat landscape. These fraudulent pages have lured unsuspecting victims, resulting in more than 3,000 downloads in Spain and more than 100 downloads each in the United States and Portugal.

New research also uncovered evidence that the attackers are expanding their scope to desktop computers. They have employed the RisePro stealer and the LummaC2 stealer, stored within two files named “phoneoutsourcing.exe” and “647887023.png.” These malicious archives have allowed the operators to steal sensitive credentials from victims’ systems, making the impact of the campaign more severe.

The newly resurfaced Xenomorph malware closely resembles its past versions.

The latest Xenomorph malware sample has not deviated from its previous versions. However, its developers have still included distinctive features that show their commitment to its evolution. One such feature is the ‘mimic’ capability, which allows the malware to impersonate another legitimate app and conceal its malicious intent from targeted users.

Another new capability is the Automatic Transfer System (ATS) framework. This system speeds up the transfer of stolen funds from compromised devices to attacker-controlled accounts. The developers also included an anti-sleep feature in the new Xenomorph malware. This ability lets the operators keep the infected device awake and in communication with their infrastructure, potentially extending their persistence on victims’ devices.

Xenomorph’s developers are now distributing the malware alongside infostealers, which is a new behaviour for this operation. This suggests either that Xenomorph is being sold as Malware-as-a-Service (MaaS) to different threat actors, or that the actors behind these latest attacks are connected.

The cybersecurity industry should also improve its defence capabilities, since attackers constantly upgrade their infection tools to target numerous entities effectively.
