Xenomorph malware has resurfaced in a new distribution campaign, with a broader target scope that now includes over 30 US banks and various financial institutions worldwide. Cybersecurity analysts at ThreatFabric recently discovered this resurgence, which relies on phishing webpages posing as Chrome updates to trick victims into downloading malicious APKs.
Initially identified in February 2022, Xenomorph is notorious for using overlays to capture personally identifiable information (PII) like usernames and passwords. What sets this malware apart is its sophisticated automated transfer system (ATS) engine, which allows for a wide range of actions and modules, making it highly adaptable.
The latest campaign has shown a geographical expansion, with a significant number of Xenomorph downloads observed in Spain and the United States. This trend reflects a larger pattern among malware families targeting new markets across the Atlantic.
In terms of technical capabilities, Xenomorph has incorporated new features such as an anti-sleep function, a “mimic” mode for evasion, and the ability to simulate touch actions. Its targets now include Spain, Portugal, Italy, Canada, Belgium, multiple US financial institutions, and cryptocurrency wallets.
An interesting development is the pairing of Xenomorph with potent desktop stealers, raising speculation about potential ties between the threat actors behind these malware variants. There’s also a possibility that Xenomorph is now being offered as a Malware-as-a-Service (MaaS) for use alongside other malicious software families.
According to a recent advisory from ThreatFabric, this resurgence highlights cyber-criminals’ ongoing efforts to maximize their profits. The technical write-up states, “Xenomorph, after months of hiatus, is back, with distribution campaigns targeting regions of historical interest for this family. It remains an extremely dangerous Android Banking malware with a versatile and powerful ATS engine supporting multiple device manufacturers.”
The advisory includes a detailed appendix with essential information for identifying infections related to the Xenomorph malware. This resurgence serves as a stark reminder of the ever-evolving landscape of cyber threats and the need for robust cybersecurity measures to combat them.