Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, September 28, 2023, 7:22 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Xenomorph Banking Trojan Morphs Again

Back in February last year, researchers at Amsterdam fraud risk firm ThreatFabric encountered a new Android banking trojan which they dubbed Xenomorph, due to its code being partially based on the earlier Alien trojan. At that time, many planned features of Xenomorph had not yet been implemented, suggesting that the malware was still in the early stages of development. However, it was still adequately functional, targeting the customers of 56 different European banks by using Accessibility Services privileges to pup up overlay templates in front of the bank app's genuine login screen, thereby capturing customer credentials. It also intercepted SMS messages and Notifications, allowing it to compromise two-factor authentication.

For this campaign, the trojan was distributed via malicious (trojan-horse) apps on the Google Play Store, but that technique has been less effective as Google has improved its detection of malware in the Play Store. Now, ThreatFabric has uncovered a new Xenomorph campaign, this time using phishing webpages to trick users into side-loading malicious .apk files, thus bypassing Google's filtering.

This new version of the banking trojan has a larger list of targets, including institutions in the US and Portugal, and is also able to target multiple crypto wallets. The ability to add new targets is based on the malware's template system; the C2 server updates a list of URL's from which the malware can fetch new overlays which can capture usernames, passwords, credit card numbers and other data. The overlays are encrypted using a combination of AES and a proprietary algorithm.

Xenomorph now also sports a wide range of modules which can manipulate the victim device when specific conditions are met, performing actions like getting admin access, setting itself as the default SMS handler and disabling Play Protect. The new variant adds some new capabilities, such as disabling the screen sleep mode, simulating a touch on a point on the screen, and launching an Activity from a legitimate service.

Investigation of the Xenomorph C2 infrastructure indicates that the same group is also targeting desktop computers with a number of other stealers.

ThreatFabric's report provides a detailed analysis, along with IOC's such as sample digests, C2 server names and a list of its targets.

ThreatFabric Research, Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted, blog post, 25 September 2023. Available online at https://www.threatfabric.com/blogs/xenomorph.

Report Provides Details of PRC Threat Actors

A new report produced by the NSA, FBI, CISA, Japan's National Police Agency and National Center of Incident Readiness and Strategy for Cybersecurity details activities by cyber actors linked to the People's Republic of China. The advisory provides the tactics, techniques and procedures of this activity, which has been termed 'BlackTech' (a.k.a. Palmerworm, Circuit Panda and Radio Panda).

BlackTech has demonstrated capabilities such as modifying router firmware without detection and exploiting the router's domain trust relationships to pivot from international subsidiaries to headquarters in Japan and the US, which are the primary targets. The group uses custom malware, dual-use tools and living-off-the-land tactics to target government, industrial, tech, media, electronics and telecomms sectors. The report's authors recommend that multinational corporations review all subsidiary connections, verify access and consider moving to zero trust architectures to limit the extent of a possible BlacTech compromise.

NSA, FBI, et. al., People's Republic of China-Linked Cyber Actors Hide in Router Firmware, cybersecurity advisory, 27 September 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a.


Upcoming Courses

  • SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
  • SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: