- According to researchers, the attackers have recently begun distributing ExobotCompact/Octo to ensnare more victims.
- Besides this, researchers found evidence of the attackers also targeting desktops with the RisePro and LummaC2 stealers.
- These stealers were concealed within two files named “phoneoutsourcing.exe” and “647887023.png”; once executed, they enabled the threat actors to steal credentials from victims’ systems.
The new Xenomorph variant
Although the new sample isn’t vastly different from previous versions, it comes with some new features indicating that its authors continue to revamp the malware.
- One of these is a new ‘mimic’ feature that gives the malware the capability to act as another application.
- Another notable feature is its sophisticated and flexible Automatic Transfer System (ATS) framework, which allows funds to be transferred automatically from a compromised device to one controlled by the attackers.
- Finally, there’s a new ‘antisleep’ feature that allows malware operators to maintain prolonged engagement and communication with compromised devices.
The fact that Xenomorph is being distributed alongside stealer malware is activity that had not been observed before. This could mean that the Android malware is now being officially sold as malware-as-a-service (MaaS) to other actors, or that there is a connection between the threat actors behind each of these malware families. With the emergence of this variant, researchers anticipate more attacks in the future.