9/13/2023
Download xenomorph mantis

Hostile Downloader Masquerading As “QR Scanner” Application

MasterFred was discovered in November 2021 as an undetected new variant of the Android Banking Trojans targeting Poland and Turkey. Cyble Research Labs (CRL) published a detailed technical analysis of MasterFred after its discovery, and we have been closely monitoring the activity of evolving Banking Trojans since.

While conducting a routine threat hunting exercise, CRL came across a Twitter post in which a security researcher mentioned a MasterFred sample hosted on the open-directory malicious website hxxp://repo.had0k3ntech. The Threat Actor (TA) known as Hadoken Security (a group of malware developers) is behind the development of MasterFred, as well as Xenomorph, MaqSpy RAT, and the Gymdrop dropper.

Figure 1 – Hadoken Security Post

Based on our detailed investigation, the sample was identified as a new variant of MasterFred that uses Gymdrop to download the Xenomorph Android Banking Trojan. Various malware families use the Dropper as a Service (DaaS) model to bypass the security mechanisms implemented by the Google Play Store. In this case, the malware uses the Gymdrop dropper to fetch an advanced Android Banking Trojan onto the victim’s device.

The new MasterFred variant is missing the banking overlay HTML file that is present in the assets folder of the earlier variant, as shown below.

Figure 2 – Comparison of New and Old MasterFred variants

The new variant of MasterFred acts as a hostile downloader instead of performing banking Trojan activities itself. The TA has added an extra module that checks whether the malicious application is present on the Google Play Store and then downloads the Xenomorph malware. Our analysis indicates that the TA designed this malicious application to be hosted on the Google Play Store as a hostile downloader that distributes the Xenomorph malware.
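The comparison in Figure 2 comes down to what each build carries in its assets folder: the older variant ships a banking overlay HTML page, the downloader variant does not. Because an APK is a ZIP archive, an analyst can reproduce that check statically. The script below is an added triage example and is not code from the original post or from Cyble; the two "APKs" it inspects are constructed in memory, and the entry names (overlay_bank.html, config.json) are made up for illustration rather than taken from the real samples.

```python
"""Static triage of Android APK asset folders (added example, not from the original post).

An APK is a ZIP archive, so "what is in assets/" is a listing of archive entries.
The two APKs below are built in memory with invented file names; no real sample
is embedded.
"""
import io
import zipfile

# Asset names that commonly indicate a web overlay/injection kit in banking Trojans.
# Heuristic, not a signature: legitimate apps can also ship HTML under assets/.
OVERLAY_SUFFIXES = (".html", ".htm")


def build_apk(files: dict) -> bytes:
    """Constructed stand-in for an APK: a ZIP holding the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def asset_inventory(apk: bytes) -> dict:
    """Return {asset path: uncompressed size} for every file entry under assets/."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {
            info.filename: info.file_size
            for info in zf.infolist()
            if info.filename.startswith("assets/") and not info.is_dir()
        }


def overlay_assets(inventory: dict) -> list:
    """Asset entries that look like web overlay pages."""
    return sorted(n for n in inventory if n.lower().endswith(OVERLAY_SUFFIXES))


def compare_variants(old_apk: bytes, new_apk: bytes) -> dict:
    """Diff the asset folders of two builds and report the overlay verdict for each."""
    old, new = asset_inventory(old_apk), asset_inventory(new_apk)
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "old_overlays": overlay_assets(old),
        "new_overlays": overlay_assets(new),
    }


# Constructed samples: the paths are illustrative, not the real MasterFred asset names.
OLD_VARIANT = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035",
    "assets/overlay_bank.html": b"<html><form>login</form></html>",
    "assets/config.json": b"{}",
})
NEW_VARIANT = build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035",
    "assets/config.json": b"{}",
})

if __name__ == "__main__":
    for key, value in compare_variants(OLD_VARIANT, NEW_VARIANT).items():
        print(f"{key}: {value}")
```

Run against real files by replacing the constructed byte strings with `open(path, "rb").read()`. The absence of overlay pages is only consistent with the downloader role described above; it does not prove it, since a dropper can also fetch its overlays at runtime, so treat the result as one triage signal alongside the behavioural analysis.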