New Variant of XLoader Targets Japanese Telcos And Banks For Phishing
We obtained a new variant of XLoader via a link, http://wrssa[.]xyz, from a scam SMS message in mid-March 2020. It is a new version of XLoader that uses Blogspot and Pinterest to deliver its C&C address and phishing sites.
Back in 2018, Trend Micro published the first report about a new Android spyware named XLoader. Since then, many variants of XLoader have been detected and labeled.
The sample we got (d9adfdd2908fe30eeecb5443787d33d2dc9c4fe5c201665058261c6330af8c98) appears to be a new variant of XLoader. These are the differences we found from the old version.
In this sample, it skips the first 4 bytes of /assets/1a6ddg0/1ua96mi and uses the fifth byte as the key to XOR the remaining bytes. It then decompresses and Base64-decodes the content, which helps it evade detection.
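The decoding steps described above, written as an analyst-side unpacker for triage. This is an added example, not code from the sample or from the original report. It assumes the key sits at offset 4, the XORed data starts at offset 5, and the compression is zlib, none of which the report spells out; the test blob is constructed.

```python
import base64
import binascii
import zlib

HEADER_SKIP = 4  # leading bytes the loader ignores, per the description above


class AssetDecodeError(ValueError):
    """The blob does not follow the skip / XOR / decompress / Base64 layout."""


def decode_asset(blob: bytes) -> bytes:
    """Recover the embedded content from an asset laid out as described."""
    if len(blob) <= HEADER_SKIP + 1:
        raise AssetDecodeError("blob too short to hold header, key and data")
    key = blob[HEADER_SKIP]  # the fifth byte is the single-byte XOR key
    body = bytes(b ^ key for b in blob[HEADER_SKIP + 1:])
    try:
        # Assumption: zlib/DEFLATE. The write-up only says "decompress".
        encoded = zlib.decompress(body)
    except zlib.error as exc:
        raise AssetDecodeError(f"decompression failed: {exc}") from exc
    try:
        # Drop line breaks first; some Base64 encoders wrap their output.
        return base64.b64decode(b"".join(encoded.split()), validate=True)
    except binascii.Error as exc:
        raise AssetDecodeError(f"not valid Base64: {exc}") from exc


def build_constructed_asset(payload: bytes, key: int) -> bytes:
    """Fixture for testing decode_asset: same layout around known bytes."""
    body = zlib.compress(base64.b64encode(payload))
    header = b"\x00\x01\x02\x03"  # constructed filler for the skipped bytes
    return header + bytes([key]) + bytes(b ^ key for b in body)


if __name__ == "__main__":
    sample = build_constructed_asset(b"constructed bytes, not malware", 0x5A)
    print(decode_asset(sample))  # round-trips the constructed bytes
```

A blob that fails at the decompression step raises `AssetDecodeError`, which is the signal to revisit the zlib assumption rather than the XOR step.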
Targeted Phishing In Japan
Unlike older versions of XLoader, this sample has phishing sites that mainly target Japanese users.
XLoader samples, it hides further payload on normal websites. This time it is Pinterest. There are 3 Pinterest users containing a phishing site’s URL, each one targeting users of a different carrier in Japan.
| URL | Description | Carrier | Alert Message | Alert Message (EN) |
|---|---|---|---|---|
| | | kddi | お客様がご利用のキャリア決済が異常ログインの可能性がございます。本人認証設定で危険表示解除お願いします。 | There is a possibility that the carrier billing used by the customer is abnormal login. Please cancel the danger display in the personal authentication settings. |
| | | docomo \| ntt | お客様がキャリア決済にご登録のクレジットカードが外部によるアクセスを検知しました、セキュリティ強化更新手続きをお願いいたします。 | The credit card registered by the customer for carrier billing has detected an external access. Please update your security procedure. |
| https://www.pinterest.com/ashlynfrancis7577/ | http:// | softbank | お客様がキャリア決済にご登録のクレジットカードが外部によるアクセスを検知しました、セキュリティ強化更新手続きをお願いいたします。 | The credit card registered by the customer for carrier billing has detected an external access. Please update your security procedure. |
Furthermore, 8 Pinterest users are used to deliver different phishing site URLs depending on which apps are installed on the user’s device.
| URL | Description | APP Package ID |
|---|---|---|
At the time of our research, these links had already been reported as phishing sites and were no longer accessible. We ended up searching online to see whether any historical data existed.
We found these Pastebin pastes, uploaded on Feb 29th, 2020 at 23:34 (UTC-4); they are whois info about
Both domains were registered at the same time, 2020-03-01T03:07:55Z, with the same registrant email email@example.com[.]jp and phone number +86.15263254125 from China.
smbc.bk-securityo[.]com, there is a report on urlscan.io with a screenshot submitted on Jan 5th, 2020.
Abuse of New Social Media Accounts
In previous versions, XLoader used many social media platforms to hide its C&C address. In this sample, it uses Blogspot to deliver the encoded C&C address in the username.
These 3 Blogspot users can be used for users in different locales, but currently they all have the same encoded C&C address:
| URL | Used By Locale |
|---|---|
Once it gets the encoded C&C address from Blogspot, it first Base64-decodes it, then decrypts it with the DES algorithm (DES/CBC/PKCS5Padding) using the hardcoded key Ab5d1Q32. Finally, it creates a WebSocket connection to the C&C address.
Although this sample gets its C&C address from Blogspot by default, we discovered in the reversed code that other sites can also be used to deliver the C&C address.
Here is the list of these sources:
XLoader was named in 2018; since then it has continuously evolved its hiding methods and continued phishing attacks against different users. Users must be cautious: check the legitimacy of URL links before entering sensitive information, or confirm whether relevant announcements have been posted on the company’s website. Avoid downloading and installing apps from unknown sources.
|ws:// | wss://||