New Variant of XLoader Targets Japanese Telcos And Banks For Phishing

Photo by Rami Al-zayat on Unsplash

We got a new variant of XLoader via a link http://wrssa[.]xyz from scam SMS message in mid-March 2020. It is a new version of XLoader using Blogspot and Pinterest to deliver C&C address and phishing sites.

Figure 1. Screenshot of scam SMS message.

Back in 2018, Trend Micro published the first report about a new Android Spyware named XLoader. Since then, there are many variants of the XLoader sample that have been detected and labeled.

The sample we got (d9adfdd2908fe30eeecb5443787d33d2dc9c4fe5c201665058261c6330af8c98) seems like a new variant of XLoader. These are the things we found different from the old version.

Payload Encoding

In this sample, it skips the first 4 bytes in /assets/1a6ddg0/1ua96mi and uses the fifth byte as a key to XOR the remaining bytes. Then decompress and Base64 decode its content to evade detection.

Figure 1. The code snippet of decoding and decompressing payload file.
Figure 2. The code snippet of writing Base64 decoded content to file.

Targeted Phishing In Japan

Unlike other old versions of XLoader, this sample has some phishing sites majorly targeted on Japanese users.

Like other Xloader samples, it hides further payload on normal websites. This time is Pinterest. There are 3 Pinterest users containing phishing site’s URL, each one of them targeted on different carriers’ users in Japan.

Figure 3. The screenshot of one Pinterest user.

Furthermore, there are 8 Pinterest users are used to deliver different phishing site’s URL depends on what APPs installed on the user’s device.

At the time of our research, these links had been reported as phishing sites and not available to access. We end up searching online to see if there was some historical data or not.

We found these Pastebin uploaded on Feb 29th, 2020 at 23:34 (UTC-4), they are whois info about au-hha[.]com and nttdocomo-hha[.]com.

• https://pastebin.com/5yBLXbQ4
• https://pastebin.com/sKuGuG2B

Both domains are registered at the same time at 2020-03-01T03:07:55Z with the same registrant email [email protected][.]jp and phone number +86.15263254125 from China.

For smbc.bk-securityo[.]com, there is a report on urlscan.io with a screenshot submitted on Jan 5th, 2020.

Figure 4. Screenshot from https://urlscan.io/screenshots/5d2d5703-0d05-4343-b601-e7cbe66befa5.png

Abuse of New Social Media Accounts

In the previous versions, XLoader has used many social media to hide its C&C address. In this sample, it used Blogspot to deliver the encoded C&C address in the username.
Figure 5. The code snippet of default Blogspot accounts.

These 3 Blogspot users can be used by different locale’s user. But currently, they all have the same encoded C&C address: 7OlknUJ8RECnMJ0O65Ah8tZJNVjStSHG.
Figure 6. Screenshot of Blogspot user “tuyolh”
Figure 7. Screenshot of Blogspot user “tyhdaou”
Figure 8. Screenshot of Blogspot user “ajlkhadsflg”

Once it got the encoded C&C address from Blogspot, it will first be doing the Base64 decode then decrypt by DES algorithm (DES/CBC/PKCS5Padding) with hardcoded key Ab5d1Q32. In the end, creating a WebSocket connection to the C&C address.

Although this sample gets a C&C address from Blogspot by default, there are other sites can be used to deliver the C&C address we discovered in reversed code.
Figure 9. The code snippet about different source.

Here is the list of these sources:

Conclusion

Since XLoader was named in 2018, it has continuously evolved its hidden methods and continued phishing attacks against different users. Users must be cautious, pay attention to the legality of URL links before entering sensitive information, or confirm whether relevant announcements have been posted on the company’s website. Avoid downloading and installing APPs from unknown sources.

IoCs

Sample

Malicious Accounts

C&C address