
Researchers link XLoader and FakeSpy malware families to Yanbian Gang

Trend Micro researchers believe they have spotted a connection between the XLoader and FakeSpy malware families along with possible ties to the Yanbian Gang.

Researchers suspect the two malware families are either operated by the same threat group or by affiliated operators, because both use similar code to steal user information, according to a Nov. 26 blog post.

Both have been spotted posing as the legitimate app of a major Japanese home delivery service company, and both are deployed through the same ecosystem.

Samples from both families have also been downloaded from the same malicious domain, and both families use similar methods to hide their command-and-control addresses.

“Analyzing the code structure and behavior of XLoader and FakeSpy, we were able to correlate the latter’s samples to those of the Yanbian Gang, a Chinese cybercriminal group infamous for stealing money from account holders of South Korean banks,” researchers said in the post.

Researchers also checked WHOIS records for the malicious Chinese domains that FakeSpy and XLoader share for the fake apps of the Japanese home delivery service company; both registrants list phone numbers that appear to originate from Jilin Province, which is known to be where the Yanbian Gang members are located.

“However, that is still not enough to conclude that the operators behind XLoader and FakeSpy are the same,” researchers said in The Evolution of XLoader and FakeSpy: Two Interconnected Android Malware Families report. “It could just be that two different sets of threat actors or groups are using the same service or infrastructure to deploy malware, or other plausible scenarios that are yet to be clarified.”
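The WHOIS pivot above, and the caveat that follows it, are a routine infrastructure-correlation step. The script below is an added example, not code from Trend Micro or from the report: it parses WHOIS-style records for several domains, extracts and normalises the registrant phone numbers, maps a mainland-China area code to its province, and reports whether the registrants fall in the same region and whether the domains share name servers. The domains, registrant names and phone numbers are constructed placeholders (not the real domains from the report), the area-code table is deliberately partial (only Jilin's 0431-0439 codes), and redacted or privacy-proxied records are treated as unresolved rather than as a match, which is the failure mode the quoted caveat warns about.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample WHOIS responses. Domains, names and phone numbers are
# placeholders invented for this example, not the report's real indicators.
SAMPLE_WHOIS = {
    "fake-delivery-a.example": """\
Domain Name: FAKE-DELIVERY-A.EXAMPLE
Registrant Name: Zhang San
Registrant Country: CN
Registrant Phone: +86.4331234567
Name Server: NS1.EXAMPLE-HOST.NET
""",
    "fake-delivery-b.example": """\
Domain Name: FAKE-DELIVERY-B.EXAMPLE
Registrant Name: Li Si
Registrant Country: CN
Registrant Phone: +86 433 7654321
Name Server: NS1.EXAMPLE-HOST.NET
""",
    "unrelated.example": """\
Domain Name: UNRELATED.EXAMPLE
Registrant Name: REDACTED FOR PRIVACY
Registrant Country: CN
Registrant Phone: REDACTED FOR PRIVACY
Name Server: NS1.OTHER-HOST.NET
""",
}

# Assumed partial map of mainland-China landline area codes (without the
# leading trunk 0) to provinces. Only Jilin's codes are listed here.
CN_AREA_CODES = {code: "Jilin" for code in ("431", "432", "433", "434",
                                            "435", "436", "437", "438", "439")}

REDACTED = re.compile(r"redact|privacy|withheld", re.I)


@dataclass
class RegistrantProfile:
    domain: str
    phone_national: Optional[str]   # digits after the +86 country code, or None
    region: Optional[str]           # province from the area code, "mobile", or None
    name_servers: frozenset


def parse_whois(text: str) -> dict:
    """Split 'Key: Value' lines; repeated keys (e.g. Name Server) are collected."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def normalize_cn_phone(raw: str) -> Optional[str]:
    """Return the national number for +86/0086/0-prefixed forms, else None."""
    if not raw or REDACTED.search(raw):
        return None
    digits = re.sub(r"[^\d+]", "", raw)        # drop dots, spaces, dashes
    if digits.startswith("+86"):
        national = digits[3:]
    elif digits.startswith("0086"):
        national = digits[4:]
    elif digits.startswith("0"):               # domestic trunk prefix, e.g. 0433-...
        national = digits[1:]
    else:
        return None
    return national if national.isdigit() and 9 <= len(national) <= 11 else None


def phone_region(raw: str) -> Optional[str]:
    national = normalize_cn_phone(raw)
    if national is None:
        return None
    if national.startswith("1") and len(national) == 11:
        return "mobile"                         # mobile numbers carry no area code
    return CN_AREA_CODES.get(national[:3])


def registrant_profile(domain: str, whois_text: str) -> RegistrantProfile:
    fields = parse_whois(whois_text)
    phone = (fields.get("registrant phone") or [""])[0]
    return RegistrantProfile(
        domain=domain,
        phone_national=normalize_cn_phone(phone),
        region=phone_region(phone),
        name_servers=frozenset(ns.lower() for ns in fields.get("name server", [])),
    )


def correlate(records: dict) -> dict:
    """Report registrant-region overlap and shared name servers across domains.

    A common region is reported only when every record resolves to the same
    province; redacted or mobile numbers block the conclusion instead of
    silently matching, since shared infrastructure alone does not prove a
    shared operator.
    """
    profiles = [registrant_profile(d, t) for d, t in records.items()]
    regions = {p.domain: p.region for p in profiles}
    distinct = set(regions.values())
    common = next(iter(distinct)) if len(distinct) == 1 and distinct.isdisjoint({None, "mobile"}) else None
    shared_ns = frozenset.intersection(*(p.name_servers for p in profiles)) if profiles else frozenset()
    return {
        "regions": regions,
        "common_region": common,
        "shared_name_servers": set(shared_ns),
        "unresolved": [p.domain for p in profiles if p.region is None],
    }


if __name__ == "__main__":
    print(correlate(SAMPLE_WHOIS))
```

Run stand-alone it prints the correlation for all three constructed records: the two fake delivery-app domains resolve to Jilin and share a name server, while the privacy-redacted one is listed as unresolved, so no common region is claimed for the full set.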

There have been a total of 384,748 victims of XLoader and FakeSpy attacks globally since October 2018, most of them in South Korea and Japan. Over time both malware families have undergone several changes to their attack vectors, targets, behaviors and infrastructure to improve their strategies.
