New XLoader botnet variant hides C&C servers using probability theory

The new malicious botnet versions spotted by threat researchers

XLoader botnet new variants: malware finds a new method to hide the C&C servers

Malware analysts report a new variant of the XLoader botnet malware that relies on probability theory to hide its command and control servers, which makes disrupting the malicious operation more difficult.[1] Separating a particular operation and discovering the real C&C server[2] is significantly harder when the same attacker uses thousands of legitimate domains as a smokescreen.

Check Point researchers reported[3] that this lets threat actors keep using the same infrastructure without the risk of losing their nodes to blocks on identified IP addresses, and reduces the chance of being tracked and discovered that way. XLoader was first discovered in 2020; it is a successor to Formbook and a cross-platform malware used for information gathering.

This malware can gather credentials from web browsers, capture keystrokes and take screenshots, and it is capable of executing arbitrary commands and payloads. It was even used in the recent campaigns themed on the conflict between Russia and Ukraine.[4] The geopolitical situation served as a lure in phishing emails aimed at high-ranking government officials in Ukraine, and those emails delivered XLoader through malicious attachments.

The evolution of the XLoader malware

XLoader was initially based on Formbook and targeted the Windows and macOS operating systems. Wider campaigns and larger numbers of attacks started in 2021. Researchers who followed these activities collected newer samples of the malware and compared them with earlier versions, finding critical differences from the previous releases.

Camouflage of the command and control servers was already used in version 2.3, where the malware hid the real domain name in a configuration that also contained 63 decoys. The more recent variants go further: out of the 64 domains in the configuration, 8 randomly selected entries are overwritten with new values on every communication attempt.

If the real C&C domain appears in the second part of the list, it is accessed in every cycle, roughly once every 80-90 seconds. If it appears in the first part of the list, it is overwritten by another random domain name.

These eight domains are chosen randomly, and one of them can be the real one. The probability that the real C&C server is accessed in the next cycle is therefore 7/64, or about 1/8. This helps disguise the real C2 servers from security researchers and lets the malware run its operations undetected.
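To make the arithmetic concrete from the analyst's side, here is an added Python example (not code from the article or from Check Point) that models the scheme as the article describes it: in each cycle the sample contacts 8 of the 64 configured domains, one of which is the real server, and it computes how many cycles a sandbox must observe before the real C&C contact is seen with a chosen confidence. The uniform-choice model and the 85-second cycle length (the mid-point of the 80-90 seconds quoted above) are assumptions, which is why the model gives exactly 1/8 per cycle rather than the article's 7/64.

```python
import math
import random

LIST_SIZE = 64           # domains in the XLoader configuration (from the article)
CONTACTED_PER_CYCLE = 8  # domains contacted per communication cycle (from the article)
CYCLE_SECONDS = 85       # assumed mid-point of the 80-90 s cycle the article quotes


def per_cycle_hit_probability(list_size=LIST_SIZE, contacted=CONTACTED_PER_CYCLE):
    """Chance that a uniformly drawn subset of `contacted` domains out of
    `list_size` contains the single real C&C domain: contacted / list_size."""
    return contacted / list_size


def cycles_for_confidence(p, confidence):
    """Smallest n with P(real C&C seen at least once in n independent cycles)
    = 1 - (1 - p)^n >= confidence."""
    if not 0 < p < 1 or not 0 < confidence < 1:
        raise ValueError("p and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))


def observation_window_seconds(confidence, cycle_seconds=CYCLE_SECONDS):
    """Seconds a sandbox must keep the sample alive to catch the real
    C&C contact with the given confidence."""
    return cycles_for_confidence(per_cycle_hit_probability(), confidence) * cycle_seconds


def simulate_hit_rate(trials=20000, seed=1):
    """Monte Carlo check of the model: per trial, draw the 8 contacted
    positions and test whether the real domain's position is among them."""
    rng = random.Random(seed)
    real_position = rng.randrange(LIST_SIZE)  # constructed: where the real domain sits
    hits = sum(
        real_position in rng.sample(range(LIST_SIZE), CONTACTED_PER_CYCLE)
        for _ in range(trials)
    )
    return hits / trials


if __name__ == "__main__":
    p = per_cycle_hit_probability()
    print(f"per-cycle probability {p:.4f}, simulated {simulate_hit_rate():.4f}")
    for conf in (0.5, 0.9, 0.99):
        n = cycles_for_confidence(p, conf)
        print(f"{conf:.0%} confidence: {n} cycles, about {n * CYCLE_SECONDS / 60:.0f} minutes")
```

The practical point is the sandbox timeout: at 1/8 per cycle, a run of only a few cycles will usually see decoys only, and catching the real server with 90% confidence takes about 18 cycles, roughly half an hour.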

Evolving malware inner workings

The newer versions altered these particular features: the first eight domains are overwritten with new random values before each communication cycle, while the step that would reach the real domain is skipped. Version 2.5 of XLoader also replaces three domains in the generated list with decoy server addresses and the real C&C server domain. The threat actors' goal is to prevent detection of the real server.

Threat actors are constantly on the lookout for new methods and principles to evade detection, improving their tactics to further their malicious goals. These modifications fool automated scripts and prevent the discovery of the real C&C servers, so the malicious operations can keep working undetected for a while and the criminals can carry out their attacks.

These findings build on an earlier report from the Zscaler team.[5] Such investigations reveal the inner workings and communication protocols of malware operations and show how criminals deploy their malware and conceal their servers, evading malware analysis systems.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
