Xloader Botnet

Breanna Mangels

Aug 3, 2024, 5:01:13 PM8/3/24
to ekcatechde

"Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company Check Point said.

First spotted in the wild in October 2020, XLoader is a successor to Formbook and a cross-platform information stealer that's capable of plundering credentials from web browsers, capturing keystrokes and screenshots, and executing arbitrary commands and payloads.

More recently, the ongoing geopolitical conflict between Russia and Ukraine has proved to be lucrative fodder for distributing XLoader by means of phishing emails aimed at high-ranking government officials in Ukraine.

The latest findings from Check Point build on a previous report from Zscaler in January 2022, which revealed the inner workings of the malware's C&C (or C2) network encryption and communication protocol, noting its use of decoy servers to conceal the legitimate server and evade malware analysis systems.

"The C2 communications occur with the decoy domains and the real C2 server, including sending stolen data from the victim," the researchers explained. "Thus, there is a possibility that a backup C2 can be hidden in the decoy C2 domains and be used as a fallback communication channel in the event that the primary C2 domain is taken down."

The stealthiness comes from the fact the domain name for the real C&C server is hidden alongside a configuration containing 64 decoy domains, from which 16 domains are randomly picked, followed by replacing two of those 16 with the fake C&C address and the authentic address.

What's changed in the newer versions of XLoader is that after the selection of 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain.

Additionally, XLoader 2.5 replaces three of the domains in the created list with two decoy server addresses and the real C&C server domain. The ultimate goal is to prevent the detection of the real C&C server, based on the delays between accesses to the domains.

The fact that the malware authors have resorted to principles of probability theory to access the legitimate server once again demonstrates how threat actors constantly fine-tune their tactics to further their nefarious goals.

"These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers," Check Point researchers said.

In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the empty niche after Formbook sales were abruptly stopped by its author. We did a deep technical analysis followed by a description of XLoader for macOS along with common points and differences in how both malware families conceal the heart of the whole operation, the Command-and-Control (C&C) infrastructure. However, the world does not stand still, and this applies to the malware cyber-world as well.

The Formbook malware has not been updated for quite a long time. The latest version of this stealer is 4.1, and we already observed samples of this version as far back as 2020. This gives us reason to believe that Formbook has been discontinued.

In Formbook version 4.1, the malware developers added another level of stealth which also migrated to early versions of XLoader (up to 2.5). A domain name for the real C&C server was hidden among the 64 decoys, while the URI that was always thought to be an address of the C&C server became another decoy and could point to a legitimate website. The malware of the versions mentioned above randomly chooses 16 decoy domains, two of which are replaced with the fake C&C server address and a real C&C server address. The real C&C server is accessed after a long delay.

However, when emulating samples in a sandbox, we noticed a change. With a long emulation time, the sample accessed more than 16 domains, unlike earlier versions. This behavior forced us to put aside automated analysis tools and arm ourselves with a disassembler. We soon discovered the part of the code responsible for the detected anomaly. As in the previous versions, XLoader first creates a list of 16 domains that are randomly selected from the 64 domains stored in the configuration. After each attempt to access the selected 16 domains, the following code is executed:

Also, most of them appear only once in various configurations, making them the underdogs in our preliminary bet for the real C&C candidates. From our previous research, we remembered that the number of real C&C servers was relatively small (we found less than 100 C&C servers among 90,000 domains used by the malware), and they were reused in many of the campaigns of different XLoader customers.

We then collected IP addresses of all presumably malicious hosts and root pages from the corresponding websites. It appeared that all the domains point to a few IP address ranges, all of which belong to Namecheap. Some domains point to the same IP addresses.

As the first 8 domains are overwritten with new values after the first hit, there is a 50% chance that this domain will be overwritten. However, we think that this is the domain which points to the real C&C server.

If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name.

The malware authors once again proved their high technical skills and out-of-the-box approach. By implementing the Law of Large Numbers in the malware, they achieved two goals: not only did they disguise the real C&C servers in common sandbox emulations (which are usually short), but also kept up the effectiveness of the malware.

In the table below we provide the probabilities of the real C&C server not being accessed again within a given time-frame. We take into consideration the lowest possible probability for the server to appear in any given cycle, which is 7/64, as well as the longest possible pause between two cycles, which is 90 seconds.

We see from the table that out of one million launches, only in one case might the malware not access the real C&C server in a period of 2.5 hours. In reality, the probability of such an event is even lower, as the cycle time period can vary between 80 and 90 seconds, and the probability of the real C&C server showing up in a cycle may be higher, equal to 1/8.

Even 9 minutes are enough to fool the emulators and prevent the detection of the real C&C server, based on the delays between accesses to the domains. At the same time, the regular knockback period maintained by the malware with the help of probability theory allows it to keep victims as botnet parts without sacrificing the functionality.

On May 5, 2022, we spotted a new version of XLoader malware in the wild. The main update in XLoader v2.6 concerns the network communication. The random index of the real C&C server is now saved in the malware state structure:

However, this logic is activated only when the malware runs on an x64 system. When it runs on an x86 system, the variable real_c2_index stores the same value as is stored in the fake_c2_index. This results in the real C&C server being accessed with the same probability as any of the 63 decoys while running on an x86 system. This looks like an evasion technique, as currently a lot of sandboxes still use x86 virtual machines.

To stay in business, malware actors have to stay in the forefront of progress and invent new tricks to prolong the lives of their creations as long as possible. In the case of XLoader malware, we see a vivid example of such a process.

In July 2021, we described the method of uncovering real C&C servers among the thousands of legitimate servers abused by XLoader v.2.3. The upgraded XLoader v.2.5 introduced significant changes in this algorithm using the power of the Law of Big Numbers from probability theory. These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers. The latter indeed became more difficult, but not impossible.

A keylogger malware originally known as FormBook for Windows has transitioned into a new version known as the XLoader. This new variant now targets Mac users and dupes them to access passwords and the clipboard, and even records keystrokes and screenshots.

This malware is currently part of an underground offering as a botnet loader service and is used to recover passwords from web browsers as well as some email clients. The biggest problem with XLoader is that it is very lightweight and therefore often goes undetected on the infected device.

XLoader was primarily designed to exfiltrate data. This malware is essentially a keylogger that can record keystrokes, take screenshots, and obtain information stored inside the clipboard (copy/paste buffer). It is also capable of extracting usernames and passwords from most browsers, messengers, and email clients.

To make matters worse, the new variant of XLoader is now available as Malware-as-a-Service (MaaS) which means anyone can buy XLoader to steal information. At the time of writing, it costs around $49 to use it for macOS for one month.

To summarize, XLoader can be an extremely dangerous software that can cause multiple system infections. It can make the victims suffer huge financial losses and struggle with privacy issues and can also lead to identity theft.

The best protection against the XLoader is being wary of opening email attachments or downloading software from suspicious sources. Scanning each installation package with robust antivirus software before using it is also a helpful practice.
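The post above quotes the worst-case figures behind Check Point's table (the real C&C domain lands in a cycle with probability at least 7/64, and a cycle takes at most 90 seconds) but the table itself is not reproduced. The following is an added example, not code from the post, from Check Point or from the malware, that turns those two numbers into a sandbox-runtime calculator for analysts deciding how long an emulation must run before the real server is very likely to have been contacted. The model treats every cycle as an independent trial with those fixed parameters; that simplification, the function names and the list of time windows are my assumptions.

```python
"""Sandbox-runtime model for XLoader v2.5 C&C decoy rotation.

Constructed example: models the worst case quoted in the post (real domain
present in a cycle with probability 7/64, at most 90 s between cycles) to
estimate how long an emulation must run before the real C&C server is very
likely to have been contacted at least once.
"""

# Worst-case parameters quoted in the post (assumed constant for every cycle).
P_REAL_PER_CYCLE = 7 / 64   # lowest probability the real domain is in a cycle
MAX_CYCLE_SECONDS = 90      # longest pause between two communication cycles


def cycles_in(seconds, cycle_seconds=MAX_CYCLE_SECONDS):
    """Number of complete communication cycles that fit in a time window."""
    return int(seconds // cycle_seconds)


def miss_probability(seconds, p=P_REAL_PER_CYCLE, cycle_seconds=MAX_CYCLE_SECONDS):
    """Probability that the real C&C server is NOT contacted within the window.

    Each cycle is modelled as an independent trial, so the real server is
    missed in all n cycles with probability (1 - p) ** n.
    """
    return (1 - p) ** cycles_in(seconds, cycle_seconds)


def cycles_for_miss_probability(target, p=P_REAL_PER_CYCLE):
    """Smallest number of cycles after which the miss probability is below target."""
    n = 0
    q = 1.0
    while q >= target:
        q *= 1 - p
        n += 1
    return n


def emulation_time_for(target, p=P_REAL_PER_CYCLE, cycle_seconds=MAX_CYCLE_SECONDS):
    """Sandbox runtime in seconds needed for the miss probability to fall below target."""
    return cycles_for_miss_probability(target, p) * cycle_seconds


def miss_table(minutes_list, p=P_REAL_PER_CYCLE, cycle_seconds=MAX_CYCLE_SECONDS):
    """Rows of (minutes, cycles, miss probability) for a list of time windows."""
    return [
        (m, cycles_in(m * 60, cycle_seconds), miss_probability(m * 60, p, cycle_seconds))
        for m in minutes_list
    ]


if __name__ == "__main__":
    # Constructed set of emulation windows, in minutes.
    for minutes, n, q in miss_table([3, 9, 30, 60, 150, 180]):
        print(f"{minutes:4d} min  {n:4d} cycles  P(real C&C not contacted) = {q:.2e}")
    for target in (1e-3, 1e-6):
        secs = emulation_time_for(target)
        print(f"miss probability < {target:g} after {secs / 60:.0f} min ({secs / 3600:.2f} h)")
```

Under these worst-case inputs a 9-minute run (6 cycles) still has roughly a 50% chance of never touching the real server, which is why short automated emulations see only decoys; the calculator shows how quickly that chance collapses once the run is extended to a few hours, and can be re-run with a higher per-cycle probability such as the 1/8 the post mentions.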
