[MART] - Daily Diary #522 - Multiplatform XLoader Hiding C&C Addresses Using Probability

CTAS-MAT ctas-mat at appgate.com
Tue May 31 21:09:18 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/31/2022 - Diary entry #522

First disclosed in January 2021, XLoader is a botnet/information stealer. This malware is often found in e-mail spam messages, as an attachment inside a zip file or as a second-stage payload started by an Excel macro. XLoader is also offered as a malware-as-a-service platform, where unskilled attackers can rent the platform for less than $50 a month.

XLoader is a rebranding of Formbook, briefly mentioned in our Daily Diaries #438, #428, #387 and #381. Besides the additional features, XLoader has the capability of attacking both Windows and MacOS devices. To achieve this, XLoader is packed in a Java executable, through a tool named XBinder. Among its capabilities, XLoader can harvest credentials from the browser, take screenshots, monitor mouse and keystrokes, and download and execute additional payloads. This versatility makes XLoader a popular choice as a first stage for many other malware campaigns.

This month a new version of XLoader was disclosed, using a curious anti-analysis technique: to disguise the C&C server, it is camouflaged in a list of 63 decoy domains. The malware then builds a list of 8 domains chosen at random from that list and tries to access them in random order. After a few cycles, new domains are inserted in the sample list, and so on. Relying on probability makes the malware less likely to contact the real collection server while in a controlled analysis environment, while in the real world there is a 99% chance of it reaching the real C&C address within an hour of execution.
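To make the probability argument concrete, the following is an added example (not XLoader code and not from the original entry) that models the selection scheme described above and shows why a short analysis run can easily miss the real C&C. It assumes, as a simplification not stated in the entry, a candidate list of 64 domains (the 63 decoys plus the one real address), 8 distinct domains drawn uniformly per cycle, and independent cycles; how many cycles fit in an hour is not modelled.

```python
"""Model of the probabilistic C&C selection described in the diary entry.

Added example for analysts: estimates how likely a run of N cycles is to
contact the real C&C domain. Assumptions (ours, not from the entry):
- 64 candidates in total: 63 decoys + 1 real C&C;
- each cycle draws 8 distinct domains uniformly at random;
- cycles are independent of each other.
"""
import math
import random

TOTAL_DOMAINS = 64   # 63 decoys (from the entry) + 1 real C&C (assumption)
PER_CYCLE = 8        # domains contacted per cycle (from the entry)


def p_real_in_one_cycle(total=TOTAL_DOMAINS, per_cycle=PER_CYCLE):
    """Probability that one draw of `per_cycle` distinct domains contains the real one.

    Drawing k of n without replacement, each specific domain is included
    with probability k/n.
    """
    return per_cycle / total


def p_hit_within(cycles, total=TOTAL_DOMAINS, per_cycle=PER_CYCLE):
    """Probability the real C&C is contacted at least once in `cycles` cycles."""
    miss = 1.0 - p_real_in_one_cycle(total, per_cycle)
    return 1.0 - miss ** cycles


def cycles_for_confidence(confidence, total=TOTAL_DOMAINS, per_cycle=PER_CYCLE):
    """Smallest number of cycles an analyst must observe so that the real C&C
    has been contacted with probability >= `confidence`."""
    miss = 1.0 - p_real_in_one_cycle(total, per_cycle)
    return math.ceil(math.log(1.0 - confidence) / math.log(miss))


def simulate_hit_rate(cycles, runs=20000, total=TOTAL_DOMAINS,
                      per_cycle=PER_CYCLE, seed=1):
    """Monte Carlo cross-check of p_hit_within: fraction of simulated runs in
    which a sandbox observing only the first `cycles` cycles sees the real domain.
    The candidate list is modelled as indices 0..total-1 with index 0 as the
    real C&C (constructed, position is irrelevant by symmetry)."""
    rng = random.Random(seed)
    real = 0
    hits = 0
    for _ in range(runs):
        for _cycle in range(cycles):
            drawn = rng.sample(range(total), per_cycle)
            if real in drawn:
                hits += 1
                break
    return hits / runs


if __name__ == "__main__":
    for n in (1, 5, 10, 35):
        print(f"{n:2d} cycles: P(real C&C contacted) = {p_hit_within(n):.3f}")
    print("cycles needed for 99% confidence:", cycles_for_confidence(0.99))
    print("simulated hit rate after 5 cycles:", simulate_hit_rate(5))
```

Under these assumptions a single cycle touches the real domain only 1 time in 8, five cycles still miss it roughly half the time, and about 35 cycles are needed before the 99% figure is reached. The practical consequence for analysts is that a sandbox run which stops after a handful of beacons will usually log only decoys, so the run time (or the number of observed cycles) has to be chosen from this kind of estimate rather than from the first few connections.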

Using decoy domains is not a new technique, and XLoader was known to use decoy C&C addresses before, but this technique is an example of how creative threat actors can be to evade automated analysis. Security researchers need to take such techniques into account when analysing a threat, before concluding that it is offline.


Kind Regards,




Felipe Duarte Domingues
Manager, MART
Appgate

E: felipe.duarte at appgate.com

