An enhanced version of XLoader malware has been found to adopt a feasibility-based approach to disguise its command-and-control (C&C) infrastructure, according to the latest research.
“Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers in the thousands of legitimate domains used by Xloader as a smokescreen,” the Israeli cybersecurity company Check Point said. Says.
First seen in the wild in October 2020, XLoader is the successor to Formbook and a cross-platform data thief capable of stealing certificates from web browsers, capturing keystrokes and screenshots, and executing arbitrary commands and payloads.
Most recently, the ongoing geopolitical conflict between Russia and Ukraine has proved to be a lucrative food for them. Delivering Exloader By the way Phishing email Targets of high-ranking government officials in Ukraine.
The latest searches from the checkpoint are based on previous reports Zscaler In January 2022, which revealed the internal functions of the malware’s C&C (or C2) network encryption and communication protocols, it referred to the use of decoy servers to hide legitimate servers and to avoid malware analysis systems.
“C2 communications occur with the decay domain and the original C2 server, including the sending of stolen data from the victim,” the researchers explained. “Thus, there is a possibility that a backup C2 decay may be hidden in the C2 domain and used as a fallback communication channel in case the primary C2 domain is removed.”
Privacy The domain name for the original C&C server comes from hiding with a configuration consisting of 64 decoy domains, from which 16 domains are randomly selected, then two of the 16 are replaced with fake C&C addresses and authentic addresses.
What has changed in the new version of XLoader is that after selecting 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each contact cycle while taking steps to avoid the actual domain.
Additionally, XLoader 2.5 replaces the three domains in the created list with two decoy server addresses and the original C&C server domain. The ultimate goal is to prevent detection of actual C&C servers, based on delays in domain access.
It is true that malware authors have adopted the policy Probability theory Accessing legitimate servers again shows how threat actors fine-tune their strategies to advance their nefarious goals.
“These changes serve two purposes at once: each node in the botnet maintains a constant knockback rate while fooling automated scripts and preventing the discovery of real C&C servers,” said Checkpoint researchers.
