According to new research, an improved variant of the XLoader malware has been observed using a probability-based strategy to hide its command-and-control (C&C) infrastructure.
“It’s now substantially more difficult to separate the wheat from the chaff and find the genuine C&C servers among the thousands of valid domains utilized by XLoader as a smokescreen,” according to Check Point, an Israeli cybersecurity firm.
XLoader is a successor to Formbook, a cross-platform information stealer capable of harvesting credentials from web browsers, recording keystrokes and screenshots, and executing arbitrary commands and payloads. It was first spotted in the wild in October 2020.
More recently, the geopolitical confrontation between Russia and Ukraine has proven to be fertile ground for spreading XLoader through phishing emails aimed at high-ranking Ukrainian government officials.
The latest findings from Check Point build on a January 2022 analysis from Zscaler that disclosed the inner workings of the malware’s C&C (or C2) network encryption and communication protocol, as well as its use of decoy servers to conceal the real server and evade malware analysis tools.
The Zscaler researchers noted that “the C2 connections occur between the fake domains and the genuine C2 server, including transmitting stolen data from the victim.” “A backup C2 may therefore be buried in the decoy C2 domains and utilized as a fallback communication route in the event that the principal C2 domain is taken down,” they added.
The stealth derives from the fact that the real C&C server’s domain name is hidden alongside a configuration containing 64 decoy domains. From these, 16 are randomly chosen, and two of those 16 are then replaced with the fake C&C address and the real one.
What has changed in the new version is that, after the 16 decoy domains have been selected from the configuration, the first eight domains are overwritten with fresh random values before each communication cycle, while skipping the real domain so that it is not lost.
XLoader 2.5 also replaces three of the domains in the generated list with two decoy server addresses and the real C&C server domain. The ultimate aim is to prevent the real C&C server from being identified from the delays between accesses to the domains: because the real domain’s position in the contact order changes from cycle to cycle, its timing no longer stands out from the decoys.
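To make the selection scheme described above concrete, the following is an added example, written for this page and not Check Point’s code or the malware’s actual implementation. It is a simplified model of the procedure as the text describes it: a 64-entry decoy configuration, a 16-slot contact list with the fake and real C&C addresses swapped in, and the 2.5-style refresh that rewrites the first eight slots and then replaces three slots with two decoys and the real domain. All domain names are constructed and hypothetical, the assumption that each list holds 16 distinct domains with the real domain present exactly once is the model’s own, and the `simulate` function shows what a network observer would see in both the fixed-list and the rotating-list case: where the real C&C falls in the contact order (the delay before it is reached) and which domains appear in every cycle.

```python
import random
from collections import Counter

# Constructed sample configuration (hypothetical names, not real XLoader data):
# 64 decoy domains plus one real and one fake C&C domain, as the article describes.
DECOYS = [f"decoy{i:02d}.example" for i in range(64)]
REAL_C2 = "real-c2.example"
FAKE_C2 = "fake-c2.example"
LIST_LEN = 16


def build_initial_list(rng, decoys=DECOYS, real=REAL_C2, fake=FAKE_C2):
    """Model of the earlier scheme: pick 16 of the 64 decoys at random, then
    overwrite two of those 16 slots with the fake and the real C&C address."""
    chosen = rng.sample(decoys, LIST_LEN)
    slot_fake, slot_real = rng.sample(range(LIST_LEN), 2)
    chosen[slot_fake] = fake
    chosen[slot_real] = real
    return chosen


def refresh_list_v25(rng, current, decoys=DECOYS, real=REAL_C2):
    """Model of the 2.5 step run before each communication cycle: the first
    eight slots get fresh random decoys (never the real domain), then three
    slots are replaced with two decoy addresses and the real C&C domain.
    Model assumption (not from the article): every list holds 16 distinct
    domains and the real domain appears exactly once, so a copy carried over
    from the previous cycle is dropped before the real domain is re-placed."""
    new = list(current)
    kept = set(new[8:])
    # Fresh values for the first eight slots, distinct from the kept slots.
    new[:8] = rng.sample([d for d in decoys if d not in kept], 8)
    # Spare decoys not currently in the list, used for all replacements below.
    pool = [d for d in decoys if d not in new]
    rng.shuffle(pool)
    new = [pool.pop() if d == real else d for d in new]
    slot_d1, slot_d2, slot_real = rng.sample(range(LIST_LEN), 3)
    new[slot_d1] = pool.pop()
    new[slot_d2] = pool.pop()
    new[slot_real] = real
    return new


def simulate(cycles, seed=0, rotate=True):
    """Run `cycles` communication cycles and record what a network observer
    could see: the position of the real C&C in each cycle's contact order
    (i.e. how many decoys are contacted before it) and the set of domains
    present in every cycle. rotate=False freezes the list, as in the
    earlier scheme, for comparison."""
    rng = random.Random(seed)
    current = build_initial_list(rng)
    positions = Counter()
    persistent = None
    lists = []
    for _ in range(cycles):
        if rotate:
            current = refresh_list_v25(rng, current)
        lists.append(list(current))
        positions[current.index(REAL_C2)] += 1
        seen = set(current)
        persistent = seen if persistent is None else persistent & seen
    return {"positions": positions, "persistent": persistent, "lists": lists}


if __name__ == "__main__":
    old = simulate(200, seed=7, rotate=False)
    new = simulate(200, seed=7)
    print("fixed list : real C&C always at position", list(old["positions"])[0],
          "; domains present in every cycle:", len(old["persistent"]))
    print("2.5 model  : real C&C positions seen:", sorted(new["positions"]),
          "; domains present in every cycle:", sorted(new["persistent"]))
```

Two observations follow from running the model. With a fixed list, the real C&C sits at one position and is reached after the same delay every cycle, which is the timing signal the 2.5 changes aim to remove; under the rotating scheme its position spreads across all 16 slots. At the same time, in this model the real domain is the only one that is present in every cycle, because the first eight slots are rewritten each time and the remaining slots are eventually replaced too, so intersecting the contact lists observed over many cycles still singles it out. Whether the real malware leaks that same persistence signal depends on details the article does not give, so treat that part as a property of the model rather than of XLoader.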
The malware developers’ use of probability theory to reach the legitimate server highlights how threat actors continually fine-tune their techniques to achieve their goals.
“These changes accomplish two purposes at once: each botnet node maintains a consistent knockback rate while tricking automated scripts and preventing the detection of the genuine C&C servers,” according to Check Point researchers.