XLoader botnet now uses probability theory to hide its servers


Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware’s operation.

XLoader is an information-stealing malware family targeting Windows and macOS. It is the successor to the well-known Windows-based info stealer Formbook, which is known to vacuum credentials from various web browsers, capture screenshots, record keystrokes, and download and execute files from attacker-controlled domains.

XLoader 2.5 and 2.6

Researchers at Check Point, who have been following the evolution of the malware, have sampled and analyzed the more recent XLoader versions 2.5 and 2.6 and spotted some critical differences compared to previous versions.

In Formbook version 4.1, the malware developers added another level of stealth, which also carried over to early versions of XLoader (up to 2.5). The domain name of the real C&C server was hidden among the 64 decoys, while the URI that had always been assumed to be the C&C address became just another decoy and could point to a legitimate website.

XLoader 2.5 introduced additional code that replaces one more domain in the list with a fixed value. Interestingly, this value does not appear anywhere else in the code and is not saved; its position in the list of 16 domains is chosen randomly. Because the first 8 domains are overwritten with new values after the first hit, there is a 50% chance that this domain will be overwritten. However, we think that this is the domain which points to the real C&C server.

The domain selection scheme is illustrated in Check Point's figure "Overwriting random domains in the list" (image not reproduced here).

According to Check Point:

“If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately every 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name,”

“The eight domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the ‘fake c2 (2)’ domain.” This disguises the real C2 servers from security analysts while keeping the impact on the malware’s operations to a minimum.

By building the Law of Large Numbers into the malware, the developers achieved two goals: the real C&C servers stay hidden during common sandbox emulations (which usually run only briefly), while over a long-lived infection the real server is still reached often enough to keep the malware effective.

In version 2.6, Check Point noticed that XLoader removed this functionality from the 64-bit version of the payload, which contacts the real C2 domain every time. In 32-bit builds, however, which are very common in the virtual-machine-hosted sandboxes used by threat analysts, XLoader keeps the new C2 obfuscation.
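To put numbers on the sandbox-evasion argument above, here is an added simulation (not Check Point's code and not the malware's) of the decoy-list scheme as described: it assumes the real C2 is one entry of the 64-domain pool, starts at a uniformly random slot of the 16-entry list, and that every cycle re-fills the first 8 slots with 8 pool entries (the 7/64 variant for the second fake C2 is simplified to 1/8). The domain names and CYCLE_SECONDS are constructed placeholders.

```python
import random

POOL_SIZE = 64      # decoy pool; assumption: the real C2 is one of the 64 entries
LIST_SIZE = 16      # domains the bot contacts in one beacon cycle
OVERWRITTEN = 8     # first half of the list is re-randomized every cycle
CYCLE_SECONDS = 85  # "approximately every 80-90 seconds" per the article
REAL_C2 = "real-c2.invalid"  # constructed placeholder, not a real indicator

def build_pool():
    """Constructed 64-entry pool: 63 made-up decoys plus the real C2."""
    return [f"decoy{i:02d}.invalid" for i in range(POOL_SIZE - 1)] + [REAL_C2]

def first_contact_cycle(cycles, rng):
    """1-based cycle in which the real C2 is first contacted, or 0 if never.

    Model (simplified from the article, an assumption): the real C2 sits at a
    uniformly random slot of the 16-entry list; before every cycle the first 8
    slots are overwritten with 8 entries sampled without replacement from the
    64-entry pool; the bot then contacts all 16 slots.
    """
    pool = build_pool()
    domains = rng.sample(pool[:-1], LIST_SIZE)   # 16 decoys to start with
    domains[rng.randrange(LIST_SIZE)] = REAL_C2  # hide the real C2 at a random slot
    for cycle in range(1, cycles + 1):
        domains[:OVERWRITTEN] = rng.sample(pool, OVERWRITTEN)
        if REAL_C2 in domains:
            return cycle
    return 0

def p_contacted_within(cycles):
    """Closed form for the same model: 1/2 (real C2 in the stable half) plus
    1/2 times P(at least one of `cycles` draws of 8-from-64 includes it)."""
    p_miss = 1 - OVERWRITTEN / POOL_SIZE  # 7/8 per cycle
    return 0.5 + 0.5 * (1 - p_miss ** cycles)

def estimate_contacted_within(cycles, runs=10000, seed=7):
    """Monte Carlo estimate of p_contacted_within() over `runs` simulated infections."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(runs) if first_contact_cycle(cycles, rng) > 0)
    return hits / runs

if __name__ == "__main__":
    # Sandbox run length vs. chance that the real C2 ever appears in the traffic.
    for minutes in (3, 10, 30, 60):
        cycles = max(1, minutes * 60 // CYCLE_SECONDS)
        print(f"{minutes:3d} min ({cycles:2d} cycles): closed form "
              f"{p_contacted_within(cycles):.3f}, simulated "
              f"{estimate_contacted_within(cycles):.3f}")
```

Running it shows that a few-minute sandbox run observes the real C2 only a little over half the time, while an infection that beacons for an hour almost always reaches it.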

Check Point Protections

Check Point provides zero-day protection across its network, cloud, user and access security solutions. Whether you’re in the cloud, the data center, or both, Check Point’s network security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth.

SandBlast Network Protections:

Trojan.WIN32.Formbook.A
Trojan.WIN32.Formbook.B
Trojan.WIN32.Formbook.C
Trojan.WIN32.Formbook.D
Trojan.WIN32.Formbook.E
Trojan.WIN32.Formbook.F
Trojan.WIN32.Formbook.G
Trojan.WIN32.Formbook.H
Trojan.WIN32.Formbook.I
Trojan.WIN32.Formbook.J
Trojan.WIN32.Formbook.K
Trojan.WIN32.Formbook.L
Trojan.WIN32.Formbook.M
Trojan.WIN32.Formbook.N
Trojan.WIN32.Formbook.O
Trojan.WIN32.Formbook.P
Trojan.WIN32.Formbook.Q
Trojan.WIN32.Formbook.R

Threat Emulation protections:

Infostealer.Win32.Formbook.C
Infostealer.Win32.Formbook.D
Infostealer.Win32.Formbook.E
Infostealer.Win32.Formbook.gl.F
Infostealer.Win32.Formbook.TC
Formbook.TC
Infostealer.Win32.XLoader.TC
XLoader.TC
Trojan.Mac.XLoader.B

Indicators of Compromise for botnet

XLoader samples


XLoader botnet C&C servers



Published June 1st, 2022 | BOTNET, Internet Security, Malware, Security Advisory, Tips

About the Author:

FirstHackersNews - Identifies Security
