Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware’s operation.
XLoader botnet is an information-stealing malware targetting Windows and macOS operating systems. The upgraded malware, dubbed “XLoader,” is a successor to another well-known Windows-based info stealer called Formbook that’s known to vacuum credentials from various web browsers, capture screenshots, record keystrokes, and download and execute files from attacker-controlled domains.
XLoader 2.5 and 2.6
Researchers at Check Point, who have been following the evolution of the malware, have sampled and analyzed the more recent XLoader versions 2.5 and 2.6 and spotted some critical differences compared to previous versions.
In Formbook version 4.1, the malware developers added another level of stealth which also migrated to early versions of XLoader (up to 2.5). A domain name for the real C&C server was hidden among the 64 decoys, while the URI that was always thought to be an address of the C&C server became another decoy and could point to a legitimate website.
XLoader 2.5 introduced an additional code that replaces one more domain in the list with a fixed value. Interestingly, this value doesn’t appear anywhere else in the code and is not saved; its position in the list of 16 domains is chosen randomly. As the first 8 domains are overwritten with new values after the first hit, there is a 50% chance that this domain will be overwritten. However, we think that this is the domain which points to the real C&C server.
The domain selection scheme is as follows (overwriting random domains in the list-checkpoint):
According to checkpoint
“If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately every 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name,”
“The eight domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the “fake c2 (2)” domain.” This helps in disguising the real C2 servers from security analysts while keeping the impact on the malware’s operations at a minimum.
By implementing the Law of Large Numbers in the malware, they achieved two goals: not only did they disguise the real C&C servers in common sandbox emulations (which are usually short), but also kept up the effectiveness of the malware.
In version 2.6, Checkpoint noticed that XLoader removed this functionality from the 64-bit version of the payload, where the malware contacts the real C2 domain every time. However, in 32-bit systems, which are very common in virtual machine-hosted sandboxes used by threat analysts, XLoader maintains the new C2 obfuscation.
Check Point Protections
Check Point Provides zero day protection across Its Network, Cloud, Users and Access Security Solutions. Whether you’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth.
SandBlast Network Protections:
Trojan.WIN32.Formbook.A Trojan.WIN32.Formbook.B Trojan.WIN32.Formbook.C Trojan.WIN32.Formbook.D Trojan.WIN32.Formbook.E Trojan.WIN32.Formbook.F Trojan.WIN32.Formbook.G Trojan.WIN32.Formbook.H Trojan.WIN32.Formbook.I Trojan.WIN32.Formbook.J Trojan.WIN32.Formbook.K Trojan.WIN32.Formbook.L Trojan.WIN32.Formbook.M Trojan.WIN32.Formbook.N Trojan.WIN32.Formbook.O Trojan.WIN32.Formbook.P Trojan.WIN32.Formbook.Q Trojan.WIN32.Formbook.R
Threat Emulation protections:
Infostealer.Win32.Formbook.C Infostealer.Win32.Formbook.D Infostealer.Win32.Formbook.E Infostealer.Win32.Formbook.gl.F Infostealer.Win32.Formbook.TC Formbook.TC Infostealer.Win32.XLoader.TC XLoader.TC Trojan.Mac.XLoader.B
Indicators of Compromise for botnet
XLoader botnet C&C servers