Home>Blog>The Hacker News Headlines>New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers
The Hacker News Headlines

New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers

XLoader Botnet

An enhanced version of the XLoader malware has been spotted
adopting a probability-based approach to camouflage its
command-and-control (C&C) infrastructure, according to the
latest research.

“Now it is significantly harder to separate the wheat from the
chaff and discover the real C&C servers among thousands of
legitimate domains used by Xloader as a smokescreen,” Israeli
cybersecurity company Check Point said[1].

First spotted in the wild in October 2020, XLoader is a
successor to Formbook and a cross-platform information
stealer[2] that’s capable of
plundering credentials from web browsers, capturing keystrokes and
screenshots, and executing arbitrary commands and payloads.

CyberSecurity

More recently, the ongoing geopolitical conflict[3] between Russia and
Ukraine has proved to be a lucrative fodder for distributing
XLoader[4] by means of phishing emails[5]
aimed at high-ranking government officials in Ukraine.

The latest findings from Check Point build on a previous report
from Zscaler[6]
in January 2022, which revealed the inner workings of the malware’s
C&C (or C2) network encryption and communication protocol,
noting its use of decoy servers to conceal the legitimate server
and evade malware analysis systems.

XLoader Botnet

“The C2 communications occur with the decoy domains and the real
C2 server, including sending stolen data from the victim,” the
researchers explained. “Thus, there is a possibility that a backup
C2 can be hidden in the decoy C2 domains and be used as a fallback
communication channel in the event that the primary C2 domain is
taken down.”

The stealthiness comes from the fact the domain name for the
real C&C server is hidden alongside a configuration containing
64 decoy domains, from which 16 domains are randomly picked,
followed by replacing two of those 16 with the fake C&C address
and the authentic address.

CyberSecurity

What’s changed in the newer versions of XLoader is that after
the selection of 16 decoy domains from the configuration, the first
eight domains are overwritten with new random values before each
communication cycle while taking steps to skip the real domain.

Additionally, XLoader 2.5 replaces three of the domains in the
created list with two decoy server addresses and the real C&C
server domain. The ultimate goal is to prevent the detection of the
real C&C server, based on the delays between accesses to the
domains.

The fact that the malware authors have resorted to principles of
probability theory[7]
to access the legitimate server once again demonstrates how threat
actors constantly fine-tune their tactics to further their
nefarious goals.

“These modifications achieve two goals at once: each node in the
botnet maintains a steady knockback rate while fooling automated
scripts and preventing the discovery of the real C&C servers,”
Check Point researchers said.

References

  1. ^
    said
    (research.checkpoint.com)
  2. ^
    cross-platform information stealer
    (thehackernews.com)
  3. ^
    ongoing
    geopolitical conflict     (thehackernews.com)
  4. ^
    distributing XLoader
    (cert.gov.ua)
  5. ^
    phishing
    emails     (www.netskope.com)
  6. ^
    Zscaler
    (www.zscaler.com)
  7. ^
    probability theory
    (en.wikipedia.org)

Read more

Leave a Reply

Powered By Anakyst UK Work done easy Discover Great Places People Websites in Nigeria. Be Discovered and Discover Great Places People Products & Websites in Nigeria. Tell us what you need to advertise online onradio ontv and where you want to advertise and discover talented publishers and advertisers within minutes for just a fraction of the cost!JobScout | Developed By Rara Theme. Powered by WordPress.