According to the latest research, an enhanced version of malware XLoader has been found to take a probability-based approach to camouflage its command and control (C&C) infrastructure, according to the latest research.
Israeli cybersecurity firm Check Point said: “Now it’s become a smokescreen to separate the wheat from the pods and discover the real C&C servers among the thousands of legitimate domains used by Xloader as a smokescreen. make it significantly more difficult.”
First discovered in October 2020, XLLoader is a successor to Formbook and a cross-platform credential stealer capable of stealing login credentials from web browsers, capturing keystrokes and screenshots, and execute arbitrary commands and payloads.
More recently, the ongoing geopolitical conflict between Russia and Ukraine has proven to be a hotbed for the distribution of XLLoader with phishing emails aimed at high-ranking government officials in Ukraine.
The latest findings from Check Point build on an earlier report by Zscaler in January 2022, which revealed the inner workings of the communication protocol and encode ‘s C&C (or C2) network malwarenote the use of dummy servers to disguise the legitimate server and avoid system malware analysis.
“C2 communication occurs with decoy domains and real C2 servers, including sending stolen data from the victim,” the researchers explain. “Therefore, there is a possibility that a backup C2 could be hidden in decoy C2 domains and used as a backup communication channel in the event that the primary C2 domain is taken down.”
The stealth comes from the fact that the domain name for the real C&C server is hidden along with a configuration containing 64 fake domains, from which 16 are randomly selected, then replacing two of those 16. with a fake C&C address and a valid one.
What has changed in newer versions of XLLoader is that after selecting 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each communication cycle while taking steps to ignore the real domain.
Additionally, XLLoader 2.5 replaces the three domains in the generated list with two decoy server addresses and the actual C&C server domain. The ultimate goal is to prevent detection by the real C&C server, based on the latency between hits to the domains.
The fact that malware authors used principles of probability theory to gain access to a legitimate server demonstrates once again how threat actors are constantly adjusting their tactics to continue their attacks. continue their nefarious goals.
“These modifications achieve two goals at once: each node in the botnet maintains a stable retyping rate while fooling automated scripts and preventing retyping,” the Check Point researchers said. discover real C&C servers”.