New XLoader Botnet version uses new techniques to obscure its C2 servers

A new version of the XLoader botnet is implementing a new technique to obscure the Command and Control infrastructure.

Researchers from Check Point have discovered a new version of the XLoader botnet, which implements significant enhancements, such as a new technique to obscure the Command and Control infrastructure

XLoader has been observed since 2020, it is a very cheap malware strain that is based on the popular Formbook Windows malware. 

Check Point experts now state that it is significantly harder to determine the real C2 servers among thousands of legitimate domains used by the operators as a smokescreen.

The researchers pointed out that all XLoader samples have 64 domains and one URI in their configurations. XLoader and Formbook shares the same structure of configuration, the 64 domains from the malware configuration are actually decoys, used as a diverse strategy.

Starting with the Formbook version 4.1 and early versions of XLoader (up to 2.5) developers have hidden a domain name for the real C&C server among the 64 decoys, while the URI that was always thought to be an address of the C&C server became another decoy and is used to a legitimate website. The malicious code analyzed by the researchers randomly choose 16 decoy domains, two of which are replaced with the fake C&C server address and a real C&C server address. To make it harder the analysis, the real C2 server is accessed only after a long delay.

In the latest versions analyzed by Check Point, the malware first selects 16 decoy domains from the configuration, then the first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain.

What’s changed in the newer versions of XLoader is that after the selection of 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before that were selected immediately after launch.

The experts also noticed that XLoader 2.5 replaces three domains in the created list with 2 decoys and the real C&C server domain

“In July 2021, we described the method of uncovering real C&C servers among the thousands of legitimate servers abused by XLoader v.2.3. The upgraded XLoader v.2.5 introduced significant changes in this algorithm using the power of the Law of Big Numbers from probability theory.” Check Point concludes. “These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers. The latter indeed became more difficult, but not impossible.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]