Reliability is one of the main requirements for software, and malware is no exception. If a malware product is reliable enough to exfiltrate the data from the infected systems to the operator, then such a product will be in demand. The reverse is also true; if malware is not reliable and can’t perform its job with a decent success rate, nobody would want to use it.
We were surprised to discover what we thought was an anomaly inside XLoader for Windows. This successor to Formbook, one of the most prevalent data stealers, seemed to implement a counter-intuitive solution in its execution flow. The initial research showed that XLoader seemed to put the safety of its C&C infrastructure above the reliable data exfiltration: the knockback probability to the C&C server appeared to be only 22%. As this didn’t align with the assumption of how a prevalent malware should operate, we started to dig deeper to understand the malware execution flow in greater detail.
We discovered a clever evasion technique which was intended to fool sandboxes and researchers alike. We analyzed the algorithm behind the C&C communication and can now confirm that knockback probability to the C&C server is actually 100% – with some special nuances. In this article, we describe all the steps and little details which we encountered on the way.
We also share different methods for distinguishing the real C&C server – only one out of all 64 domains – present in any given XLoader sample.
As opposed to Formbook, its successor XLoader comes without C&C panel source code and is sold only by subscription. Thus, customers don’t have the possibility to set up their own C&C servers. Instead, XLoader uses the centralized C&C infrastructure provided by the XLoader creators.
Stealth is the hallmark of both Formbook and XLoader C&C servers. The response to the XLoader check-in command can’t be distinguished from the one received from any legitimate host.
Usually, the C&C server response looks like a regular “404 Not Found” error page:
Figure 1 – XLoader C&C communication example.
The only situation where the response from the server is “200 OK” is when the server is ready to issue a command for a bot. In this case, the server responds to the check-in request with “200 OK” and the encrypted command in the response body. However, a legitimate HTTP server may also reply with “200 OK” status to an XLoader request.
This makes it really difficult to find a genuine XLoader C&C server.
A wolf in sheep’s clothing
Each XLoader and Formbook sample contains one “main” URI and a list of 64 domain names.
Previous research related to Formbook supposed that the list of 64 domains consists of randomly selected decoys, and that only the “main” URI from the configuration is used for C&C communication.
Figure 2 – Creating a list of domains for C&C communication in Formbook malware.
This assumption looks very logical given the fact that Formbook randomly chooses only 16 from the list of 64 domains to search for C&C servers. In addition, one of the selected domain names is randomly replaced with the “main” one. Thus, the probability that after a restart the malware contacts a specific domain from this list is only 23%, while the “main” domain is accessed in 100% of the cases.
The XLoader configuration has the same structure as the Formbook configuration and contains the “main” URI and the list of 64 domains. Looking into the XLoader behavior, we used to think that it works the same way.
All of these domains are registered by different individuals and companies and mostly look legitimate. Some of the domains from this list are just parked.
If we decrypt the configuration in several XLoader samples, we see that the lists of 64 domains in these samples are completely different.
URIs from XLoader Sample (MD5: fa12196c8ad6922d874c0da9d675bf79)
URIs from XLoader Sample (MD5: 0929cb78a1a4291104f61d76954e3997)
Table 1 – Comparison of configuration of 2 XLoader samples.
The facts above convince us that these 64 domains are decoys, and the “main” URI is used to contact the C&C server.
However, after collecting hundreds of XLoader samples, we found an anomaly. Some domains appear multiple times in different samples.
Table 2 – Domains that appear multiple times in different XLoader samples.
We should emphasize that every researched sample contains exactly one domain name from the list above.
The domains in this list have several things in common. All the domains were registered less than a year ago at the Namecheap registrar, and are hosted at Namecheap hosting.
If we try to open any of them in a web browser we see the same page:
Figure 3 – Supposed XLoader C&C server root page.
We have reason to believe that this list contains real C&C server addresses.
The domain names in the list above look really suspicious due to the facts we’ve noted.
However, we needed proof that the list contains the addresses of the real XLoader C&C servers.
To determine if a host is a C&C server, we need to find the C&C panel hosted in it.
As XLoader is a successor of Formbook, we assumed that their C&C panels should be similar. Therefore, we looked into the leaked Formbook C&C panel source code. From it we learned that the Formbook panel is accessed using a URI with the following format:
However, the 404 error page generated by the script differs from the 404 page generated by the HTTP server itself:
Figure 4 – Difference between the error page generated by the XLoader script (on the left side) and the HTTP server (on the right).
This feature also allows us to find active and inactive campaigns. In active campaigns, the response is generated by the script. In inactive campaigns, the response is generated by the server because the campaign folder doesn’t exist. We can assume that if an XLoader customer refuses to extend the subscription, the C&C owner removes the customer’s folder. The customer’s control over the bots will be lost in this case.
The last step is to finally prove that we found a C&C server. We need to find or guess the account name and get to the C&C panel login form. How do we do that?
We collected the nicknames of the underground forum users who contacted XLoader sellers. Then we tried to access the supposed C&C servers by the domain names from the collected list and using the known campaign IDs extracted from the XLoader samples and the collected nicknames:
After a few minutes, we saw the XLoader login form:
Figure 5 – XLoader C&C panel login page.
We also found that we could use the account name to access an open directory containing all the scripts:
Figure 6 – XLoader C&C server open directory.
One of the subfolders contains the encrypted payloads loaded to the victims:
Figure 7 – XLoader C&C server open directory.
It also appears that one server may host several independent panels under different paths.
Stealth at the expense of reliability?
Now we know that the address of the real C&C server is hidden among the decoy domains.
Looking into the behavior of the XLoader samples in sandboxes, we saw that in every launch the malware accesses 14 domains from the decoys list (as opposed to Formbook which accesses 15 domains) and one domain from the main URI, which also appeared to be a decoy. Therefore, the probability of accessing the real C&C server should be even less than 22%. Did the XLoader creators really decide to sacrifice reliability for stealth?
We were very surprised when, during a series of launches of the malware in a sandbox, we did not see communication with the real C&C server at all!
The black-box analysis in this case only confused us. Therefore, let’s look into the malware code. The part of the code that deals with the list of 64 domains is stored encrypted. This part of the code is decrypted and executed only when injected into the “explorer.exe” process.
One of the encrypted functions is responsible for choosing 16 domains from the malware configuration. Please note that this function chooses exactly 16 (not 15!) domains from the list of 64 domains.
Figure 8 – Initializing a list of 16 decoy domains in XLoader malware.
Next, XLoader generates 2 different random numbers in the range between 0 and 15. One of them is used as a position for the fake C&C domain taken from the “main” URI, and the second one is for the position of the real C&C domain in the target list. For the real C&C domain, the hard-coded index 121 was used in the researched sample:
Figure 9 – XLoader replaces two domains in the created list with another decoy and the real C&C server domain.
Before choosing the position for the real C&C server in the target list, the malware checks if the real C&C domain index is already present in the list. Finally, the position of the real C&C server in the target list is stored for further use:
Figure 10 – XLoader stores the index of a real C&C server for further use as needed.
Another encrypted function is responsible for the C&C communication.
The chosen domains from the list are sequentially passed to this function in an infinite loop. Every time the function is called, it checks if the selected domain is a real C&C domain. The first 6 attempts to connect to the real C&C server are skipped.
Figure 11 – Timing evasion delays access to the real C&C server.
Thus, XLoader randomly chooses 16 decoy domains, two of which are replaced with a fake C&C server address and the real C&C server address. The real C&C server is accessed only after a long delay. As we used a short emulation timeout in our sandbox, we didn’t see connection attempts to the real C&C server.
Thus, the domain name selection scheme for C&C lookup is as follows:
Figure 12 – Creating a list of domains for C&C communication in XLoader malware.
Determining the C&C server address in XLoader network traffic
XLoader uses delays of 5 seconds between the connection attempts. Therefore, the first connection attempt to the real C&C server occurs between 480 and 560 seconds after the malware starts.
Knowing that, we can easily determine the address of a C&C server for a sample by observing its network communication for at least 10 minutes.
Figure 13 – Determining the C&C server address in XLoader network traffic.
In the first step, we need to find the index of the skipped communication attempt. In the picture above, the index of the skipped request is 6. In the second step, we need to find the time when the communication to the C&C starts, and take the 6th request. This shows us the address of the XLoader C&C server.
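The slot-based version of the two steps above, covering both the target-list scheme (16 slots, 5-second spacing, real C&C slot silent for the first 6 passes) and the traffic-analysis method, as an added example that is not part of the original research. The host names, the 0.3 s jitter and the `synthetic_trace` generator are constructed assumptions used only to produce a test capture.

```python
"""Locate the real XLoader C&C domain in a capture of outbound HTTP requests.

Assumes, per the article: 16 target slots, 5 s between attempts, and the slot
holding the real C&C domain stays silent during the first 6 passes, so the first
real check-in lands between 480 and 560 s after start.
"""
from collections import defaultdict

SLOT_SECONDS = 5      # delay between consecutive connection attempts
SLOTS_PER_PASS = 16   # size of the target list built by the sample
SKIPPED_PASSES = 6    # passes during which the real C&C slot stays silent


def find_c2(requests):
    """requests: iterable of (seconds_since_start, host).
    Returns the host seen in the one slot that is empty during the first
    SKIPPED_PASSES passes and populated afterwards; None if the capture is
    too short or the pattern is ambiguous."""
    seen = defaultdict(dict)              # pass_no -> {slot: host}
    for t, host in requests:
        slot_no = round(t / SLOT_SECONDS)  # absolute slot since start
        seen[slot_no // SLOTS_PER_PASS][slot_no % SLOTS_PER_PASS] = host
    early = set()
    for p in range(SKIPPED_PASSES):
        early |= set(seen.get(p, {}))
    silent = set(range(SLOTS_PER_PASS)) - early
    if len(silent) != 1:
        return None
    return seen.get(SKIPPED_PASSES, {}).get(silent.pop())


def synthetic_trace(decoys, real_host, real_slot, passes=7):
    """Constructed capture (not real traffic) matching the timing the article
    describes: 15 decoys plus the real host fill 16 slots, and the real slot
    produces no request during the first SKIPPED_PASSES passes."""
    targets = list(decoys)
    targets.insert(real_slot, real_host)
    assert len(targets) == SLOTS_PER_PASS
    trace = []
    for p in range(passes):
        for s, host in enumerate(targets):
            if host == real_host and p < SKIPPED_PASSES:
                continue                   # silent slot, delay still elapses
            t = (p * SLOTS_PER_PASS + s) * SLOT_SECONDS + 0.3  # constructed jitter
            trace.append((t, host))
    return trace


if __name__ == "__main__":
    demo = synthetic_trace([f"decoy{i}.example" for i in range(15)], "c2.example", 9)
    print(find_c2(demo))  # c2.example
```

A capture shorter than about 10 minutes never reaches pass 7, so `find_c2` returns None rather than guessing.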
We see that XLoader creators put a lot of time and effort into hiding their C&C infrastructure. From the timing evasion to masking real C&C servers, everything is dedicated to creating a maximum possible stealth level for the real C&C infrastructure.
Despite the fact that all XLoader servers are controlled centrally by a group of cybercriminals or even by an individual, the methods they use lead the command infrastructure to remain undetected for a very long time.
In addition, every Formbook and XLoader sample accesses 64 legitimate domains, and at first glance there is no way to distinguish the malicious servers from the legitimate ones. This may lead some security vendors to falsely identify such domains as malicious.
Check Point Protections
Check Point provides zero-day protection across its network, cloud, users and access security solutions. SandBlast provides the best zero-day protection while reducing security overhead.