Stealth is never enough, or Revealing Formbook successor’s C&C infrastructure

August 2, 2021

By: Alexey Bukhteyev & Raman Ladutska

Reliability is one of the main requirements for software, and malware is no exception. If a malware product is reliable enough to exfiltrate the data from the infected systems to the operator, then such a product will be in demand. The reverse is also true; if malware is not reliable and can’t perform its job with a decent success rate, nobody would want to use it.

We were surprised to discover what we thought was an anomaly inside XLoader for Windows. This successor to Formbook, one of the most prevalent data stealers, seemed to implement a counter-intuitive solution in its execution flow. The initial research showed that XLoader seemed to put the safety of its C&C infrastructure above the reliable data exfiltration: the knockback probability to the C&C server appeared to be only 22%. As this didn’t align with the assumption of how a prevalent malware should operate, we started to dig deeper to understand the malware execution flow in greater detail.

We discovered a clever evasion technique which was intended to fool sandboxes and researchers alike. We analyzed the algorithm behind the C&C communication and can now confirm that knockback probability to the C&C server is actually 100% – with some special nuances. In this article, we describe all the steps and little details which we encountered on the way.

We also share several methods for distinguishing the real C&C server, only one out of the 64 domains present in any given XLoader sample, from the decoys.

Stealth C2

As opposed to Formbook, its successor XLoader comes without C&C panel source code and is sold only by subscription. Thus, customers have no way to set up their own C&C servers. Instead, XLoader uses the centralized C&C infrastructure provided by the XLoader creators.

Stealth is the hallmark of both Formbook and XLoader C&C servers. The response to the XLoader check-in command can’t be distinguished from the one received from any legitimate host.

Usually, the C&C server response looks like a regular “404 Not Found” error page:

Figure 1 – XLoader C&C communication example.

The only situation where the response from the server is “200 OK” is when the server is ready to issue a command for a bot. In this case, the server responds to the check-in request with “200 OK” and the encrypted command in the response body. However, a legitimate HTTP server may also reply with “200 OK” status to an XLoader request.

This makes it really difficult to find a genuine XLoader C&C server.

A wolf in sheep’s clothing

Each XLoader and Formbook sample contains one “main” URI and a list of 64 domain names.

Previous research on Formbook assumed that the list of 64 domains consists of randomly selected decoys, and that only the “main” URI from the configuration is used for C&C communication.

Figure 2 – Creating a list of domains for C&C communication in Formbook malware.

This assumption looks very logical given the fact that Formbook randomly chooses only 16 from the list of 64 domains to search for C&C servers. In addition, one of the selected domain names is randomly replaced with the “main” one. Thus, the probability that after a restart the malware contacts a specific domain from this list is only 23% (16 selected out of 64, minus the one replaced: 15/64), while the “main” domain is accessed in 100% of the cases.

The XLoader configuration has the same structure as the Formbook configuration and contains the “main” URI and the list of 64 domains. Looking at the XLoader behavior, we initially assumed that it works the same way.

All of these domains are registered by different individuals and companies and mostly look legitimate. Some of the domains from this list are just parked.

If we decrypt the configuration in several XLoader samples, we see that the lists of 64 domains in these samples are completely different.

Sample A (MD5 fa12196c8ad6922d874c0da9d675bf79)      | Sample B (MD5 0929cb78a1a4291104f61d76954e3997)
www.laserlaser[.]party/vfm2/                         | www.livedishdirect[.]com/vfm2/
www.citestaccnt1597664033[.]com/vfm2/                | www.stayathomestaycations[.]site/vfm2/
www.jhwanbao[.]com/vfm2/                             | www.new-t7[.]com/vfm2/
www.sandzconsult[.]com/vfm2/                         | www.counterpointux[.]com/vfm2/
www.zionmakers[.]com/vfm2/                           | www.allerganacademy[.]sucks/vfm2/
www.all-facts[.]com/vfm2/                            | www.grialca[.]com/vfm2/
www.ayurved[.]wiki/vfm2/                             | www.septieme7[.]com/vfm2/
www.ryohei-miyazaki[.]com/vfm2/                      | www.modeleggings[.]com/vfm2/

Table 1 – Comparison of configuration of 2 XLoader samples.

The facts above convinced us that these 64 domains are decoys, and that the “main” URI is used to contact the C&C server.

However, after collecting hundreds of XLoader samples, we found an anomaly. Some domains appear multiple times in different samples.

Count  Domain                IP               Registered at
21     www.maglex[.]info     162.0.214.58     2021-01-12T14:51:17Z
16     www.contex3[.]info    162.0.214.58     2021-02-11T13:06:13Z
10     www.tomrings[.]com    162.0.214.58     2021-05-08T07:36:01Z
11     www.bunies3[.]com     162.0.214.62     2021-05-02T09:10:20Z
18     www.midgex[.]info     162.0.216.125    2021-03-09T17:25:14Z
15     www.magetu[.]info     162.0.216.35     2021-03-16T09:14:35Z
13     www.cunerier[.]com    162.0.219.212    2021-04-27T12:25:33Z
22     www.curtex[.]info     162.0.222.228    2021-02-24T21:33:24Z
11     www.mex33[.]info      162.0.223.226    2021-03-23T15:23:53Z
4      www.solisdq[.]info    162.0.223.226    2020-09-14T18:37:20Z
33     www.bostonm[.]info    162.0.230.164    2021-01-24T07:21:46Z
18     www.cowbex[.]info     162.0.230.164    2021-02-02T15:46:51Z
14     www.bingent[.]info    162.0.238.245    2021-01-10T16:32:13Z
15     www.curiget[.]xyz     162.0.239.203    2021-04-02T19:49:36.0Z

Table 2 – Domains that appear multiple times in different XLoader samples.

We should emphasize that every researched sample contains exactly one domain name from the list above.

The domains in this list have several things in common. All the domains were registered less than a year ago at the Namecheap registrar, and are hosted at Namecheap hosting.

If we try to open any of them in a web browser we see the same page:

Figure 3 – Supposed XLoader C&C server root page.

We have reason to believe that this list contains real C&C server addresses.

C&C Panel

The domain names in the list above look really suspicious due to the facts we’ve noted.

However, we needed proof that the list contains the addresses of the real XLoader C&C servers.

To determine whether a host is a C&C server, we need to find the C&C panel hosted on it.

As XLoader is a successor of Formbook, we assumed that their C&C panels should be similar. Therefore, we looked into the leaked Formbook C&C panel source code. From it we learned that the Formbook panel is accessed using a URI with the following format:

https://c2-domain/{campaign_id}/{script_name}.php?account={account_name}

The account name is taken from the configuration:

$username    = "admin"; //Login Username
$password    = "admin"; //Login Password
$accountName = "tester"; //Path Account Name
$accountNumber = "XXXX"; //Your Bin's Account Number

The C&C panel PHP script generates the 404 error page if we access it without arguments or with the wrong account_name value:

//DIE //////////////////////////////////////////////////////////////////////////
echo $fb->str['p404']; exit();

However, the 404 error page generated by the script differs from the 404 page generated by the HTTP server itself:

Figure 4 – Difference between the error page generated by the XLoader script (on the left side) and the HTTP server (on the right).

This feature also lets us tell active campaigns from inactive ones. In active campaigns, the response is generated by the script. In inactive campaigns, the response is generated by the server because the campaign folder doesn’t exist. We can assume that if an XLoader customer doesn’t extend the subscription, the C&C owner removes the customer’s folder, and the customer loses control over the bots.

The last step is to finally prove that we found a C&C server. We need to find or guess the account name and get to the C&C panel login form. How do we do that?

We collected the nicknames of the underground forum users who contacted XLoader sellers. Then we tried to access the supposed C&C servers by the domain names from the collected list and using the known campaign IDs extracted from the XLoader samples and the collected nicknames:

https://xloader-c2-domain/{campaign_id}/index.php?account={nickname}

After a few minutes, we saw the XLoader login form:

Figure 5 – XLoader C&C panel login page.

We also found that we could use the account name to access an open directory containing all the scripts:

Figure 6 – XLoader C&C server open directory.

One of the subfolders contains the encrypted payloads delivered to the victims:

Figure 7 – XLoader C&C server open directory.

It also appears that one server may host several independent panels under different paths.

Stealth at the expense of reliability?

Now we know that the address of the real C&C server is hidden among the decoy domains.

Looking into the behavior of the XLoader samples in sandboxes, we saw that in every launch the malware accesses 14 domains from the decoys list (as opposed to Formbook which accesses 15 domains) and one domain from the main URI, which also appeared to be a decoy. Therefore, the probability of accessing the real C&C server should be even less than 22%. Did the XLoader creators really decide to sacrifice reliability for stealth?

We were very surprised when, during a series of launches of the malware in a sandbox, we did not see communication with the real C&C server at all!

The black-box analysis in this case only confused us. Therefore, let’s look into the malware code. The part of the code that deals with the list of 64 domains is stored encrypted. This part of the code is decrypted and executed only when injected into the “explorer.exe” process.

One of the encrypted functions is responsible for choosing 16 domains from the malware configuration. Please note that this function chooses exactly 16 (not 15!) domains from the list of 64 domains.

Figure 8 – Initializing a list of 16 decoy domains in XLoader malware.

Next, XLoader generates two distinct random numbers in the range 0 to 15. One of them is used as the position for the fake C&C domain taken from the “main” URI, and the second one as the position of the real C&C domain in the target list. For the real C&C domain, the hard-coded index 121 was used in the researched sample:

Figure 9 – XLoader replaces two domains in the created list with another decoy and the real C&C server domain.

Before choosing the position for the real C&C server in the target list, the malware checks if the real C&C domain index is already present in the list. Finally, the position of the real C&C server in the target list is stored for further use:

Figure 10 – XLoader stores the index of a real C&C server for further use as needed.

Another encrypted function is responsible for the C&C communication.

The chosen domains from the list are sequentially passed to this function in an infinite loop. Every time the function is called, it checks if the selected domain is a real C&C domain. The first 6 attempts to connect to the real C&C server are skipped.

Figure 11 – Timing evasion delays access to the real C&C server.

Thus, XLoader randomly chooses 16 decoy domains, two of which are replaced with a fake C&C server address and the real C&C server address. The real C&C server is accessed only after a long delay. As we used a short emulation timeout in our sandbox, we didn’t see any connection attempts to the real C&C server.

In summary, the domain name selection scheme for the C&C lookup is as follows:

Figure 12 – Creating a list of domains for C&C communication in XLoader malware.

Determining the C&C server address in XLoader network traffic

XLoader waits 5 seconds between connection attempts. Therefore, the first connection attempt to the real C&C server occurs between 480 and 560 seconds after the malware starts.

Knowing that, we can easily determine the address of a C&C server for a sample by observing its network communication for at least 10 minutes.

Figure 13 – Determining the C&C server address in XLoader network traffic.

In the first step, we need to find the index of the skipped communication attempt within the 16-domain rotation. In the picture above, the index of the skipped request is 6. In the second step, we need to find the time when the communication with the real C&C server starts and take the request at that index (the 6th request). This gives us the address of the XLoader C&C server.
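To make the two-step method concrete, here is an added Python example; it is not code from this write-up or from Check Point. It models the rotation as described above (16 domains, one attempt every 5 seconds, the first six attempts against the real C&C skipped) on a constructed list of placeholder domains, and then applies the two steps to the resulting request log: find the slot that stays silent in the first rotation cycle, then take the first request that lands in that slot. All domain names, the random seed and the function names are assumptions made for the example.

```python
"""Recover the real XLoader C&C domain from a request timeline (added example)."""
import random
from dataclasses import dataclass

# Parameters taken from the write-up: one attempt every 5 s, a rotation list of
# 16 domains, and the first 6 attempts against the real C&C silently skipped.
ATTEMPT_INTERVAL = 5
TARGET_LIST_SIZE = 16
SKIPPED_ATTEMPTS = 6


@dataclass(frozen=True)
class Request:
    t: int        # seconds since the sample started
    domain: str


def model_request_log(decoys, fake_main, real_c2, seed=0, cycles=8):
    """Build a CONSTRUCTED request log that follows the selection scheme the
    write-up describes. Returns (log, target_list) so a caller can check the
    result. Every domain name here is a placeholder, not real infrastructure."""
    rng = random.Random(seed)
    target = rng.sample(decoys, TARGET_LIST_SIZE)
    fake_pos, real_pos = rng.sample(range(TARGET_LIST_SIZE), 2)  # two distinct slots
    target[fake_pos] = fake_main        # decoy taken from the "main" URI
    target[real_pos] = real_c2          # the real C&C server
    log, real_attempts, t = [], 0, 0
    for _ in range(cycles):
        for domain in target:
            if domain == real_c2:
                real_attempts += 1
                if real_attempts <= SKIPPED_ATTEMPTS:
                    t += ATTEMPT_INTERVAL   # the slot elapses but nothing is sent
                    continue
            log.append(Request(t, domain))
            t += ATTEMPT_INTERVAL
    return log, target


def recover_c2(log, interval=ATTEMPT_INTERVAL, list_size=TARGET_LIST_SIZE):
    """Two-step method from the write-up.
    Step 1: the slot that is silent in the first rotation cycle is the C&C slot.
    Step 2: the first request that lands in that slot names the C&C domain.
    Returns (domain, seconds) or None when the capture does not show the pattern."""
    def slot(r):
        return round(r.t / interval)   # tolerates small timing jitter

    seen = {slot(r) for r in log if slot(r) < list_size}
    silent = sorted(set(range(list_size)) - seen)
    if len(silent) != 1:
        return None   # zero or several gaps: noisy capture or not this pattern
    for r in log:
        if slot(r) % list_size == silent[0]:
            return r.domain, r.t
    return None       # capture too short: the real C&C was never contacted


if __name__ == "__main__":
    decoys = [f"decoy{i:02d}.example" for i in range(64)]   # constructed 64-entry list
    log, target = model_request_log(decoys, "main-decoy.example", "real-c2.example")
    print("slot of real C&C:", target.index("real-c2.example"))
    print("recovered:", recover_c2(log))
```

With the 5-second interval and six skipped attempts, the recovered timestamp is 480 seconds plus 5 seconds per slot position, so it always lands in the 480 to 555 second window the write-up describes; a capture shorter than that (the `log[:15]` case) yields `None`, which is why at least 10 minutes of traffic are needed.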

Conclusion

We see that XLoader creators put a lot of time and effort into hiding their C&C infrastructure. From the timing evasion to masking real C&C servers, everything is dedicated to creating a maximum possible stealth level for the real C&C infrastructure.

Despite the fact that all XLoader servers are controlled centrally by a group of cybercriminals or even by an individual, the methods they use let the command infrastructure remain undetected for a very long time.

In addition, every Formbook and XLoader sample accesses 64 legitimate domains, and at first glance there is no way to distinguish the malicious servers from the legitimate ones. This may lead some security vendors to falsely identify such domains as malicious.

Check Point Protections

Check Point provides zero-day protection across its network, cloud, users and access security solutions. SandBlast provides the best zero-day protection while reducing security overhead.

SandBlast Network Protections:

    Trojan.WIN32.Formbook.A
    Trojan.WIN32.Formbook.B
    Trojan.WIN32.Formbook.C
    Trojan.WIN32.Formbook.D
    Trojan.WIN32.Formbook.E
    Trojan.WIN32.Formbook.F
    Trojan.WIN32.Formbook.G
    Trojan.WIN32.Formbook.H
    Trojan.WIN32.Formbook.I
    Trojan.WIN32.Formbook.J
    Trojan.WIN32.Formbook.K
    Trojan.WIN32.Formbook.L
    Trojan.WIN32.Formbook.M
    Trojan.WIN32.Formbook.N
    Trojan.WIN32.Formbook.O
    Trojan.WIN32.Formbook.P
    Trojan.WIN32.Formbook.Q
    Trojan.WIN32.Formbook.R

Threat Emulation protections:

    Infostealer.Win32.Formbook.C
    Infostealer.Win32.Formbook.D
    Infostealer.Win32.Formbook.E
    Infostealer.Win32.Formbook.gl.F
    Infostealer.Win32.Formbook.TC
    Formbook.TC
    Infostealer.Win32.XLoader.TC
    XLoader.TC
    Trojan.Mac.XLoader.B

Appendix: Indicators of Compromise

XLoader samples

Version  SHA256                                                            C&C domain
2.3      431982fff08165e5c303898ca7b170df7bcd12445ebfffc625e4288d879b707c  www.blaxies3[.]com
2.3      12203ad237f1b5ffb35167763bc8dd3a61f5456264113df9d2885f7955933525  www.bostonm[.]info
2.3      116327b1291841ae8677052cd4f7ff8fa93d579642d494db5866d8f8b5bc102d  www.iregentos[.]info
2.1      db650e246a143c32ff6147725438ae27aa1c6edb79dace52ff07fc6da933336b  www.solisdq[.]info

Formbook and XLoader C&C servers

Domain                    Registration date  IP
www.cia3mega[.]info       2020-09-10         162.0.238.42
www.solisdq[.]info        2020-09-14         162.0.223.226
www.ppc-listing[.]info    2020-09-18         162.0.222.228
www.sencmil[.]info        2020-09-18         199.192.20.57
www.magentnew[.]com       2020-09-21         63.250.33.199
www.psm-gen[.]com         2020-09-21         199.192.24.139
www.necght[.]xyz          2020-09-28         162.0.221.213
www.haxings[.]online      2020-10-11         162.0.231.18
www.domvy[.]xyz           2020-10-14         162.0.219.60
www.octoberx2[.]online    2020-10-15         162.0.238.42
www.haxb33[.]xyz          2020-10-18         162.0.233.6
www.best4x[.]online       2020-10-18         198.187.30.137
www.stevebana[.]xyz       2020-10-26         198.187.30.150
www.magentos6[.]com       2020-11-03         162.0.216.198
www.surptalb[.]xyz        2020-11-03         162.0.238.241
www.forenvid[.]com        2020-11-19         63.250.44.230
www.novergi[.]com         2020-11-24         162.0.213.203
www.cookies-x[.]info      2020-11-25         162.0.213.60
www.jumben[.]xyz          2020-12-07         63.250.44.253
www.magenx2[.]info        2020-12-08         199.192.21.245
www.olenfex[.]com         2020-12-13         162.0.214.234
www.absasha[.]com         2020-12-14         199.192.21.245
www.iregentos[.]info      2020-12-18         63.250.34.223
www.freisaq[.]com         2021-01-05         63.250.34.114
www.bingent[.]info        2021-01-10         162.0.238.245
www.nehyam[.]com          2021-01-10         162.0.216.51
www.maglex[.]info         2021-01-12         162.0.214.58
www.searko[.]com          2021-01-12         199.192.24.12
www.racevx[.]xyz          2021-01-17         199.192.22.53
www.rangers3[.]xyz        2021-01-17         199.192.19.85
www.uyhams[.]com          2021-01-19         63.250.34.108
www.bostonm[.]info        2021-01-23         162.0.230.164
www.carbeloy[.]com        2021-01-24         199.188.203.26
www.chekax[.]com          2021-01-26         162.0.219.60
www.luisxe[.]info         2021-01-29         162.0.233.6
www.naigves[.]com         2021-01-31         63.250.41.119
www.cowbex[.]info         2021-02-02         162.0.230.164
www.bakldx[.]com          2021-02-02         162.213.250.218
www.azerni[.]com          2021-02-09         162.213.253.238
www.contex3[.]info        2021-02-11         162.0.214.58
www.yeasuc[.]com          2021-02-15         198.54.112.233
www.commagx4[.]info       2021-02-16         63.250.44.249
www.chaing-list[.]xyz     2021-02-17         63.250.44.253
www.shegimx[.]com         2021-02-21         199.192.27.115
www.curtex[.]info         2021-02-24         162.0.222.228
www.magen-tracks[.]xyz    2021-03-01         162.0.224.22
www.jumlasx[.]xyz         2021-03-01         66.29.135.47
www.midgex[.]info         2021-03-09         192.64.115.131
www.ruvapy[.]com          2021-03-14         199.192.28.238
www.magetu[.]info         2021-03-16         162.0.216.35
www.juxrams[.]info        2021-03-16         162.0.223.225
www.casnop[.]com          2021-03-18         162.0.216.51
www.mex33[.]info          2021-03-23         162.0.223.226
www.lownak[.]com          2021-03-23         192.64.115.15
www.contex33[.]xyz        2021-03-23         162.0.223.226
www.kuppers[.]info        2021-03-26         63.250.35.57
www.byonf[.]com           2021-03-30         162.0.213.148
www.curiget[.]xyz         2021-04-02         162.0.239.203
www.cinmax[.]xyz          2021-04-06         199.192.27.68
www.floryi[.]com          2021-04-11         162.0.211.27
www.senmec23[.]com        2021-04-13         66.29.131.244
www.nelivo[.]com          2021-04-20         66.29.133.79
www.contorig2[.]com       2021-04-21         199.192.23.253
www.cunerier[.]com        2021-04-27         162.0.219.212
www.jumtix[.]xyz          2021-04-27         162.0.216.198
www.chaytel[.]com         2021-04-27         162.0.219.214
www.bunies3[.]com         2021-05-02         162.0.214.62
www.solevux[.]com         2021-05-03         162.0.221.213
www.tomrings[.]com        2021-05-08         162.0.214.58
www.danfrem[.]com         2021-05-11         162.213.253.236
www.mimik33[.]info        2021-05-19         162.0.213.190
www.suxfi[.]com           2021-05-20         199.192.31.106
www.baincot[.]com         2021-05-24         66.29.131.110
www.nivxros[.]com         2021-05-26         66.29.135.231
www.blinbins[.]com        2021-05-30         63.250.35.46
www.resctub[.]com         2021-05-31         199.192.26.235
www.blaxies3[.]com        2021-06-04         162.0.224.22
www.jam-nins[.]com        2021-06-04         66.29.135.47
www.calsury[.]com         2021-06-05         162.0.233.137
www.bonap56[.]com         2021-06-08         192.64.116.169
www.smacey[.]com          2021-06-09         66.29.139.154
www.brateix[.]info        2021-06-14         199.192.17.149
www.ravexim3[.]com        2021-06-17         192.64.115.131

 
