In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the niche left empty after Formbook sales were abruptly stopped by its author. We did a deep technical analysis, followed by a description of XLoader for macOS, and covered the similarities and differences in how both malware families conceal the heart of the whole operation, the Command-and-Control (C&C) infrastructure. However, the world does not stand still, and neither does the malware ecosystem.
A couple of months after our publications were released, we spotted a new XLoader version in-the-wild which superseded all the versions we described previously. The enhanced version changes key parts of the malware logic significantly enough to be treated as a distinct implementation.
In this article, we describe the changes the malware authors applied to XLoader to obscure the C&C infrastructure, going further than anything we saw before. It is now significantly harder to separate the wheat from the chaff and discover the real C&C servers among the thousands of legitimate domains that XLoader uses as a smokescreen. We explain how we identified the real C&C nodes in the evolving botnet.
Deep technical dive
The Formbook malware has not been updated for quite a long time. The latest version of this stealer is 4.1, and we observed samples of this version as far back as 2020. This gives us reason to believe that Formbook has been discontinued.
At the same time, XLoader, Formbook's successor which we described last year, has already received two updates since our publication. In this article, we describe the most important changes that we found in XLoader version 2.5.
Camouflaging real C&C servers – methods used in 2021
All XLoader samples have 64 domains and one URI in their configurations. The XLoader configuration has the same structure as the Formbook configuration. In earlier versions, Formbook used the URI stored separately in the configuration to access its C&C server; the 64 domains from the malware configuration were decoys, intended to distract the researchers' attention.
In Formbook version 4.1, the malware developers added another level of stealth, which also migrated to the early versions of XLoader (prior to 2.5). The domain name of the real C&C server was hidden among the 64 decoys, while the URI that had always been thought to be the address of the C&C server became another decoy and could point to a legitimate website. These versions randomly choose 16 decoy domains, two of which are replaced with the fake C&C server address and the real C&C server address. The real C&C server is accessed only after a long delay.
Figure 1 – Creating a list of domains for C&C communication in XLoader 2.3 and Formbook 4.1.
This already looks complicated. However, the newer version introduced an even more sophisticated algorithm.
New version – a new level of protection
The first samples of the new version of XLoader appeared in-the-wild in August 2021, a month after our publication Revealing the XLoader's C&C infrastructure. At first glance, we saw no difference, because the configuration structure remained exactly the same.
However, when emulating samples in a sandbox, we noticed a change. With a long emulation time, the sample accessed more than 16 domains, unlike earlier versions. This behavior forced us to put aside automated analysis tools and arm ourselves with a disassembler. We soon discovered the part of the code responsible for the detected anomaly. As in the previous versions, XLoader first creates a list of 16 domains that are randomly selected from the 64 domains stored in the configuration. After each attempt to access the selected 16 domains, the following code is executed:
Figure 2 – XLoader 2.5 overwrites the first 8 domains before each communication cycle.
The purpose of this piece of code is to partially overwrite the list of accessed domains with new random values. Therefore, if XLoader runs long enough, it accesses new randomly selected domains. Note that only the first 8 values are overwritten; the remaining 8 stay as they were selected immediately after launch.
In addition, XLoader appeared to save the index of its C&C server and to protect it from being overwritten:
Figure 3 – XLoader doesn’t overwrite the C&C domain index.
However, when we checked the hosts that were supposed to be XLoader C&C servers, it turned out that many of them did not respond or looked legitimate, such as this one:
Figure 4 – Fake C&C domain points to a likely legitimate site.
Also, most of them appear only once across the various configurations, which makes them weak candidates for real C&C servers. From our previous research, we remembered that the number of real C&C servers was relatively small (we found fewer than 100 C&C servers among 90,000 domains used by the malware), and that they were reused across many campaigns of different XLoader customers.
In this case, we also found many domains that appear multiple times in samples belonging to different campaigns. However, these domains sit in the list of decoys and do not stand out at first glance. Let's look at the websites these domains point to. The root page looks like the parked domain page of well-known domain registrars and hosting service providers (usually Hostinger and Namecheap):
Figure 5 – Real C&C servers disguised as Hostinger and Namecheap parked domain pages.
However, if we check the source code of the page and compare it with the original page generated by the service provider, we see many differences:
Figure 6 – Differences in the fake (on the left side) and the real (on the right side) Namecheap parked domain page.
In the fake Hostinger page, we also see some visual differences:
Figure 7 – Visual differences in the fake (on the left side) and the real (on the right side) Hostinger parked domain page.
We then collected the IP addresses of all presumably malicious hosts and the root pages of the corresponding websites. All the domains point to a few IP address ranges, all of which belong to Namecheap, and some domains point to the same IP addresses.
Table 1 – XLoader domains and IP addresses to which they point (columns: domain, IP address, root page MD5 hash, root page title; the root page title reads "Future home of…" for the entries shown).
All the websites display pages that appear to be “under construction”, primarily the fake Namecheap or Hostinger parked domain page, even though all the IP addresses belong to Namecheap.
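The triage described in the preceding paragraphs, reduced to code: count in how many distinct campaigns each configuration domain occurs, keep the recurring ones as C&C candidates, pivot them on resolved IP and root-page hash, and diff a candidate's root page against the provider's genuine parked page. This is an added example written for this page, not Check Point Research tooling. The configurations, IP addresses and HTML below are constructed stand-ins (the `.example` domains and the 198.51.100.0/24 address are reserved documentation values), and the parked-page template is a simplified imitation, not the real Namecheap or Hostinger page; in practice the candidate list would feed a resolver and a fetcher.

```python
"""Triage of XLoader configuration domains as described above: domains reused
across campaigns are the C&C candidates; they are then pivoted on resolved IP
and root-page hash and diffed against the provider's genuine parked page.
Added example, not Check Point Research tooling; all data below is constructed."""
import difflib
import hashlib
from collections import Counter, defaultdict

# Constructed sample: campaign -> domains extracted from that campaign's
# configurations (real configs hold 64 each; trimmed for illustration).
SAMPLE_CONFIGS = {
    "campaign-a": ["alpha-store.example", "blue-cafe.example",
                   "shared-one.example", "shared-two.example"],
    "campaign-b": ["green-bikes.example", "shared-one.example",
                   "red-music.example", "shared-two.example"],
    "campaign-c": ["shared-one.example", "old-press.example",
                   "sky-travel.example", "shared-two.example"],
}

# Constructed resolver output for the recurring domains (documentation range).
RESOLVED_IPS = {
    "shared-one.example": "198.51.100.10",
    "shared-two.example": "198.51.100.10",
}

# Constructed pages: REFERENCE_PARKED stands in for a provider's genuine
# parked-domain page; FAKE_PARKED imitates it with small deviations.
REFERENCE_PARKED = """<html>
<head><title>Future home of our new site</title>
<link rel="stylesheet" href="/parking.css"></head>
<body><h1>Future home of our new site</h1>
<p>If you are the owner of this domain, please log in.</p>
</body></html>"""

FAKE_PARKED = """<html>
<head><title>Future home of our new site</title></head>
<body><h1>Future home of our new site</h1>
<p>If you are the owner of this domain, please log in.</p>
<div id="content"></div>
</body></html>"""

ROOT_PAGES = {"shared-one.example": FAKE_PARKED, "shared-two.example": FAKE_PARKED}


def campaign_counts(configs):
    """Number of distinct campaigns in which each domain occurs."""
    counts = Counter()
    for domains in configs.values():
        counts.update(set(domains))
    return counts


def recurring_domains(configs, min_campaigns=2):
    """Domains reused by different customers: the C&C candidates to check."""
    return sorted(d for d, n in campaign_counts(configs).items() if n >= min_campaigns)


def page_fingerprint(html):
    """MD5 of the whitespace-normalized root page, for clustering as in Table 1."""
    return hashlib.md5(" ".join(html.split()).encode()).hexdigest()


def pivot_candidates(domains, resolved, pages):
    """Group candidate domains by resolved IP and by root-page fingerprint."""
    by_ip, by_page = defaultdict(set), defaultdict(set)
    for d in domains:
        by_ip[resolved.get(d, "unresolved")].add(d)
        by_page[page_fingerprint(pages.get(d, ""))].add(d)
    return dict(by_ip), dict(by_page)


def template_differences(html, reference):
    """Lines that differ between a candidate's root page and the genuine template."""
    diff = difflib.unified_diff(reference.splitlines(), html.splitlines(), lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    candidates = recurring_domains(SAMPLE_CONFIGS)
    print("recurring:", candidates)
    by_ip, by_page = pivot_candidates(candidates, RESOLVED_IPS, ROOT_PAGES)
    print("by IP:", by_ip)
    print("by page hash:", by_page)
    for line in template_differences(FAKE_PARKED, REFERENCE_PARKED):
        print(line)
```

MD5 is used here only to match the fingerprint column of Table 1 and cluster identical pages; it carries no security property. The whitespace normalization keeps trivially re-indented copies of the same page in one cluster, while the line diff surfaces the kind of deviations from the provider's template shown in Figures 6 and 7.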
It looks like we found the C&C servers, but is it possible to distinguish them in the list of 64 decoy domains in the malware configuration?
Let’s now look at the function that fills the initial list of 16 domains in XLoader 2.5 and compare it with the function from XLoader 2.3:
Figure 8 – XLoader 2.5 replaces three domains in the created list with 2 decoys and the real C&C server domain.
As we can see, XLoader 2.5 introduced additional code that replaces one more domain in the list with a fixed value. Interestingly, this value doesn't appear anywhere else in the code and is not saved; its position in the list of 16 domains is chosen randomly.
Since the first 8 domains are overwritten with new values after the first communication cycle, there is a 50% chance that this domain will be overwritten. Nevertheless, we believe this is the domain that points to the real C&C server.
The domain selection scheme is as follows:
Figure 9 – Creating a list of domains for C&C communication in XLoader 2.5.
If the real C&C domain lands in the second half of the list, it is accessed in every cycle, that is, approximately once every 80-90 seconds. If it lands in the first half, it is overwritten by another random domain name.
However, there is still a chance that this domain appears in the list again, because the 8 domains that overwrite the first half of the list are chosen randomly from the configuration, and the real C&C domain might be one of them. In this case, the probability that the real C&C server is accessed in the next cycle is 7/64 or 1/8, depending on the position of the "fake c2 (2)" domain (see Figure 9 above): its index is saved and not overwritten, so when it also sits in the first half of the list, only 7 of the 8 slots receive fresh random domains.
The malware authors once again demonstrated their technical skill and unconventional approach. By relying on the Law of Large Numbers, they achieved two goals: the real C&C servers stay hidden in common sandbox emulations (which are usually short), and the malware remains effective.
In the table below we give the probability that the real C&C server is not accessed within a given time-frame. We assume the lowest possible probability of the server appearing in any given cycle, 7/64, and the longest possible pause between two cycles, 90 seconds.
Probability of the real C&C server not being accessed (rows in order of increasing time-frame):
Like a coin toss
Less than 1 in 3
1 in 4
1 in 10
1 in 100
Less than 1 in 10,000
Less than 1 in 1,000,000
The table shows that an infected host is very unlikely to leave the real C&C server uncontacted for long: under the worst-case assumptions above, the chance that it has still not been accessed after 2.5 hours (100 cycles of 90 seconds) is (57/64)^100, roughly 1 in 100,000, and it drops below 1 in 1,000,000 after about 3 hours. In reality, the probability is even lower, as a cycle period can vary between 80 and 90 seconds, and the probability of the real C&C server showing up in a cycle may be as high as 1/8.
Even 9 minutes is enough to fool emulators that infer the C&C server from the delays between domain accesses. At the same time, the regular knockback period that the malware maintains with the help of probability theory keeps victims in the botnet without sacrificing functionality.
On May 5, 2022, we spotted a new version of XLoader malware in-the-wild. The main update in XLoader v2.6 concerns the network communication. The random index of the real C&C server is now saved in the malware state structure:
Figure 10 – XLoader 2.6 generates and stores the index of a real C&C server.
During each communication cycle, when the malware overwrites the first 8 entries in the list of accessed domains, it keeps the values for the real and the fake C&C domains:
Figure 11 – XLoader 2.6 doesn’t overwrite the fake and the C&C domain indices.
Therefore, the real C&C server is now accessed in every communication cycle, or once in approximately 80-90 seconds.
However, this logic is activated only when the malware runs on an x64 system. When it runs on an x86 system, the variable real_c2_index stores the same value as fake_c2_index. As a result, on x86 the real C&C server is accessed with the same probability as any of the 63 decoys. This looks like an evasion technique, as many sandboxes still use x86 virtual machines.
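To make the selection scheme in Figure 9, the probability table above and the 2.6 change concrete, the following model, added here and not XLoader's own code, replays the 16-slot list: 16 decoys drawn from the 64 configuration domains, the saved "fake c2 (2)" slot and the real C&C slot placed at chosen positions, and the first 8 slots refreshed before every later cycle. `protect_real=False` is XLoader 2.5 (and 2.6 on x86); `protect_real=True` is 2.6 on x64, where `real_c2_index` is saved. Assumptions not stated on the page: slots are drawn without replacement, the real C&C and the saved fake C&C are two specific entries of the 64 (the indices 17 and 42 are arbitrary), and "fake c2 (1)" is treated like any other decoy slot. `p_not_contacted` then evaluates (1 - p)^n for the time-frames of the table.

```python
"""Model of the XLoader 2.5 / 2.6 C&C domain list (added illustration, not
malware code). Parameters from the article: 64 configuration domains, 16
contacted per cycle, the first 8 refreshed before each later cycle, 80-90 s
between cycles. Everything marked ASSUMPTION is not stated on the page."""
import random
from fractions import Fraction

N_CONFIG = 64    # domains in the configuration
LIST_LEN = 16    # domains contacted per communication cycle
REFRESHED = 8    # leading slots overwritten before every later cycle

# ASSUMPTION: the real C&C and the saved "fake c2 (2)" are two specific
# entries of the 64-domain configuration; the indices chosen here are arbitrary.
REAL_DOM = 17
FAKE2_DOM = 42


class DomainList:
    """The 16-slot list of configuration indices a bot contacts each cycle.

    protect_real=False: XLoader 2.5 (and 2.6 on x86), only the fake slot is kept.
    protect_real=True:  XLoader 2.6 on x64, the real C&C slot index is kept too.
    """

    def __init__(self, rng, real_pos, fake_pos, protect_real):
        self.rng = rng
        self.real_pos, self.fake_pos = real_pos, fake_pos
        self.protect_real = protect_real
        # ASSUMPTION: decoy slots are drawn without replacement from the
        # configuration entries other than the two special domains.
        others = [d for d in range(N_CONFIG) if d not in (REAL_DOM, FAKE2_DOM)]
        self.slots = rng.sample(others, LIST_LEN)
        self.slots[fake_pos] = FAKE2_DOM
        self.slots[real_pos] = REAL_DOM

    def next_cycle(self):
        """Overwrite the first 8 slots with fresh random configuration entries,
        skipping the slot indices the malware saved."""
        keep = {self.fake_pos}
        if self.protect_real:
            keep.add(self.real_pos)
        fresh = self.rng.sample(range(N_CONFIG), REFRESHED)
        for pos, dom in enumerate(fresh):
            if pos not in keep:
                self.slots[pos] = dom

    def contacts_real_c2(self):
        return REAL_DOM in self.slots


def per_cycle_probability(real_pos, fake_pos, protect_real=False):
    """Exact probability that a cycle after the first contacts the real C&C.
    Reproduces the article's 7/64 and 1/8 cases for XLoader 2.5."""
    if protect_real or real_pos >= REFRESHED:
        return Fraction(1)          # slot is never overwritten
    refreshed = REFRESHED - (1 if fake_pos < REFRESHED else 0)
    return Fraction(refreshed, N_CONFIG)


def real_c2_hit_rate(real_pos, fake_pos, protect_real=False,
                     cycles=30, trials=2000, seed=1):
    """Monte Carlo cross-check: fraction of cycles after the first in which
    the real C&C is contacted, for a given placement of the two slots."""
    rng = random.Random(seed)
    hits = total = 0
    for _ in range(trials):
        lst = DomainList(rng, real_pos, fake_pos, protect_real)
        for _ in range(cycles):
            lst.next_cycle()
            hits += lst.contacts_real_c2()
            total += 1
    return hits / total


def p_not_contacted(minutes, p_cycle=Fraction(7, 64), cycle_seconds=90):
    """Probability that none of the completed cycles within `minutes` contacts
    the real C&C: (1 - p)^n, with the article's worst case as defaults."""
    cycles = minutes * 60 // cycle_seconds
    return float((1 - p_cycle) ** cycles)


if __name__ == "__main__":
    for real_pos, fake_pos in ((3, 5), (3, 12), (12, 5)):
        print(f"2.5 real@{real_pos:2d} fake@{fake_pos:2d}: "
              f"exact {per_cycle_probability(real_pos, fake_pos)}, "
              f"simulated {real_c2_hit_rate(real_pos, fake_pos):.3f}")
    print(f"2.6/x64 real@3: {real_c2_hit_rate(3, 5, protect_real=True):.3f}")
    for minutes in (9, 15, 30, 60, 150, 180):
        print(f"{minutes:4d} min: P(real C&C never contacted) = {p_not_contacted(minutes):.2e}")
```

Running the block prints the exact per-cycle probabilities (7/64 when the saved fake slot is also in the first half, 1/8 otherwise, and 1 once the real slot is in the second half or is protected as in 2.6 on x64), a Monte Carlo check of the same cases, and the (1 - p)^n column for several time-frames: after 6 cycles (9 minutes) the real C&C is still uncontacted with probability 0.499, after 100 cycles (2.5 hours) about 9e-6, and after 120 cycles (3 hours) below 1e-6; with p = 1/8 and 80-second cycles, 2.5 hours already gives about 3e-7.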
To stay in business, malware actors have to stay at the forefront of progress and invent new tricks to prolong the lives of their creations as long as possible. XLoader is a vivid example of this process.
In July 2021, we described a method of uncovering the real C&C servers among the thousands of legitimate servers abused by XLoader v.2.3. The upgraded XLoader v.2.5 introduced significant changes to this algorithm that exploit the Law of Large Numbers from probability theory. These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers. The latter indeed became more difficult, but not impossible.
In this article we described all the steps you need to take, and all the details you need to pay attention to in order to identify the real C&C domain among the 65 encountered in every XLoader sample. We analyzed more than 100,000 domains to discover a tiny percentage of actual C&C servers in the multitude of abused domains – only 120 of the real servers, which is about 0.12% of the total number.
We continue to stay vigilant for any upcoming changes that might be implemented by future versions, not only in XLoader but in other malware families as well.
Check Point Protections
Check Point Provides Zero-Day Protection across Its Network, Cloud, Users and Access Security Solutions. Whether you’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth. Quantum provides the best zero-day protection while reducing security overhead.