XLoader Botnet: Find Me If You Can

May 31, 2022

Research by: Alexey Bukhteyev & Raman Ladutska

Introduction

In July 2021, CPR released a series of three publications covering different aspects of how the Formbook and XLoader malware families function. We described how XLoader emerged in the Darknet community to fill the empty niche after Formbook sales were abruptly stopped by its author. We did a deep technical analysis followed by a description of XLoader for macOS along with common points and differences in how both malware families conceal the heart of the whole operation, the Command-and-Control (C&C) infrastructure. However, the world does not stand still, and this applies to the malware cyber-world as well.

A couple of months after our publications were released, we spotted a new XLoader version in-the-wild which was an upgrade of all the ones we described previously.  The enhanced version features significant modifications in key parts of the malware logic to truly deserve the differentiation if compared with XLoader’s previous implementation.

In this article, we describe the changes malware authors applied to XLoader to obscure the C&C infrastructure – more than anything we saw before. Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen. We explain how we got to the essence and identified the real C&C nodes in the evolving botnet.

Deep technical dive

The Formbook malware has not been updated for quite a long time. The latest version of this stealer is 4.1, and we already observed samples of this version in far 2020. This gives us reason to believe that Formbook has been discontinued.

At the same time, XLoader, Formbook’s successor which we described last year, has already received 2 updates since our publication. In this article, we describe the most important changes that we found in XLoader version 2.5.

Camouflaging real C&C servers – methods used in 2021

All XLoader samples have 64 domains and one URI in their configurations. The XLoader configuration has the same structure as the Formbook configuration. In earlier versions Formbook used the URI stored separately in the configuration to access its C&C server. The 64 domains from the malware configuration are actually decoys, intended to distract the researchers’ attention.

In Formbook version 4.1, the malware developers added another level of stealth which also migrated to early versions of XLoader (up to 2.5). A domain name for the real C&C server was hidden among the 64 decoys, while the URI that was always thought to be an address of the C&C server became another decoy and could point to a legitimate website. The malware of versions mentioned above randomly choose 16 decoy domains, two of which are replaced with the fake C&C server address and a real C&C server address. The real C&C server is accessed after a long delay.

Figure 1 – Creating a list of domains for C&C communication in XLoader 2.3 and Formbook 4.1.

This already looks complicated. However, the newer version introduced an even more sophisticated algorithm.

New version – a new level of protection

The first samples of the new version of XLoader appeared in-the-wild a month after our publications in August 2021, Revealing the XLoader’s C&C infrastructure. At first glance, we didn’t see any difference because the configuration structure remained exactly the same.

However, when emulating samples in a sandbox, we noticed a change. With a long emulation time, the sample accessed more than 16 domains, unlike earlier versions. This behavior forced us to put aside automated analysis tools and arm ourselves with a disassembler. We soon discovered the part of the code responsible for the detected anomaly. As in the previous versions, XLoader first creates a list of 16 domains that are randomly selected from the 64 domains stored in the configuration. After each attempt to access the selected 16 domains, the following code is executed:

Figure 2 – XLoader 2.5 overwrites the first 8 domains before each communication cycle.

The purpose of this piece of code is to partially overwrite the list of accessed domains with new random values. Therefore, if XLoader runs long enough, it will access new randomly selected domains. It’s important to pay attention to the fact that only the first 8 values are overwritten, and the remaining 8 remain the same as those that were selected immediately after launch.

In addition, XLoader, as we thought, saves the index of its C&C server and does not allow it to be overwritten:

Figure 3 – XLoader doesn’t overwrite the C&C domain index.

However, while checking hosts that were supposed to be XLoader C&C servers, it turned out that many of them did not respond or else looked to be legitimate, such as this one:

Figure 4 – Fake C&C domain points to a likely legitimate site.

Also, most of them appear only once in various configurations, making them the underdogs in our preliminary bet for the real C&C candidates. From our previous research, we remembered that the number of real C&C servers was relatively small (we found less than 100 C&C servers among 90,000 domains used by the malware), and they were reused in many of the campaigns of different XLoader customers.

In this case, we also found many domains that appear multiple times in samples that belong to different campaigns. However, these domains belong to the list of decoys and do not stand out at first glance. Let’s look at the websites pointed to by some of these domains. The root page looks like a parked domain page of famous domain registrars and hosting service providers (usually Hostinger and Namecheap):

Figure 5 – Real C&C servers disguised as Hostinger and Namecheap parked domain pages.

However, if we check the source code of the page and compare it with the original page generated by the service provider, we see many differences:

Figure 6 – Differences in the fake (on the left side) and the real (on the right side) Namecheap parked domain page.

In the fake Hostinger page, we also see some visual differences:

Figure 7 – Visual differences in the fake (on the left side) and the real (on the right side) Hostinger parked domain page.

We then collected IP addresses of all presumably malicious hosts and root pages from the corresponding websites. It appeared that all the domains point to a few IP address ranges, all of which belong to Namecheap. Some domains point to the same IP addresses.

Domain IP Root Page MD5 hash Description
bubu3cin.com 162.0.214.189 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
highpacts.com 162.0.216.5 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
hype-clicks.com 162.0.223.146 f891f22cd94c80844fcfe6fddb4b7912 Fake Namecheap
moukse.com 162.0.223.146 f891f22cd94c80844fcfe6fddb4b7912 Fake Namecheap
besasin09.com 162.0.223.94 8d85df16ced80502c796649e4c806d31 Future home of…
brasbux.com 162.0.223.94 8d85df16ced80502c796649e4c806d31 Future home of…
finsits.com 162.0.225.82 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
arabatas.com 162.0.225.82 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
ocvcoins.com 162.0.238.238 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
gingure.com 162.0.238.238 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
coalmanses.com 162.213.253.206 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
fendoremi.com 162.213.253.206 ce866938b246a89fd98fc6a6f666d21c Fake Hostinger
noun-bug.com 199.188.206.146 f891f22cd94c80844fcfe6fddb4b7912 Fake Namecheap
cobere9.com 199.188.206.146 f891f22cd94c80844fcfe6fddb4b7912 Fake Namecheap
     

Table 1 – XLoader domains and IP addresses to which they point.

All the websites display pages that appear to be “under construction”, primarily the fake Namecheap or Hostinger parked domain page, even though all the IP addresses belong to Namecheap.

It looks like we found the C&C servers, but is it possible to distinguish them in the list of 64 decoy domains in the malware configuration?

Let’s now look at the function that fills the initial list of 16 domains in XLoader 2.5 and compare it with the function from XLoader 2.3:

Figure 8 – XLoader 2.5 replaces three domains in the created list with 2 decoys and the real C&C server domain.

As we can see, XLoader 2.5 introduced an additional code that replaces one more domain in the list with a fixed value. Interestingly, this value doesn’t appear anywhere else in the code and is not saved; its position in the list of 16 domains is chosen randomly.

As the first 8 domains are overwritten with new values after the first hit, there is a 50% chance that this domain will be overwritten. However, we think that this is the domain which points to the real C&C server.

The domain selection scheme is as follows:

Figure 9 – Creating a list of domains for C&C communication in XLoader 2.5.

If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name.

However, there is still a probability that this domain will appear in the list again. This is possible because the 8 domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the “fake c2 (2)” domain (see Figure 9 above).

The malware authors once again proved their high technical skills and out-of-the-box approach. By implementing the Law of Large Numbers in the malware, they achieved two goals: not only did they disguise the real C&C servers in common sandbox emulations (which are usually short), but also kept up the effectiveness of the malware.

In the table below we provide the probabilities of the real C&C server not being accessed again within a given time-frame. We take into consideration the lowest possible probability for the server to appear in any given cycle, which is 7/64, as well as the longest possible pause between two cycles, which is 90 seconds.

Time passed Probability of the real C&C server being not accessed Notes
9 minutes 50% Like a coin toss
15 minutes 31% Less than 1 in 3
18 minutes 25% 1 in 4
30 minutes 10% 1 in 10
1 hour 1% 1 in 100
2 hours 0.09% Less than 1 in 10,000
2.5 hours 0.0009% Less than 1 in 1,000,000

We see from the table that out of one million launches, only in one case the malware might not access the real C&C server in a period of 2.5 hours. In reality, the probability of such an event is even lower as a cycle time period can vary between 80 and 90 seconds, and the probability of the real C&C server to show up in a cycle may be higher and equal to 1/8.

Even 9 minutes are enough to fool the emulators and prevent the detection of the real C&C server, based on the delays between accesses to the domains. At the same time, the regular knockback period maintained by the malware with the help of probability theory allows it to keep victims as botnet parts without sacrificing the functionality.

XLoader 2.6

On May 5, 2022, we spotted a new version of XLoader malware in-the-wild. The main update in XLoader v2.6 concerns the network communication. The random index of the real C&C server is now saved in the malware state structure:

Figure 10 – XLoader 2.6 generates and stores the index of a real C&C server.

During each communication cycle, when the malware overwrites the first 8 entries in the list of accessed domains, it keeps the values for the real and the fake C&C domains:

Figure 11 – XLoader 2.6 doesn’t overwrite the fake and the C&C domain indices.

Therefore, the real C&C server is now accessed in every communication cycle, or once in approximately 80-90 seconds.

However, this logic is activated only when the malware runs in an x64 system. When it runs in an x86 system, the variable real_c2_index stores the same value as is stored in the fake_c2_index. This results in the real C&C server being accessed with the same probability as any of the 63 decoys while running in x86 system. This looks like an evasion technique, as currently a lot of sandboxes still use x86 virtual machines.

Conclusion

To stay in business, malware actors have to stay in the forefront of progress and invent new tricks to prolong the lives of their creations as long as possible. In the case of XLoader malware, we see a vivid example of such a process.

In July 2021, we described the method of uncovering real C&C servers among the thousands of legitimate servers abused by XLoader v.2.3. The upgraded XLoader v.2.5 introduced significant changes in this algorithm using the power of the Law of Big Numbers from probability theory. These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers. The latter indeed became more difficult, but not impossible.

In this article we described all the steps you need to take, and all the details you need to pay attention to in order to identify the real C&C domain among the 65 encountered in every XLoader sample. We analyzed more than 100,000 domains to discover a tiny percentage of actual C&C servers in the multitude of abused domains – only 120 of the real servers, which is about 0.12% of the total number.

We continue to stay vigilant for any upcoming changes that might be implemented by future versions, not only in XLoader but in other malware families as well.

Check Point Protections

Check Point Provides Zero-Day Protection across Its Network, Cloud, Users and Access Security Solutions. Whether you’re in the cloud, the data center, or both, Check Point’s Network Security solutions simplify your security without impacting network performance, provide a unified approach for streamlined operations, and enable you to scale for continued business growth. Quantum provides the best zero-day protection while reducing security overhead. 

SandBlast Network Protections:

         Trojan.WIN32.Formbook.A
         Trojan.WIN32.Formbook.B
         Trojan.WIN32.Formbook.C
         Trojan.WIN32.Formbook.D
         Trojan.WIN32.Formbook.E
         Trojan.WIN32.Formbook.F
         Trojan.WIN32.Formbook.G
         Trojan.WIN32.Formbook.H
         Trojan.WIN32.Formbook.I
         Trojan.WIN32.Formbook.J
         Trojan.WIN32.Formbook.K
         Trojan.WIN32.Formbook.L
         Trojan.WIN32.Formbook.M
         Trojan.WIN32.Formbook.N
         Trojan.WIN32.Formbook.O
         Trojan.WIN32.Formbook.P
         Trojan.WIN32.Formbook.Q
         Trojan.WIN32.Formbook.R 

Threat Emulation protections:

         Infostealer.Win32.Formbook.C
         Infostealer.Win32.Formbook.D
         Infostealer.Win32.Formbook.E
         Infostealer.Win32.Formbook.gl.F
         Infostealer.Win32.Formbook.TC
         Formbook.TC
         Infostealer.Win32.XLoader.TC
         XLoader.TC
         Trojan.Mac.XLoader.B 

Appendix: Indicators of Compromise

XLoader samples

SHA256 Version C&C domain
c3bf0677dfcb32b35defb6650e1f81ccfa2080e934af6ef926fd378091a25fdb 2.6 travelsagas.com
77ed8c0589576ecaf87167bc9e178b15da57f7b341ea2fda624ecc5874b1464b 2.6 click-tokens.com
041992cc47137cb45d4e93658be392bb82cdc7ec53f959c6af4761d41dfc9160 2.6 motarasag.com
e704bc09c7da872b5d430d641e9bd7c8c396cf79ea382870e138f88d166df4a8 2.6 tumpiums.com
a7023d5b16691b20334955294a80c10d435e24048f6416d1b3af3c58d0b48954 2.5 sasanos.com
862fba20ce7613356018ca44f665819522f862f040b34410a58892229aba6d9c 2.5 binbin-ads.com
d56e8522cf147e2b964a5a03e51a17d24d4cb3a4a20f36ef3fd3caeda0b105f3 2.5 range4tis.com
59048fa3b523121866f79a8a2f7a3c9c7cf609a98be5a1ec296030de2353d559 2.5 cablinqee.com

XLoader C&C servers

Domain IP
besasin09.com 162.0.223.94
brasbux.com 162.0.223.94
munixc.info 162.0.223.94
ceser33.com 162.0.223.94
ducer.info 199.192.23.209
amenosu.com 199.192.23.209
sanfireman.info 199.192.23.209
trc-clicks.com 199.192.25.68
bantasis.com 199.192.25.68
brass-tip.info 199.192.25.68
neurosise.com 199.192.30.112
finsith.com 199.192.30.112
gate334.com 199.192.30.112
seo-clicks6.com 199.192.30.247
tangodo9.info 199.192.31.5
nu865ci.com 199.192.31.5
rapibest.com 199.192.31.5
recbi56ni.com 199.192.31.5
heinousas.com 66.29.143.39
pordges.com 66.29.143.39
serenistin.com 66.29.143.39
aminsfy.com 66.29.155.250
dempius.com 66.29.155.250
buge-link.com 66.29.155.250
norllix.com 66.29.155.250
sacremots.com 66.29.155.250
beputis4.com 68.65.121.46
bubu3cin.com 162.0.214.189
highpacts.com 162.0.216.5
finsits.com 162.0.225.82
arabatas.com 162.0.225.82
cutos2.com 162.0.225.82
nropes.com 162.0.233.84
gogoma3.com 162.0.233.84
fraiuhs.com 162.0.233.84
busipe6.com 162.0.238.116
bupis44.info 162.0.238.116
gesips.com 162.0.238.116
ocvcoins.com 162.0.238.238
gingure.com 162.0.238.238
nifaji.com 162.0.238.238
coalmanses.com 162.213.253.206
fendoremi.com 162.213.253.206
cusio3c.com 162.213.253.206
nutri6si.com 162.213.253.206
breskizci.com 192.64.116.180
high-clicks.com 192.64.116.180
gunnipes.com 199.192.23.164
dugerits.com 199.192.23.164
keepitng.com 199.192.23.164
fellasies.com 199.192.28.149
butuns.com 199.192.28.149
bendisle.com 66.29.155.108
ci-ohio.com 66.29.155.108
minimi36.com 66.29.155.108
pedorc.com 68.65.121.125
cures8t.com 68.65.121.125
mecitiris.com 162.0.222.70
high-clicks2.com 162.0.224.219
nerosbin.info 162.0.231.105
b8ceex.com 162.0.231.105
dashmints.com 162.0.231.244
rap8b55d.com 198.54.112.103
rastipponmkh.com 199.192.17.24
blendeqes.com 199.192.17.24
private-clicks.com 199.192.26.170
abros88.com 199.192.30.127
bracunis.com 199.192.30.127
hugefries3.com 199.192.30.127
saint444.com 63.250.44.164
bra866.com 66.29.130.171
hype-clicks.com 162.0.223.146
moukse.com 162.0.223.146
ammarus.com 162.0.223.146
cablinqee.com 162.0.223.146
funtabse.com 162.0.223.146
gulebic.com 162.0.223.146
catdanos.com 199.188.206.146
noun-bug.com 199.188.206.146
cobere9.com 199.188.206.146
ranbix.com 199.188.206.146
tes5ci.com 199.188.206.146
blackbait6.com 199.188.206.146
mimihin.com 199.192.18.217
cesiesis.com 199.192.18.217
moreosin.com 199.192.18.217
side-clicks.com 199.192.29.43
davinci65.info 199.192.29.43
plick-click.com 199.192.29.43
redandseven.com 199.192.29.61
berdisen.com 199.192.29.61
arches2.com 199.192.29.61
price-hype.com 199.192.30.202
becbares.com 199.192.30.202
budistx.com 199.192.30.202
dain6544.com 199.192.30.202
erisibu85.com 199.192.30.202
piecebin.com 66.29.133.181
probinns.com 66.29.133.181
bumabagi.com 66.29.133.181
hughers3.com 66.29.133.181
n4sins.com 66.29.133.181
busy-clicks.com 66.29.140.185
minismi2.com 66.29.140.185
wecuxs.com 66.29.140.185
lopsrental.lease 66.29.140.185
alpeshpate.com 66.29.142.52
motometics.com 66.29.142.52
cinasing.com 66.29.142.52
gamusemenu.com 66.29.142.52
kraines3.com 66.29.142.52
ban-click.com 66.29.145.216
butsins.com 66.29.145.216
earches3.com 66.29.145.216
jervinse.com 66.29.154.112
gimbases.com 66.29.154.112
motarase.com 66.29.154.112
cusmose.com 66.29.154.157
becu84ts.com 66.29.154.157
buresdx.com 66.29.154.157
travelsagas.com 162.0.216.71
click-tokens.com 66.29.142.85
motarasag.com 162.0.233.154
tumpiums.com 66.29.155.51
sasanos.com 45.132.241.87
binbin-ads.com 31.220.18.33
range4tis.com 45.15.25.154