XLoader Infostealer: Now with Added Math
The authors of XLoader Infostealer, which has versions for both Windows and macOS, have historically taken steps to make it difficult for law enforcement to identify the authors and operators of the threat.
XLoader is offered for sale via the familiar MaaS (Malware as a Service) model that we have covered in previous threat reports.
Samples of XLoader malware were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing of these samples shows that BluVector would have detected the infostealer an average of 97 months prior to their release.
What Is XLoader?
Researchers from Check Point have detailed their analysis of recent Windows variants of the XLoader infostealer. The malware is interesting because of the complicated means by which the authors attempt to obfuscate the true address of their C2 (Command and Control) server. The authors are making use of probability theory, specifically the law of large numbers, in an apparent attempt to make their actual C2 server as difficult for threat hunters and defenders to find as the proverbial needle in a haystack.
XLoader is an infostealer, which has versions for both Windows and macOS, and was first noticed in early 2021. It is actually a successor to an earlier infostealer, Formbook, which was first offered for sale on dark web forums in the early part of 2016. XLoader is offered for sale via the familiar MaaS (Malware as a Service) model, though the purchased malware can only be used for relatively short periods of time, up to 3 months. It offers all the functionality expected of an infostealer, such as keystroke logging, password extraction from various applications, copying the clipboard, taking screenshots, and downloading and executing other code. As with previous XLoader variants, these recent samples employ a variety of anti-analysis techniques, applying to both behavioral analysis and code-based reverse engineering.
Analysis of previous XLoader variants by researchers has shown that the authors have always been mindful of making it difficult for defenders, and law enforcement, to determine the actual C2 servers in use. In XLoader variants from mid-2021, only one of the 64 domains found in each sample was a valid C2 server. The authors’ motivation is twofold. First, by making it difficult to discern the actual C2 servers, they ensure that, at the very least, these servers remain available for longer before they are identified and shut down, which would potentially disrupt malicious operations. Secondly, they hope it will make it more difficult for law enforcement to gain evidence that may enable them to identify the authors and operators of XLoader.
However, in the recent XLoader variants, the authors have improved C2 obfuscation. When the XLoader malware makes its initial attempt to contact its C2 site, it creates a list of 16 domains, randomly selected from the 64 stored in the sample. Before each subsequent C2 contact attempt, which occurs every 80-90 seconds, it overwrites the first 8 in the list with other randomly selected domains. Three of the domains at random locations in the list are also replaced by two decoy C2 domains and the real C2 domain. This is where probability theory comes into play. Loosely stated, the law of large numbers means that the more times a random experiment is repeated, the more likely a specific outcome is to occur at least once. The researchers have done the math for us: there is a 50% chance of the true C2 server being accessed in a 9-minute period, and a 99% chance it will be accessed within an hour. Both of these timeframes would likely be sufficient to ensure communication with the true C2 server was not recorded by automated sandboxes, often used by both defenders and signature-based anti-virus vendors to detonate samples.
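The practical question for a defender is how long a sandbox detonation has to run before it is likely to record the real C2 rather than only decoys. The following is an added example, not code from the report or from Check Point’s analysis. It models each 80-90 second contact round as an independent trial with a constant chance of hitting the real C2, infers that per-round chance from the report’s "50% within 9 minutes" figure, and then computes the detonation time needed for a chosen confidence level. The 85 second interval (the midpoint of the reported range) and the independent-trial assumption are assumptions of this example, not facts from the report.

```python
import math

# Assumption for this example: beacon interval taken as the midpoint of the
# reported 80-90 second range. Not a value stated in the report.
INTERVAL_S = 85.0

# From the report: 50% chance the real C2 is contacted within a 9-minute period.
HALF_LIFE_S = 9 * 60
HALF_LIFE_P = 0.5


def attempts_within(seconds, interval_s=INTERVAL_S):
    """Number of C2 contact rounds in a detonation of the given length:
    the initial attempt plus one further attempt per interval."""
    return int(seconds // interval_s) + 1


def per_round_probability(p_hit, seconds, interval_s=INTERVAL_S):
    """Solve 1 - (1 - p)^n = p_hit for p, the per-round chance that the
    real C2 is among the domains actually contacted (assumed constant)."""
    n = attempts_within(seconds, interval_s)
    return 1.0 - (1.0 - p_hit) ** (1.0 / n)


def probability_within(seconds, p_round, interval_s=INTERVAL_S):
    """Chance that at least one round in `seconds` reaches the real C2."""
    n = attempts_within(seconds, interval_s)
    return 1.0 - (1.0 - p_round) ** n


def detonation_time_for(confidence, p_round, interval_s=INTERVAL_S):
    """Shortest detonation length (seconds) that gives at least `confidence`
    probability of observing the real C2. Rounds needed: smallest n with
    1 - (1 - p)^n >= confidence; time is (n - 1) intervals after the first
    attempt. The small epsilon guards against floating-point rounding."""
    n = math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_round) - 1e-9)
    return (n - 1) * interval_s


def sandbox_plan(confidences=(0.5, 0.9, 0.99, 0.999)):
    """Return (confidence, seconds) pairs for the report's stated figures,
    so an analyst can size a detonation window."""
    p = per_round_probability(HALF_LIFE_P, HALF_LIFE_S)
    return [(c, detonation_time_for(c, p)) for c in confidences]


if __name__ == "__main__":
    p = per_round_probability(HALF_LIFE_P, HALF_LIFE_S)
    print(f"implied per-round chance of reaching the real C2: {p:.3f}")
    print(f"chance within one hour: {probability_within(3600, p):.3f}")
    for conf, secs in sandbox_plan():
        print(f"{conf:>6.1%} confidence -> run sandbox for about {secs / 60:.0f} min")
```

With these assumptions the implied per-round probability is roughly 0.09, and the model reproduces the report’s second figure on its own: about 98-99% within an hour. The 99% row of the plan is the useful number for a detonation policy, since a sandbox that stops after the conventional few minutes will, more often than not, have seen only decoy domains.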
Once again, XLoader’s authors have shown a willingness to spend the time and effort to make both their code and their C2 infrastructure difficult to analyze. These techniques are also largely aimed at endpoint detection technologies and are basically irrelevant to network-based detection efficacy.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. XLoader campaigns frequently use phishing and spear phishing emails containing malicious attachments as their attack vector.
When/How Did BluVector Detect It?
A total of 8 samples of XLoader malware were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing of these samples shows that BluVector would have detected them on average 97 months prior to their release.