A new version of the XLoader botnet has been found that uses probability theory to obfuscate its command-and-control (C2) servers, making it more resistant to disruption by security analysts. The method lets the botnet's operators keep using the same infrastructure without losing nodes while also evading detection.
Initially based on the FormBook trojan, XLoader is an infostealer that targets Windows and macOS. Security analysts first detected its widespread deployment in January of last year. Several researchers have sampled the most recent versions of the botnet, 2.5 and 2.6, and identified some critical changes from its older versions.
The analysis shows that the botnet has been hiding its C2 servers since at least version 2.3. The threat operators obfuscate the real domain name in a comprehensive configuration involving at least 63 decoy domains.
The latest versions of XLoader overwrite eight domains in an array of randomly picked decoy domains, using new values on every communication attempt.
As the analysts explained, whenever the real C2 server's domain appears in the second part of the list, it is accessed once per cycle, roughly every 80 to 90 seconds. If it appears in the first part of the list, however, a random domain name overwrites it, keeping it hidden.
In effect, the botnet operators are exploiting probability to hide their C2 servers, overwriting domain names with values drawn from the 63 decoy domains.
The eight domains that overwrite the first part of the list are selected at random, and the real C2 server's domain may be among them. The probability that analysts see the real C2 server accessed in the next cycle is 7/64 or 1/8, depending on the position of the fake C2 server domain in the list.
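The rotation described above, as an added simulation that is not part of the article or the researchers' work: it models a 64-entry list (63 constructed decoy names plus one placeholder real C2), picks a sub-list each cycle, overwrites its first eight entries with random decoys, and only contacts the rest. The article does not state how many entries the "second part" holds; eight contacted slots is an assumption chosen because it reproduces the 1/8 figure the article quotes, and the 7/64 case is not modelled. From a defender's side it shows why a single sandbox cycle is unlikely to reveal the real C2 and roughly how many cycles an observer should expect to wait.

```python
import random
from fractions import Fraction

# Constructed model of the rotation described in the article: 63 decoy
# domains plus the real C2 form a 64-entry list; each cycle the first
# eight entries of a randomly picked sub-list are overwritten with decoys,
# and only the remaining entries are contacted.
LIST_SIZE = 64
OVERWRITTEN = 8
# ASSUMPTION: the article only says "second part"; eight contacted slots
# is what reproduces the 1/8 figure it quotes.
CONTACTED = 8

REAL_C2 = "real-c2.invalid"                                        # constructed placeholder
DECOYS = [f"decoy{i:02d}.invalid" for i in range(LIST_SIZE - 1)]   # constructed decoy names


def build_config(seed=0):
    """Return the 64-entry domain list with the real C2 at a random position."""
    rng = random.Random(seed)
    domains = DECOYS + [REAL_C2]
    rng.shuffle(domains)
    return domains


def run_cycle(domains, rng):
    """One communication cycle: pick a sub-list, overwrite its first part with
    random decoys, and return the domains that would actually be contacted."""
    picked = rng.sample(domains, OVERWRITTEN + CONTACTED)
    # The first part is replaced by fresh decoy values, so if the real C2
    # landed there it stays hidden for this cycle.
    first_part = [rng.choice(DECOYS) for _ in range(OVERWRITTEN)]
    second_part = picked[OVERWRITTEN:]
    return first_part + second_part


def analytic_probability():
    """Chance that the real C2 sits in the contacted second part: 8/64 = 1/8."""
    return Fraction(CONTACTED, LIST_SIZE)


def simulate(cycles, seed=0):
    """Empirical fraction of cycles in which the real C2 is contacted."""
    rng = random.Random(seed)
    domains = build_config(seed)
    hits = sum(REAL_C2 in run_cycle(domains, rng) for _ in range(cycles))
    return hits / cycles


def real_c2_never_in_first_part(cycles, seed=0):
    """Check the model's invariant: the overwritten first part never exposes the real C2."""
    rng = random.Random(seed)
    domains = build_config(seed)
    return all(REAL_C2 not in run_cycle(domains, rng)[:OVERWRITTEN] for _ in range(cycles))


def cycles_until_first_contact(seed=0, limit=10_000):
    """Number of cycles an observer waits before the real C2 first appears
    (expected value 8 under the model); None if it never appears within limit."""
    rng = random.Random(seed)
    domains = build_config(seed)
    for n in range(1, limit + 1):
        if REAL_C2 in run_cycle(domains, rng):
            return n
    return None


if __name__ == "__main__":
    print("analytic probability per cycle:", analytic_probability())
    print("simulated over 20000 cycles:", round(simulate(20_000, seed=1), 3))
    print("cycles until first contact (seed 1):", cycles_until_first_contact(seed=1))
```

At the article's stated cycle length of 80 to 90 seconds, an expected eight cycles means a sandbox run needs on the order of ten minutes or more before the real domain is likely to show up even once, and a single cycle's traffic cannot distinguish it from the decoys.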
By using this probability-based method to hide the real C2 server of the XLoader botnet, the threat operators have been able to advance their malicious operations while remaining undetected by security analysts.
This study presents another case of threat operators employing new methods to keep their campaigns from being detected, while giving researchers an opportunity to study how to combat them.