
New XLoader botnet uses probability theory to hide its servers
2022-05-31 15:45

Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware's operation.

XLoader already camouflaged its actual command and control servers in version 2.3 by hiding the real domain name in a configuration that includes 63 decoys.

In the most recent versions, Check Point's analysts noticed that on every communication attempt the malware overwrites 8 randomly chosen entries of the 64 domains in its configuration list with new values.

"The eight domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the 'fake c2' domain."
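From an analyst's side, the practical question raised by those two figures is how many communication cycles a sample must be allowed to run before the real C&C domain is likely to show up in the captured traffic. The following is an added example, not code from the article or from Check Point's report; it models each cycle as an independent draw with the per-cycle probability the article quotes (7/64 or 1/8), which is an assumption about the scheme, and derives the expected number of cycles and the number needed for a chosen confidence level.

```python
from fractions import Fraction

# Per-cycle probability of reaching the real C2, as quoted in the article for
# XLoader 2.5. Which list position yields which value is not restated here;
# both are simply carried as scenarios. Independence between cycles is assumed.
SCENARIOS = {
    "p = 7/64": Fraction(7, 64),
    "p = 1/8": Fraction(1, 8),
}


def prob_seen_within(p, n):
    """Probability that at least one of n independent cycles reaches the real C2."""
    return 1 - (1 - p) ** n


def expected_cycles(p):
    """Mean number of cycles until the first contact with the real C2 (geometric)."""
    return 1 / p


def cycles_for_confidence(p, confidence=Fraction(95, 100)):
    """Smallest n such that prob_seen_within(p, n) >= confidence, in exact arithmetic."""
    n = 0
    miss = Fraction(1)          # probability that all n cycles so far missed
    while 1 - miss < confidence:
        n += 1
        miss *= 1 - p
    return n


def summarize(confidence=Fraction(95, 100)):
    """Map each scenario to (expected cycles, cycles needed for the given confidence)."""
    return {
        label: (expected_cycles(p), cycles_for_confidence(p, confidence))
        for label, p in SCENARIOS.items()
    }


if __name__ == "__main__":
    for label, (mean, needed) in summarize().items():
        print(f"{label}: expected {float(mean):.2f} cycles, "
              f"{needed} cycles for 95% confidence")
```

Read the output as a lower bound on observation time: with p = 1/8 a sandbox run that stops after a handful of beacons will, more often than not, have recorded only decoy domains, which is exactly the effect the decoy list is designed to produce.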

In version 2.6, Check Point noticed that XLoader removed this functionality from the 64-bit version of the payload, where the malware contacts the real C2 domain every time.

In 32-bit systems, which are very common in virtual machine-hosted sandboxes used by threat analysts, XLoader maintains the new C2 obfuscation.


News URL

https://www.bleepingcomputer.com/news/security/new-xloader-botnet-uses-probability-theory-to-hide-its-servers/