Security News, June 2022: New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers
"Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company Check Point said.
The latest findings from Check Point build on a previous report from Zscaler in January 2022, which revealed the inner workings of the malware's C&C network encryption and communication protocol, noting its use of decoy servers to conceal the legitimate server and evade malware analysis systems.
The stealthiness comes from the fact that the real C&C server's domain name is hidden alongside a configuration containing 64 decoy domains: 16 of these are randomly picked, and two of those 16 are then replaced with the fake C&C address and the authentic one.
What's changed in the newer versions of XLoader is that after the selection of 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain.
XLoader 2.5 replaces three of the domains in the created list with two decoy server addresses and the real C&C server domain.
The ultimate goal is to prevent the real C&C server from being identified by the delays between accesses to the different domains.
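To make the selection scheme concrete, the following is an added model written for this page (it is not Check Point's, Zscaler's, or the malware's own code); every domain name is a constructed placeholder, and drawing the fresh "random values" for the first eight slots from the same 64-domain pool is an assumption of the model. It also shows what an analyst gains from observing several communication cycles rather than one: the churned slots spread their traffic across many domains, while the unchurned slots and the real C&C recur in every cycle.

```python
import random
from collections import Counter

# Constructed placeholder configuration; none of these names come from the report.
DECOY_POOL = [f"decoy{i:02d}.invalid" for i in range(64)]
FAKE_C2 = "fake-c2.invalid"
REAL_C2 = "real-c2.invalid"
LIST_SIZE, CHURN_SLOTS = 16, 8


def initial_list(rng):
    """Pick 16 of the 64 decoys, then replace two of them with the fake and real C&C."""
    domains = rng.sample(DECOY_POOL, LIST_SIZE)
    fake_idx, real_idx = rng.sample(range(LIST_SIZE), 2)
    domains[fake_idx] = FAKE_C2
    domains[real_idx] = REAL_C2
    return domains


def churn(rng, domains):
    """Before each cycle, overwrite the first eight slots with new random decoys,
    skipping the slot that holds the real C&C.
    Assumption: fresh values are drawn from the same 64-domain pool."""
    out = list(domains)
    for i in range(CHURN_SLOTS):
        if out[i] != REAL_C2:
            out[i] = rng.choice(DECOY_POOL)
    return out


def simulate(cycles, seed=0):
    """Return a Counter of how many cycles each domain was contacted in."""
    rng = random.Random(seed)
    domains = initial_list(rng)
    seen = Counter()
    for _ in range(cycles):
        domains = churn(rng, domains)
        seen.update(set(domains))  # one hit per domain per cycle
    return seen


def persistent_domains(cycles, seed=0):
    """Domains present in every cycle: the eight unchurned slots plus the real C&C.
    This is the small candidate set left once per-cycle churn is filtered out."""
    seen = simulate(cycles, seed)
    return sorted(d for d, n in seen.items() if n == cycles)


if __name__ == "__main__":
    print("distinct domains seen:", len(simulate(50)))
    print("present every cycle:", persistent_domains(50))
```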
News URL
https://thehackernews.com/2022/06/new-xloader-botnet-version-using.html