An enhanced version of XLoader malware that takes a probability-based approach to camouflage its command and control (C&C) infrastructure has been detected, according to the latest security research.

According to the Israeli cybersecurity team Check Point, it is now considerably more difficult to separate the wheat from the chaff and discover the real C&C servers among the thousands of legitimate domains that XLoader uses as smokescreens.

First seen in the wild in October 2020, XLoader is a successor to Formbook and a cross-platform data stealer capable of stealing web browser credentials, capturing keystrokes and screenshots, and executing arbitrary commands and payloads.

More recently, the ongoing geopolitical conflict between Russia and Ukraine has proven to be lucrative fodder for distributing XLoader via phishing emails targeting high-ranking officials in Ukraine.

What has changed in newer versions of XLoader is that, after 16 decoy domains are selected from the configuration, the first eight domains of each communication cycle are overwritten with new random values, while steps are taken to skip the decoy domains, making the malware stealthier.
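The scheme above hides a fixed real server among decoys that change from cycle to cycle, which is exactly the property an analyst can turn against it: across many captured communication cycles, the real C&C is the domain that never churns. The following is an added example, not code from the article or from Check Point's research; it simulates the rotation as the article describes it (16 decoys picked from a configuration, the first eight replaced by random names, the real server contacted alongside them) and ranks domains by how many cycles they appear in. Domain names, pool size and the number of cycles are constructed assumptions.

```python
import random
from collections import Counter

# Constructed stand-ins (hypothetical names, not real infrastructure):
# a pool of decoy domains representing the legitimate domains in an
# XLoader configuration, and a placeholder for the real C&C server.
DECOY_POOL = [f"decoy-{i:04d}.example" for i in range(2000)]
REAL_C2 = "c2-placeholder.example"


def simulate_cycle(rng):
    """Model one communication cycle as the article describes it.
    Simplified model for illustration, not XLoader's actual code."""
    selected = rng.sample(DECOY_POOL, 16)            # 16 decoys from the config
    randomized = [f"rnd-{rng.getrandbits(32):08x}.example" for _ in range(8)]
    contacted = randomized + selected[8:] + [REAL_C2]  # first 8 overwritten, real C2 added
    rng.shuffle(contacted)                            # order carries no signal
    return contacted


def simulate_cycles(n_cycles, seed):
    """Produce the domain lists an analyst might extract from n captured cycles."""
    rng = random.Random(seed)
    return [simulate_cycle(rng) for _ in range(n_cycles)]


def rank_persistent_domains(cycles):
    """Count in how many cycles each domain appears. Decoys churn between
    cycles, so any single decoy is rare; the real C&C is contacted every time."""
    per_cycle = Counter()
    for domains in cycles:
        per_cycle.update(set(domains))  # one hit per domain per cycle
    return per_cycle.most_common()


def find_candidate_c2(cycles):
    """Return (top domain, its cycle count, runner-up count) for triage."""
    ranked = rank_persistent_domains(cycles)
    top_domain, top_count = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    return top_domain, top_count, runner_up


if __name__ == "__main__":
    cycles = simulate_cycles(40, seed=1234)
    domain, hits, runner_up = find_candidate_c2(cycles)
    print(f"candidate C&C: {domain} seen in {hits}/{len(cycles)} cycles "
          f"(next most frequent domain: {runner_up})")
```

With a pool of thousands of decoys, any given decoy is expected to recur only a handful of times over dozens of cycles, so the gap between the top entry and the runner-up is the signal to check before treating the top domain as the real server.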

As we can see, the malware authors have applied principles of probability theory to reach their real server while hiding it among decoys. This demonstrates once again how threat actors constantly fine-tune their tactics in order to steal our information, and it is for this reason, among many others, that we must be prepared for all kinds of threats we may face.
