The XLoader malware, also known as Formbook, has been equipped with new capabilities. Check Point security researchers have observed an enhanced version that uses a probability-based method to conceal its command-and-control servers. With this approach, it is now “significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains,” the researchers said.
XLoader Becoming Increasingly Stealthy by Using Probability Theory
XLoader and Formbook share the same structure and configuration. All XLoader samples have 64 domains and one URI, with earlier versions using a separately stored URI. “The 64 domains from the malware configuration are actually decoys, intended to distract the researchers’ attention,” the report said.
Communication with the command-and-control infrastructure, including the sending of data stolen from the victim, goes to both the decoy domains and the real C2 server. This also makes it possible to hide a backup C2 among the decoy domains and deploy it as a fallback communication channel if the primary C2 domain is taken down.
It should be noted that the domain name of the real C2 server is hidden within a configuration that contains 64 decoy domains: 16 of these are chosen at random, and 2 of those 16 are replaced with the fake C2 address and the real address, respectively. This probability-based approach helps XLoader stay stealthy and remain undetected.
“Even 9 minutes are enough to fool the emulators and prevent the detection of the real C&C server, based on the delays between accesses to the domains. At the same time, the regular knockback period maintained by the malware with the help of probability theory allows it to keep victims as botnet parts without sacrificing the functionality,” Check Point concluded.
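To make the selection scheme described above concrete from an analyst's side, here is a small simulation added for this article (not code from the malware or from Check Point's report). It models the numbers the report gives, 64 decoys, 16 drawn per cycle, 2 slots replaced by the fake and the real C2, using constructed placeholder domain names, and shows why a single observed cycle cannot single out the real server while repeated observations narrow the candidates down to the two always-present addresses.

```python
import random
from collections import Counter

# Constructed placeholders (not indicators from the article): 64 decoy
# domains plus a fake and a real C2 address.
DECOYS = [f"decoy{i:02d}.example" for i in range(64)]
FAKE_C2 = "fake-c2.invalid"
REAL_C2 = "real-c2.invalid"


def select_cycle(rng, decoys=DECOYS, fake=FAKE_C2, real=REAL_C2):
    """One communication cycle as the report describes it: 16 of the 64
    decoys are drawn at random, then two of those slots are overwritten
    with the fake and the real C2 address."""
    chosen = rng.sample(decoys, 16)
    slot_fake, slot_real = rng.sample(range(16), 2)
    chosen[slot_fake] = fake
    chosen[slot_real] = real
    return chosen


def rank_candidates(cycles):
    """Count how often each domain was contacted across observed cycles.
    Each decoy appears in a cycle with probability 14/64; the two
    substituted addresses appear in every cycle."""
    counts = Counter()
    for cycle in cycles:
        counts.update(cycle)
    return counts


def always_present(cycles):
    """Domains seen in every observed cycle: the shortlist an analyst is
    left with (after enough cycles only the fake and real C2 survive)."""
    counts = rank_candidates(cycles)
    return sorted(d for d, k in counts.items() if k == len(cycles))


if __name__ == "__main__":
    rng = random.Random(1)
    one = [select_cycle(rng)]
    many = [select_cycle(rng) for _ in range(20)]
    print("candidates after 1 cycle :", len(always_present(one)))
    print("candidates after 20 cycles:", always_present(many))
```

The shortlist never shrinks below two because the fake C2 is contacted just as regularly as the real one, which is the point of the decoy design: frequency alone identifies the pair, not which member is real.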
Formbook / XLoader in the Recent Past
The original idea behind Formbook was a simple keylogger. However, customers noticed its potential as a universal tool that can be deployed in spam campaigns against organizations worldwide.
Shortly after its sudden disappearance, the malware resurfaced in a new shape. XLoader became available for sale in a specific underground forum. This is when the malware added macOS to its list of targeted systems.
The interest in the malware is quite astonishing. During the 6 months between December 1, 2020 and June 1, 2021, Check Point saw Formbook/XLoader requests from as many as 69 countries, or more than a third of the total 195 countries recognized in the world today.
In July 2021, XLoader was sold for as little as $49 on the dark web.