XLoader, an advanced evolution of the FormBook malware, stands out as a highly sophisticated cyber threat known for its dual functionality as an information stealer and a versatile downloader for malicious payloads. Notable for its resilience, xLoader constantly adopts the latest and most intricate evasion techniques, making it a formidable challenge for cybersecurity defenses. Its notoriety is heightened by its role as a commercial Malware-as-a-Service offering, enabling cybercriminals to tailor and deploy the malware for diverse malicious activities. The malware’s continuous evolution and ability to elude detection underline the need for robust cybersecurity measures to counter its intricate and multifaceted attacks, which target individuals and organizations alike.
Key Findings:
- Initial Dropper: Xloader uses an initial dropper similar to that of other infostealers such as Remcos RAT and Agent Tesla. The initial dropper is a .NET executable that contains multiple embedded DLLs, which are extracted and decrypted at run time to launch the payload, i.e. the actual malware. The payload is launched using Process Hollowing, either in the dropper's own process or in another running process, depending on the dropper's configuration.
- Native Assembly Payload: Xloader is written in native low-level assembly/C. There are no plaintext strings, imports or libraries found in this payload. Native assembly combined with C already makes it much harder to analyze and detect than other infostealers such as Remcos, Agent Tesla and NanoCore.
- Anti-Analysis/VM Techniques: It uses advanced techniques to detect whether the malware is running in an analysis environment. These techniques ensure that the anti-VM checks cannot be bypassed as simply as patching a jump or return condition.
- Custom Encryption Algorithms: It uses a custom RC4 encryption/decryption algorithm with additional subtraction operations.
- API/String/Library Hashing: Xloader uses the CRC32/BZIP2 hashing algorithm for its strings, library names and API names to hide its internal workings.
- Encrypted Core Functions: Xloader’s core malicious functions are all encrypted and are decrypted at run time; the code is renewed or regenerated only after all anti-VM checks have passed and a key has been generated.
- Unhooked Clean Ntdll: It uses a clean copy of ntdll, manually mapped into its own memory, which bypasses all hooks placed on ntdll APIs. It uses Native APIs for its malicious activities, which are therefore hidden from EDR solutions relying on those hooks.
- Persistence: Xloader adds persistence using Run Registry Keys and copying itself in Program Files (x86).
- Privilege Escalation: It escalates privileges only for copying itself in the Program Files (x86) and adding persistence. The privilege escalation is achieved by abusing DllHost.exe and COM objects.
- Process Injection: Xloader relies heavily on process injection. It infects multiple processes during its execution and even migrates to a different process.
- Decoy C2s: It uses a combination of decoy C2 servers and makes a significant effort to hide its real C2.
- Form Grabber: Xloader is not just an infostealer; it also works as a form grabber. Inline hooks are injected into multiple victim processes to capture form data before it is encrypted.
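To make the API/String/Library Hashing finding above concrete, here is an added example (not xLoader's own code) that implements the non-reflected CRC-32/BZIP2 variant next to the standard reflected zlib CRC-32 and builds a reverse lookup table from a constructed list of API and library names, the way an analyst pre-computes hashes to label constants found in a sample. How the malware normalizes names before hashing (case, NUL terminator) is not stated on the page, so hashing the raw ASCII name is an assumption.

```python
import zlib

# Same generator polynomial as zlib CRC-32, but CRC-32/BZIP2 processes bits MSB-first
# (no input/output reflection); the two variants give different digests.
CRC32_BZIP2_POLY = 0x04C11DB7


def crc32_bzip2(data: bytes) -> int:
    """CRC-32/BZIP2: poly 0x04C11DB7, init 0xFFFFFFFF, refin/refout false, xorout 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ CRC32_BZIP2_POLY) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF


def crc32_standard(data: bytes) -> int:
    """Reflected CRC-32 (zlib/PKZIP), kept alongside so both variants can be tried on a constant."""
    return zlib.crc32(data) & 0xFFFFFFFF


# Constructed sample of names to pre-hash; in practice feed the full export lists of the DLLs.
SAMPLE_NAMES = [
    "ntdll.dll", "kernel32.dll", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtProtectVirtualMemory", "CreateProcessW", "RegSetValueExW",
]


def build_lookup(names, hasher):
    """Map hash -> name. Assumption: the raw ASCII name is hashed (no NUL, case preserved)."""
    return {hasher(n.encode("ascii")): n for n in names}


LOOKUPS = {
    "crc32_bzip2": build_lookup(SAMPLE_NAMES, crc32_bzip2),
    "crc32": build_lookup(SAMPLE_NAMES, crc32_standard),
}


def resolve(value: int):
    """Return (variant, name) for a 32-bit constant seen in a sample, or None if unknown."""
    for variant, table in LOOKUPS.items():
        if value in table:
            return variant, table[value]
    return None


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        raw = name.encode("ascii")
        print(f"{name:26s} bzip2=0x{crc32_bzip2(raw):08x} zlib=0x{crc32_standard(raw):08x}")
```

The reference check value for CRC-32/BZIP2 over the ASCII string "123456789" is 0xFC891918 (0xCBF43926 for the reflected zlib variant), which is a quick way to confirm which variant a sample uses before trusting the lookup table.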