XRed Backdoor: The Hidden Threat in Trojanized Programs

eSentire’s TRU discovered a trojanized “Windows InstantView.exe” installer that drops an embedded XRed backdoor as Synaptics.exe (SHA-1: 54efba3a1e800e0a0cccddc7950476c646935d28; the 40-character digest is SHA-1, not MD5) and uses a legitimate InstantView executable as a decoy. The backdoor provides C2 capabilities (remote commands, SMTP-based data exfiltration, keylogging), USB autorun propagation, and macro-based spreading via infected XLSM files.

Keypoints

  • eSentire identified a trojanized Windows InstantView.exe that drops Synaptics.exe (XRed backdoor) and launches a legitimate InstantView as a decoy.
  • XRed (active since at least 2019) establishes persistence via a Registry Run key and hides its payload in C:\ProgramData\Synaptics.
  • The backdoor can download additional payloads from hardcoded URLs, execute remote commands, capture screenshots, list files/disks, and provide a remote command shell.
  • XRed implements keylogging via keyboard hooks and exfiltrates system info (MAC, username, hostname) to attacker-controlled SMTP addresses.
  • It propagates via USB by creating autorun.inf entries and spreads through Office by injecting a password-protected VBA macro into XLSM files that disables macro warnings and drops the payload into document folders.
  • The trojanized InstantView binary is unsigned (legitimate Silicon Motion binary is signed), facilitating supply-chain style deception.
  • Indicators include specific file hashes, filenames, registry run key paths, hidden directories, and autorun content useful for detection and remediation.

MITRE Techniques

  • [T1195] Supply Chain Compromise – Trojanized legitimate software (Windows InstantView.exe) used to deliver the backdoor (‘The trojanized “Windows InstantView.exe” is not signed and has “Synaptics Pointing Device Driver” for Product and Description names’).
  • [T1204] User Execution – Execution requires running the trojanized installer which then downloads and launches the legitimate decoy (‘Upon executing the trojanized binary, it downloads the legitimate copy of InstantView.exe from siliconmotion[.]com and launches it as a decoy’).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value ‘Synaptics Pointing Device Driver’ pointing to C:\ProgramData\Synaptics\Synaptics.exe (‘persistence is achieved via the Registry Run Key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) with the value name “Synaptics Pointing Device Driver”’).
  • [T1105] Ingress Tool Transfer – Backdoor contains functionality to retrieve additional payloads from hardcoded URLs (‘The payload contains the functionality to retrieve additional payload from the URLs that can be hardcoded in the binary’).
  • [T1056.001] Input Capture: Keylogging – Implements keyboard hooks to capture keystrokes (‘the backdoor features keylogging functionality through keyboard hooking’).
  • [T1041] Exfiltration Over C2 Channel (SMTP) – System information is sent to attacker-controlled email addresses via SMTP (‘XRed collects system information … and transmits this data to the attacker using SMTP to email addresses shown’).
  • [T1071] Application Layer Protocol – Remote shell and command execution driven by commands from the attacker’s server (e.g., GetCMDAccess, GetScreenImage, ListDisk) (‘The following remote commands can be executed from attacker’s server … GetCMDAccess – obtaining command prompt access.’).
  • [T1091] Replication Through Removable Media – Creates autorun.inf on inserted USB drives to auto-execute Synaptics.exe (‘it verifies the presence of an “autorun.inf” file on any inserted drive; if absent, it generates the file and includes the following: [autorun] open=Synaptics.exe shellexecute= Synaptics.exe’).
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Embedded password-protected VBA macro injects malicious code into XLSM files and disables macro security warnings via the registry (‘The embedded password-protected VBA script … injects the malicious VBA code into them … disables security warnings for VBA macros via the registry’).
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Payload stored in a hidden folder C:\ProgramData\Synaptics and files given hidden attributes (‘The trojanized version … drops Synaptics.exe payload under C:\ProgramData\Synaptics … The folder was hidden to ensure stealthiness’).

Indicators of Compromise

  • [File Hash] Malicious binaries – SHA-1 54efba3a1e800e0a0cccddc7950476c646935d28 (Synaptics.exe), MD5 8fe9734738d9851113a7ac5f8f484d29 (Windows InstantView.exe)
  • [Filenames/Paths] Dropped payload and decoy – C:\ProgramData\Synaptics\Synaptics.exe; Windows InstantView.exe (trojanized and legitimate variants)
  • [Registry] Persistence key – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run -> ‘Synaptics Pointing Device Driver’ = ‘C:\ProgramData\Synaptics\Synaptics.exe’
  • [Autorun] USB propagation content – autorun.inf entries with ‘open=Synaptics.exe’ and ‘shellexecute= Synaptics.exe’
  • [Documents] Macro propagation filename pattern – injected into existing .XLSM files and copies payload as ‘~$cache1’ in the document directory
  • [Network] Download/command-and-control URLs – hardcoded payload retrieval URLs and attacker SMTP addresses shown in figures (examples were reported but are currently offline)

The trojanized Windows InstantView installer embeds a hidden Synaptics.exe payload (XRed) and launches a downloaded legitimate InstantView binary as a decoy. On execution the installer drops Synaptics.exe to C:\ProgramData\Synaptics (hidden), creates a Registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run named “Synaptics Pointing Device Driver” to maintain persistence, and checks a mutex (“Synaptics2X”) to enforce a single running instance.

XRed contains C2/backdoor capabilities: it can retrieve additional payloads from hardcoded URLs, execute remote commands (GetCMDAccess, GetScreenImage, ListDisk, ListDir, DownloadFile, DeleteFile), capture screenshots, and exfiltrate collected system identifiers (MAC, username, hostname) via SMTP. It implements keyboard hooking for keylogging, stores a payload version resource (EXEVSNX = 106), and will attempt ingress tool transfer for further modules when contacted by its C2.

For propagation, XRed generates autorun.inf entries on removable media to auto-launch Synaptics.exe and carries an embedded, password-protected VBA macro that copies itself into existing .XLSM files, disables Office macro warnings via registry changes, and places a hidden copy of Synaptics.exe (named like ‘~$cache1’) into the document directory; if local files are absent the macro will attempt to download the backdoor from listed URLs (currently offline). Detection should focus on the listed hashes and filenames, the HKCU Run registry value, hidden C:\ProgramData\Synaptics content, autorun.inf behavior on removable media, and unusual SMTP traffic to attacker addresses.

Read more: https://www.esentire.com/blog/xred-backdoor-the-hidden-threat-in-trojanized-programs