Cyble – Xloader Returns With New Infection Technique

Cyble Research Labs analyzed Xloader’s updated infection technique, detailing a multi-stage chain that starts with a phishing email delivering a PDF attachment, then moves through an embedded XLSX and an RTF-triggered dropper to load the final Xloader payload. The campaign uses steganography to hide content in a bitmap and relies on process hollowing, obfuscation, and anti-analysis checks to evade defenses.
#Xloader #Formbook #BunifuUI #MajorRevisionExe #XLNG #ProcessHollowing

Keypoints

  • Xloader is a rebranded Formbook information stealer that exfiltrates credentials, screenshots, keystrokes, and clipboard data to a C2 server.
  • The infection chain begins with spam emails containing a PDF attachment, which leads to a sequence of dropped/embedded files designed to evade user suspicion.
  • Opening the PDF triggers an embedded XLSX, which downloads an RTF document that leverages a Word equation editor vulnerability (CVE-2017-11882) to fetch a .NET payload (vbc.exe).
  • vbc.exe loads a further module (Bunifu.UI.dll) in memory; this obfuscated module retrieves a hidden bitmap resource, from which a second stage is loaded in memory.
  • The final payload, MajorRevision.exe, uses mutex-based single-instance protection, anti-analysis techniques, and process hollowing to inject into explorer.exe and persist via a registry Run key.

MITRE Techniques

  • [T1566] Phishing – Initial access occurs via spam emails delivering malicious attachments; quote: “Typically, Xloader spreads via spam emails that trick victims into downloading a malicious attachment, such as MS Office documents, PDF documents, etc.”
  • [T1204] User Execution – Execution triggered when a user opens the PDF and the embedded components are dropped; quote: “Upon opening a PDF file, it drops the embedded XLSX file named ‘has been verified. However PDF, JPG, Docx, .xlsx’ into the ‘Temp’ location.”
  • [T1203] Exploitation for Client Execution – The RTF document downloads a .NET payload via an equation editor vulnerability; quote: “The .NET executable file named ‘vbc.exe’ is downloaded from the RTF document via equation editor vulnerability (CVE-2017-11882) and is an obfuscated binary file.”
  • [T1547] Registry Run Keys / Startup Folder – Persistence via a Run key to auto-start the dropped malware; quote: “the malware creates the below registry key for autorun to execute the dropped malware file when the user logs in to the system.”
  • [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks to hinder execution in controlled environments; quote: “Contains multiple Anti-Analysis and Anti-Detection checks to prevent the execution of the malware in a controlled environment.”
  • [T1552] Credentials in Files – Exfiltration of browser credentials and sensitive data (cookies, keystrokes, clipboard, screenshots); quote: “Xloader malware uses the magic bytes “XLNG”… steals credentials or cookies from browsers, logs keystrokes, steals clipboard content, takes screenshots.”
  • [T1071] Application Layer Protocol – Command and control communications to the threat actor’s server; quote: “Finally, after a successful connection to the Threat Actor’s C&C server, Xloader can be instructed to download and launch additional payloads…”

Indicators of Compromise

  • [Mutex] fBEQVtAy – used to ensure only one malware instance runs; quote: “it first creates a mutex named “fBEQVtAy” to ensure that only one instance of malware runs on the victims’ system.”
  • [Registry Key] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J8TPYFN8OVE = “C:\Program Files (x86)\L9rqlwinmrhl7bm.exe” – persistence mechanism; quote: “the malware creates the below registry key for autorun to execute the dropped malware file when the user logs in to the system.”
  • [File Path] C:\Program Files (x86)\L9rqlwinmrhl7bm.exe – dropped executable path for persistence; quote: “to establish persistence, the malware creates the below registry key for autorun to execute the dropped malware file…”
  • [File Name] vbc.exe – the downloaded .NET executable from the RTF document; quote: “The .NET executable file named ‘vbc.exe’ is downloaded from the RTF document…”
  • [File Name] MajorRevision.exe – final payload loaded in memory; quote: “The new file decompressed from the resource is another obfuscated .NET binary titled ‘MajorRevision.exe’.”
  • [URL] hxxps://[email protected]/Nmtw – RTF/RTF-to-EXE download URL; quote: “download RTF file from C&C”
  • [URL] hxxp://192.227.173.33/71/vbc.exe – final payload download URL; quote: “Download EXE file from C&C”
  • [SHA256] d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e – Obfuscated .NET exe Main file
  • [SHA256] 50204673d080635b23b8f219a70e276acd3dd3779543fbd4b82a217c06dc14fb – De-obfuscated .NET exe Main file
  • [MD5] afa05a84f53f793fdad59d8af603b497 – Spam email
  • [MD5] 96d95ee6d0c9da16d245579ad1ff2e9f – PDF
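The indicators above, together with the persistence and C2 behaviour described in the key points, are the kind of thing a detection engineer turns into a triage rule. The script below is an added example, not code from Cyble or from the write-up: it loads the published hashes and the vbc.exe download URL, refangs the defanged URL, and runs constructed Sysmon-style events (process creation with hashes, registry value writes, outbound connections) through three checks. The events, image paths and port numbers are made up for the demonstration; the dropped-file path in the registry event is a placeholder rather than the exact value from the write-up. The registry check deliberately covers the Policies\Explorer\Run key, a legitimate Group Policy autorun location that many baselines omit and that this campaign used.

```python
"""Added example (not Cyble's code): triage constructed Sysmon-style events
against the indicators reported in the Xloader write-up."""
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up, defanged as published.
IOC_HASHES = {
    "sha256": {
        "d0c85ba5e6d88e1e0b5f068f125829b4e224b90be2488f2c21317447dc51fb9e",
        "50204673d080635b23b8f219a70e276acd3dd3779543fbd4b82a217c06dc14fb",
    },
    "md5": {
        "afa05a84f53f793fdad59d8af603b497",
        "96d95ee6d0c9da16d245579ad1ff2e9f",
    },
}
IOC_URLS = {"hxxp://192.227.173.33/71/vbc.exe"}

# Autorun locations worth alerting on. Policies\Explorer\Run is a legitimate
# Group Policy autorun key that baselines often omit; Xloader wrote its
# persistence value there. The trailing segment is the value name.
AUTORUN_KEY = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Policies\\Explorer\\)?Run(?:Once)?\\[^\\]+$",
    re.IGNORECASE,
)


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL string."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


IOC_HOSTS = {urlsplit(refang(u)).hostname for u in IOC_URLS}


def parse_hashes(field: str) -> dict:
    """Parse a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...' into
    {algorithm: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def triage(events: list) -> list:
    """Return (rule, detail) findings for events that match the write-up's
    indicators or write to an autorun registry location."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            for algo, value in parse_hashes(ev.get("hashes", "")).items():
                if value in IOC_HASHES.get(algo, ()):
                    findings.append(("ioc_hash_match", f"{ev['image']} {algo}={value}"))
        elif kind == "registry_set":
            target = ev.get("target", "")
            if AUTORUN_KEY.match(target):
                findings.append(("autorun_registry_write", f"{target} = {ev.get('details', '')}"))
        elif kind == "network_connect":
            if ev.get("dest_ip") in IOC_HOSTS:
                findings.append(("ioc_c2_connection",
                                 f"{ev['image']} -> {ev['dest_ip']}:{ev.get('dest_port')}"))
    return findings


# Constructed sample events (hypothetical images, ports and dropped path).
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Users\victim\AppData\Local\Temp\vbc.exe",
     "hashes": "SHA256=D0C85BA5E6D88E1E0B5F068F125829B4E224B90BE2488F2C21317447DC51FB9E"},
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J8TPYFN8OVE",
     "details": r"C:\Program Files (x86)\<dropped-folder>\<dropped>.exe"},  # placeholder path
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",          # benign: not an autorun key
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
    {"type": "network_connect", "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dest_ip": "192.227.173.33", "dest_port": 80},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",  # benign traffic
     "dest_ip": "10.0.0.5", "dest_port": 443},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Hash and host matching are exact, so they only catch the samples the write-up published; the autorun rule is behavioural and will also surface a re-packed build that lands in the same key, at the cost of needing an allow-list for legitimate Group Policy entries in your environment.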

Read more: https://blog.cyble.com/2022/07/01/xloader-returns-with-new-infection-technique/