XLoader Botnet: Find Me If You Can – Check Point Research

Check Point researchers analyze the evolution of XLoader, focusing on how the botnet camouflages its real C&C server among 64 decoy domains and how later versions rotate the domain list to frustrate analysis. The article details the 2.5 and 2.6 updates, which use probabilistic domain selection and a stored C&C index to keep the real server hidden from researchers while the operators retain control of the botnet.
Read more: https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/

Keypoints

  • The 64 domains in XLoader’s configuration are decoys meant to absorb researchers’ attention; the research focuses on identifying the real C&C server hidden among them.
  • The real C&C domain is disguised: it can serve a page that imitates a Hostinger or Namecheap parked-domain page so that an investigator dismisses it as unused.
  • XLoader 2.5 overwrites the first 8 domains of the list with new random values in each communication cycle, while the remaining entries stay static.
  • The article gives a probabilistic model of how often the real C&C server is contacted; its outputs (for example 7/64 and 1/8) depend on the position in the list and on timing.
  • XLoader 2.6 stores the real C&C index in state so that, on x64, the real server is contacted in every communication cycle (roughly every 80–90 seconds); on x86, the architecture typically used by analysis sandboxes, real_c2_index takes the same value as fake_c2_index and this special treatment is disabled.
  • Overall, the researchers estimate that fewer than 0.12% of the 100,000+ domains they tested are actual C&C servers, which shows how effective the deception is.
  • The analysis stresses that the operators keep advancing their evasion techniques to keep the botnet operational and hard to dissect.
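The practical consequence of the per-cycle probabilities above is a detonation-time question: how long must an x64 sandbox run before the real C&C server has very probably been contacted at least once? The following is an added example (not code from the article or from Check Point): it takes the page's figures (7/64 and 1/8 for XLoader 2.5, and 1 for XLoader 2.6 on x64, where the real index is kept in state) as per-cycle hit probabilities, assumes cycles are independent and last 80–90 seconds as reported, and derives the number of cycles needed for a chosen confidence, with a Monte Carlo cross-check. The independence assumption and the treatment of the page's ratios as per-cycle probabilities are this example's simplifications, not the article's selection algorithm.

```python
import math
import random

# Per-cycle probability that the real C&C server is contacted, taken from the
# figures the article gives. Treating them as independent per-cycle
# probabilities is an assumption made for this example.
P_REAL_C2 = {
    "XLoader 2.5 (7/64 case)": 7 / 64,
    "XLoader 2.5 (1/8 case)": 1 / 8,
    "XLoader 2.6 on x64": 1.0,
}

# Communication cycle length (seconds) reported for XLoader 2.6.
CYCLE_SECONDS = (80, 90)


def cycles_for_confidence(p, confidence=0.95):
    """Smallest n such that P(real C&C contacted at least once in n cycles) >= confidence,
    assuming every cycle hits the real server independently with probability p."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    if p == 1.0:
        return 1  # XLoader 2.6 on x64: first cycle already reaches the real server
    # 1 - (1 - p)^n >= confidence  <=>  n >= ln(1 - confidence) / ln(1 - p)
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))


def detonation_window(p, confidence=0.95, cycle_seconds=CYCLE_SECONDS):
    """Return (cycles, min_seconds, max_seconds) a sandbox run should last
    to observe the real C&C with the requested confidence."""
    n = cycles_for_confidence(p, confidence)
    return n, n * cycle_seconds[0], n * cycle_seconds[1]


def simulate_first_hit(p, trials=20000, seed=1):
    """Monte Carlo cross-check: mean number of cycles until the first real-C&C
    contact. For a geometric process this should approach 1 / p."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        n = 1
        while rng.random() >= p:  # random() is in [0, 1), so p == 1 always hits
            n += 1
        total += n
    return total / trials


if __name__ == "__main__":
    for label, p in P_REAL_C2.items():
        n, lo, hi = detonation_window(p)
        print(f"{label}: {n} cycles for 95% confidence, i.e. {lo}-{hi} s; "
              f"simulated mean cycles to first hit = {simulate_first_hit(p):.2f}")
```

With p = 1/8 the run needs 23 cycles (about 31–35 minutes); with p = 7/64 it needs 26. The same figures explain why a short x86 detonation of XLoader 2.6 rarely shows the real server while a single cycle on x64 does.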

MITRE Techniques

  • [T1071.001] Application Layer Protocol: Web Protocols – C&C traffic goes over HTTP to domain names, with the real server hidden among decoys; in XLoader 2.6 the real server is contacted in every communication cycle (about every 80–90 seconds). “The 64 domains from the malware configuration are actually decoys, intended to distract the researchers’ attention.” “the real C&C server is now accessed in every communication cycle, or once in approximately 80-90 seconds.”
  • [T1036] Masquerading – Real C&C servers are disguised as Hostinger and Namecheap parked-domain pages. “Real C&C servers disguised as Hostinger and Namecheap parked domain pages.”
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware checks the processor architecture and behaves differently on x64 and x86 to defeat sandbox analysis. “However, this logic is activated only when the malware runs in an x64 system. When it runs in an x86 system, the variable real_c2_index stores the same value as is stored in the fake_c2_index.”
  • [T1564] Hide Artifacts – The real C&C server is hidden within a larger set of decoys to conceal its presence. “The 64 domains… are actually decoys, intended to distract…”

Indicators of Compromise

  • [Domain] Domains serving fake Hostinger-style parked pages – bubu3cin.com, hype-clicks.com (Fake Hostinger), among others
  • [IP] IP addresses hosting the fake parked pages – 162.0.214.189, 162.0.223.146
  • [MD5] Root-page fingerprints (hash of the fake parked page content) – ce866938b246a89fd98fc6a6f666d21c, f891f22cd94c80844fcfe6fddb4b7912
  • [SHA256] XLoader samples – c3bf0677dfcb32b35defb6650e1f81ccfa2080e934af6ef926fd378091a25fdb, 77ed8c0589576ecaf87167bc9e178b15da57f7b341ea2fda624ecc5874b1464b
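The root-page fingerprints and IP addresses above are only useful if they are checked against what the candidate domains actually serve. The following is an added hunting helper (not code from the article or from Check Point) that takes already-collected observations per domain (resolved IP and raw root-page body, e.g. from a sandbox pcap or a crawler) and flags those that match the listed indicators. It assumes the page's MD5 fingerprints are hashes of the raw root-page body; the two sample observations are constructed for the example and one is fingerprinted at runtime so a match can be shown offline.

```python
import hashlib

# Indicators listed on the page.
KNOWN_FAKE_PARKED_PAGE_MD5 = {
    "ce866938b246a89fd98fc6a6f666d21c",
    "f891f22cd94c80844fcfe6fddb4b7912",
}
KNOWN_PARKED_PAGE_IPS = {"162.0.214.189", "162.0.223.146"}


def md5_hex(body: bytes) -> str:
    """MD5 of the raw root-page body (assumed to be how the page's fingerprints were made)."""
    return hashlib.md5(body).hexdigest()


def triage(observations, page_md5s=KNOWN_FAKE_PARKED_PAGE_MD5,
           ips=KNOWN_PARKED_PAGE_IPS):
    """observations: {domain: {"ip": str, "body": bytes}}.
    Returns {domain: [reasons]} for every domain that matches at least one indicator.
    A fingerprint match requires a byte-exact page, so any variation in the
    served HTML (whitespace, a templated domain name) will not match; treat a
    miss as 'unknown', not as 'clean'."""
    hits = {}
    for domain, obs in observations.items():
        reasons = []
        if obs.get("ip") in ips:
            reasons.append(f"resolves to known parked-page host {obs['ip']}")
        if obs.get("body") is not None and md5_hex(obs["body"]) in page_md5s:
            reasons.append("root page matches known fake parked-page fingerprint")
        if reasons:
            hits[domain] = reasons
    return hits


# Constructed sample observations (not real captures). The first body is
# fingerprinted at runtime and added to a local indicator set so the example
# demonstrates a page match without network access.
SAMPLE_FAKE_PAGE = b"<html><head><title>This domain is parked</title></head><body></body></html>"
SAMPLE_OBSERVATIONS = {
    "decoy-one.example": {"ip": "198.51.100.10", "body": b"<html><body>nothing here</body></html>"},
    "candidate.example": {"ip": "162.0.214.189", "body": SAMPLE_FAKE_PAGE},
    "no-page.example": {"ip": "203.0.113.5", "body": None},
}


def run_sample():
    local_md5s = KNOWN_FAKE_PARKED_PAGE_MD5 | {md5_hex(SAMPLE_FAKE_PAGE)}
    return triage(SAMPLE_OBSERVATIONS, page_md5s=local_md5s)


if __name__ == "__main__":
    for domain, reasons in run_sample().items():
        print(domain, "->", "; ".join(reasons))
```

A domain that both resolves to one of the listed hosts and serves a fingerprinted page is the strongest candidate for the disguised real C&C; a domain that matches neither is simply unverified, which is the point the article makes about how few of the tested domains turn out to be real.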
