Latest Xloader Obfuscation Methods and Network Protocol

The Zscaler ThreatLabz analysis details Xloader (rebranded from FormBook), highlighting enhanced obfuscation since version 8.1 and a comprehensive breakdown of its multi-layered HTTP network protocol and encryption. The report describes runtime function decryption, opaque predicates, multiple RC4 encryption stages, decoy C2 IP lists, and HTTP GET/POST commands used to exfiltrate browser and email credentials and to download and execute secondary payloads. #Xloader #Formbook

Keypoints

  • Xloader is a rebranded evolution of FormBook that continues to receive feature and obfuscation updates (latest observed version 8.7).
  • Since version 8.1, the malware added more sophisticated obfuscation: out-of-order stack parameter construction, encrypted function blocks, opaque predicates, and XOR-based constant/prologue obfuscation.
  • Xloader uses a multi-stage network encryption scheme (multiple RC4 keys, SHA-1 derivation from C2 URL, Base64 encoding) and deliberately decrypts keys at different phases to hinder analysis.
  • The malware supports HTTP-based C2 via raw TCP sockets or WinINet API, uses PKT2-formatted GET requests and POST requests to exfiltrate credentials, and employs randomized query parameters and decoy C2 IPs to evade sandboxing.
  • Xloader collects credentials and cookies from browsers and email clients, can execute arbitrary commands (PowerShell, EXE, DLL), download and run secondary payloads, update itself, and remove itself.
  • The sample set includes 65 encrypted C2 IP addresses decrypted at runtime and uses decoys, making identification of live C2 servers reliant on active network interaction and emulation.

MITRE Techniques

  • No MITRE ATT&CK technique identifiers (Txxxx) or technique names are explicitly mentioned in the article.

Indicators of Compromise

  • [SHA256 Hash] sample file hashes reported – 316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785, 59db173fbff74cdab24995a0d3669dabf6b09f7332a0128d4faa68ae2526d39a, and 1 more hash
  • [File names / Paths] payload examples referenced in network commands – payload.ps1, payload.bin
  • [URLs] remote payload locations used in commands – https://payload_url/payload.ps1, https://payload_url/payload.bin
  • [C2 IP addresses] decoy and malicious C2 infrastructure – the article notes 65 C2 IP addresses decrypted only at runtime (no specific IPs listed)
  • [Detection Name] vendor detection used in coverage – Win32.PWS.Xloader

Read more: https://www.zscaler.com/blogs/security-research/latest-xloader-obfuscation-methods-and-network-protocol