
Xloader is an information stealing malware that is the successor to Formbook, which had been sold in hacking forums since early 2016. In October 2020, Formbook was rebranded as Xloader and some significant improvements were introduced, especially related to the command and control (C2) network encryption. With the arrival of Xloader, the malware authors also stopped selling the panel's code together with the malware executable.

Previous blog posts have analyzed various aspects of Formbook and Xloader's obfuscation. In this blog post, we perform a detailed analysis of Xloader's C2 network encryption and communication protocol. Note that Xloader is cross-platform with the ability to run on Microsoft Windows and MacOS. This analysis focuses specifically on the Windows version of Xloader.

Xloader and Formbook use HTTP to communicate with the C2 server. An HTTP GET query is sent as a form of registration. Afterwards, the malware makes HTTP POST requests to the C2 to exfiltrate information such as screenshots, stolen data, etc. In both cases, the GET parameters and the POST data share a similar format and are encrypted as shown in Figure 1.

Figure 1. Xloader C2 communications capture

Throughout the Xloader malware there are multiple structures of encrypted blocks of data and code. We will explain the encryption algorithms in the following sections.

Decoy and Real C2 Servers
