Zscaler ThreatLabZ: Analysis of Xloader’s C2 Network Encryption
January 2022 by Zscaler
Zscaler has recently released a new blog titled Analysis of Xloader’s C2 Network Encryption, exploring the capabilities of Xloader, an information stealing malware which is the successor to Formbook.
Xloader is a well-developed malware family that has numerous techniques to mislead researchers and hinder malware analysis, including multiple layers of encryption and a custom virtual machine. Although the malware authors are focusing on the rebranded Xloader, both strains are still quite active today. For example, Formbook is being used by threat actors using the leaked panel source code and self-managing the C2, while the original authors have continued to sell Xloader as MaaS, supporting and renting the servers infrastructure.
Addressing the analysis, Nicolas Casimir, CISO EMEA at Zscaler comments:
“IT teams need to up level their security hygiene to keep track with the changing nature of ransomware as complacency is the biggest enemy in the fight against these kinds of attacks. Nowadays, companies publish more information about their infrastructure online than they should, and they are often completely unaware that they have done so. A reduced attack surface goes along with knowing, what is exposed to the internet, SSL inspection, enforced network segmentation next to overall greater security hygiene. In contrast to traditional approaches to security, zero trust network access (ZTNA) can help to significantly reduce a company’s vulnerability to attack.”