A Deep Dive into the Recent XLoader Campaign: Analyzing Infection Vectors and Tactics

Mike Torres — Incident Response Specialist

Key Takeaways

  • The XLoader campaign primarily used phishing emails to deliver payloads, showcasing an evolving threat landscape.
  • Our investigation found the Credential Dumping technique in use, with several methods employed to extract sensitive information from compromised systems.
  • Strong detection mechanisms are required to identify unusual behavior patterns indicative of XLoader’s presence in an environment.

Executive Summary

During our analysis of the recent XLoader campaign, we observed an intricate series of infection vectors that target multiple sectors. This campaign is characterized by the use of malicious VBA macros embedded within seemingly benign document attachments. Once executed, these macros facilitate the installation of the XLoader malware, which subsequently communicates with its command and control (C2) servers for further instructions. Our investigation unearthed various tactics, techniques, and procedures (TTPs) employed by the threat actor, providing critical insights into their modus operandi.

Initial Access

The primary method of initial access in this campaign involved the distribution of phishing emails containing attachments masquerading as legitimate documents. We identified a pattern in these emails: they often carry urgent subject lines designed to bait users into opening the attachments. Upon opening a document, users are prompted to enable macros, which is a crucial step in the delivery process. Once enabled, the malicious VBA script downloads the main payload from a remote server, compromising the user's machine.
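The attachment-borne macro described above can be triaged before a user ever sees the enable-macros prompt. The following Python script is an added example written for this write-up, not tooling from the original report. It uses only the standard library and inspects the attachment bytes directly: OOXML documents are ZIP containers in which a VBA project appears as a vbaProject.bin part declared in [Content_Types].xml, while legacy binary Office files are OLE compound documents that this example only flags for review with a dedicated parser such as olevba. Every sample document in the block is constructed in memory; the file names and the placeholder VBA bytes are assumptions for the demonstration.

```python
"""Triage an e-mail attachment for embedded VBA macros (added example)."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE compound document header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # declared for vbaProject.bin
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def has_vba_project(data: bytes) -> bool:
    """Return True if an OOXML (ZIP) container carries a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as clean / macro / needs_ole_review."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        return {"file": filename, "verdict": "needs_ole_review",
                "reason": "legacy binary Office format; run an OLE/VBA parser"}
    if has_vba_project(data):
        reason = "VBA project embedded"
        if ext not in MACRO_ENABLED_EXTS:
            # A macro project behind a non-macro extension is worth a closer look.
            reason += f"; extension {ext or '(none)'} does not advertise macros"
        return {"file": filename, "verdict": "macro", "reason": reason}
    return {"file": filename, "verdict": "clean", "reason": "no VBA project found"}


def _build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP (sample data, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Default Extension="xml" ContentType="application/xml"/>']
        if with_vba:
            ct.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA project\x00")  # constructed
    return buf.getvalue()


# Constructed samples: a macro-free document, a macro-enabled one, a
# macro-bearing file hiding behind a .docx extension, and a legacy OLE file.
SAMPLES = {
    "invoice.docx": _build_ooxml(with_vba=False),
    "invoice_urgent.docm": _build_ooxml(with_vba=True),
    "statement.docx": _build_ooxml(with_vba=True),
    "legacy.doc": OLE_MAGIC + b"\x00" * 64,
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample file name to its verdict."""
    return {name: triage_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_attachment(name, data))
```

A macro project is not malicious by itself, so the verdict is best used to route the attachment into sandbox detonation or manual review at the mail gateway rather than to block outright.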

Execution & Persistence

Once the XLoader binary is downloaded, it executes with the intention of establishing persistence. Our analysis revealed that the malware employs various persistence mechanisms, notably the creation of scheduled tasks under the user profile. The tasks are scheduled using a command similar to:

schtasks /create /tn
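Scheduled-task persistence created from a macro chain leaves a distinctive process-creation record: schtasks.exe with /create, launched under an Office parent or pointing its action at a user-writable path. The Python script below is an added example written for this write-up, not detection content from the original report. It models events on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User) and scores each schtasks /create invocation; the four events, the task names and the paths are constructed sample data.

```python
"""Flag scheduled-task creation that fits a macro-to-persistence chain (added example)."""
import re
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Locations a standard user can write to, where a dropped payload would typically live.
USER_WRITABLE = re.compile(
    r"\\(AppData|Users\\[^\\]+\\(Downloads|Desktop|Documents)|ProgramData|Temp)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_run_action(cmdline: str) -> str:
    """Extract the /tr (task run) value from a schtasks command line."""
    try:
        args = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        args = cmdline.split()
    for i, a in enumerate(args):
        if a.lower() == "/tr" and i + 1 < len(args):
            return args[i + 1].strip('"')
    return ""


def analyse(event: dict) -> list:
    """Return the reasons this event is suspicious (empty list if benign)."""
    reasons = []
    if basename(event.get("Image", "")) != "schtasks.exe":
        return reasons
    cmd = event.get("CommandLine", "")
    if not re.search(r"(^|\s)/create(\s|$)", cmd, re.I):
        return reasons
    parent = basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append(f"schtasks spawned by Office process {parent}")
    action = task_run_action(cmd)
    if action and USER_WRITABLE.search(action):
        reasons.append(f"task action runs from user-writable path: {action}")
    # Aggressive schedules only matter once another indicator is present.
    if reasons and re.search(r"/sc\s+(minute|onlogon|onstart)", cmd, re.I):
        reasons.append("high-frequency or logon-triggered schedule")
    return reasons


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "CORP\\alice",
     "CommandLine": r'schtasks.exe /create /tn "OneDrive Update" /tr "C:\Users\alice\AppData\Roaming\svchost.exe" /sc minute /mo 5'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\backup-admin",
     "CommandLine": r'schtasks.exe /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\bob",
     "CommandLine": "schtasks.exe /query /fo LIST"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": "CORP\\carol",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\ProgramData\upd\run.exe /sc onlogon"},
]


def flagged(events=SAMPLE_EVENTS) -> list:
    """Return (index, reasons) for every event that triggered at least one indicator."""
    out = []
    for i, ev in enumerate(events):
        reasons = analyse(ev)
        if reasons:
            out.append((i, reasons))
    return out


if __name__ == "__main__":
    for idx, reasons in flagged():
        print(f"event {idx} ({SAMPLE_EVENTS[idx]['User']}):")
        for r in reasons:
            print("  -", r)
```

The Office-parent check is the strongest single indicator here, since there is rarely a legitimate reason for Word or Excel to create a scheduled task; the path and schedule checks raise the score of chains that have already broken out of the Office process, for example via PowerShell.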
