XTunnel
XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. [1] [2] [3]
Associated Software Descriptions
Name | Description |
---|---|
Trojan.Shunnael | |
X-Tunnel | |
XAPS |
Techniques Used
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography | |
Enterprise | T1008 | Fallback Channels |
The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port.[3] |
|
Enterprise | T1046 | Network Service Scanning |
XTunnel is capable of probing the network for open ports.[2] |
|
Enterprise | T1027 | Obfuscated Files or Information |
A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[3] |
|
.001 | Binary Padding |
A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[3] |
||
Enterprise | T1090 | Proxy | ||
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
XTunnel is capable of accessing locally stored passwords on victims.[2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 |
References
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.