
XTunnel

XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and was reportedly used by APT28 during the compromise of the Democratic National Committee. [1] [2] [3]

ID: S0117
Associated Software: Trojan.Shunnael, X-Tunnel, XAPS
Type: MALWARE
Platforms: Windows
Version: 2.0

Associated Software Descriptions

Name            | Description
Trojan.Shunnael | [4]
X-Tunnel        | [1][4]
XAPS            | [3]

Techniques Used

Domain     | ID    | Name                            | Use
Enterprise | T1009 | Binary Padding                  | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. [3]
Enterprise | T1059 | Command-Line Interface          | XTunnel has been used to execute remote commands. [1]
Enterprise | T1090 | Connection Proxy                | XTunnel relays traffic between a C2 server and a victim. [1]
Enterprise | T1081 | Credentials in Files            | XTunnel is capable of accessing locally stored passwords on victims. [2]
Enterprise | T1008 | Fallback Channels               | The C2 server used by XTunnel provides the victim with a port number to use as a fallback in case the connection on the currently used port closes. [3]
Enterprise | T1046 | Network Service Scanning        | XTunnel is capable of probing the network for open ports. [2]
Enterprise | T1027 | Obfuscated Files or Information | A version of XTunnel introduced in July 2015 used opaque predicates and other techniques to obfuscate the binary, likely in an attempt to bypass security products. [3]
Enterprise | T1105 | Remote File Copy                | XTunnel is capable of downloading additional files. [2]
Enterprise | T1032 | Standard Cryptographic Protocol | XTunnel uses SSL/TLS and RC4 to encrypt traffic. [2] [3]

Groups That Use This Software

ID    | Name  | References
G0007 | APT28 | [5] [4]

References