XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee.
Associated Software: Trojan.Shunnael, X-Tunnel, XAPS
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1009 | Binary Padding | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. |
| Enterprise | T1059 | Command-Line Interface | XTunnel has been used to execute remote commands. |
| Enterprise | T1090 | Connection Proxy | XTunnel relays traffic between a C2 server and a victim. |
| Enterprise | T1081 | Credentials in Files | XTunnel is capable of accessing locally stored passwords on victims. |
| Enterprise | T1008 | Fallback Channels | The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port. |
| Enterprise | T1046 | Network Service Scanning | XTunnel is capable of probing the network for open ports. |
| Enterprise | T1027 | Obfuscated Files or Information | A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques, likely in an attempt to bypass security products. |
| Enterprise | T1105 | Remote File Copy | XTunnel is capable of downloading additional files. |
| Enterprise | T1032 | Standard Cryptographic Protocol | XTunnel uses SSL/TLS and RC4 to encrypt traffic. |
Groups That Use This Software
- APT28