
XTunnel

XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and was reportedly used by APT28 during the compromise of the Democratic National Committee. [1] [2] [3]

ID: S0117
Aliases: XTunnel, X-Tunnel, XAPS
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1009 | Binary Padding | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. [3]
Enterprise | T1059 | Command-Line Interface | XTunnel has been used to execute remote commands. [1]
Enterprise | T1090 | Connection Proxy | XTunnel relays traffic between a C2 server and a victim. [1]
Enterprise | T1081 | Credentials in Files | XTunnel is capable of accessing locally stored passwords on victims. [2]
Enterprise | T1008 | Fallback Channels | The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port. [3]
Enterprise | T1046 | Network Service Scanning | XTunnel is capable of probing the network for open ports. [2]
Enterprise | T1027 | Obfuscated Files or Information | A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to hinder analysis and bypass security products. [3]
Enterprise | T1105 | Remote File Copy | XTunnel is capable of downloading additional files. [2]
Enterprise | T1032 | Standard Cryptographic Protocol | XTunnel uses SSL/TLS and RC4 to encrypt traffic. [2] [3]
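Two of the behaviours in the table above leave a footprint in plain connection telemetry: the port probing (T1046) and the C2-supplied fallback port that the victim switches to when the current connection closes (T1008). The script below is an added example written for this page, not MITRE's or any XTunnel code, and it runs two heuristics over a small set of constructed Zeek-style connection records (the log format, the sample IP addresses and ports, and the thresholds are all assumptions made for the example). The first heuristic flags a source that opens short-lived connections to many distinct ports on one host; the second flags a long-lived session to an external peer that closes and is followed within a short window by a connection from the same host to the same peer on a different port. The second heuristic deliberately requires the earlier session to be long-lived so that a scan burst does not also trip it.

```python
"""Added example: detection heuristics for T1046 (port probing) and T1008
(fallback port) over constructed Zeek-style connection records.
Not part of the ATT&CK page and not derived from XTunnel itself."""
from collections import defaultdict

# Assumed record layout (constructed, whitespace-separated):
#   ts  src_ip  src_port  dst_ip  dst_port  proto  duration  state
FIELDS = ("ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "duration", "state")

# Constructed sample telemetry, not real captures. 10.0.0.5 probes eight
# ports on 10.0.0.20, holds a one-hour TLS-looking session to 203.0.113.10,
# then reconnects to that host on 8443 shortly after it closes. 10.0.0.7
# is benign: two short sessions to the same port.
SAMPLE_LOG = """\
1000 10.0.0.5 49152 10.0.0.20 22 tcp 0.01 REJ
1001 10.0.0.5 49153 10.0.0.20 80 tcp 0.01 REJ
1002 10.0.0.5 49154 10.0.0.20 135 tcp 0.01 S0
1003 10.0.0.5 49155 10.0.0.20 139 tcp 0.02 REJ
1004 10.0.0.5 49156 10.0.0.20 443 tcp 0.01 REJ
1005 10.0.0.5 49157 10.0.0.20 445 tcp 0.05 SF
1006 10.0.0.5 49158 10.0.0.20 3389 tcp 0.01 REJ
1007 10.0.0.5 49159 10.0.0.20 8080 tcp 0.01 REJ
1100 10.0.0.5 49160 203.0.113.10 443 tcp 3600.0 SF
4800 10.0.0.5 49161 203.0.113.10 8443 tcp 120.0 SF
1200 10.0.0.7 50000 198.51.100.9 443 tcp 5.0 SF
1300 10.0.0.7 50001 198.51.100.9 443 tcp 5.0 SF
"""


def parse_conn_log(text):
    """Parse the constructed log into dicts, skipping blank/malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["src_port"] = int(rec["src_port"])
        rec["dst_port"] = int(rec["dst_port"])
        rec["duration"] = float(rec["duration"])
        records.append(rec)
    return records


def detect_port_probing(records, min_ports=5, max_duration=1.0):
    """T1046 heuristic: one source touching many distinct ports on one host
    with short-lived connections. Returns sorted (src, dst, n_ports) tuples."""
    ports = defaultdict(set)
    for r in records:
        if r["duration"] <= max_duration:
            ports[(r["src_ip"], r["dst_ip"])].add(r["dst_port"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def detect_fallback_port(records, min_session=60.0, window=300.0):
    """T1008 heuristic: a session of at least min_session seconds ends and the
    same source reconnects to the same peer on a different port within
    window seconds. Returns sorted (src, dst, old_port, new_port) tuples."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src_ip"], r["dst_ip"])].append(r)
    hits = []
    for (src, dst), conns in by_pair.items():
        conns.sort(key=lambda r: r["ts"])
        for prev, nxt in zip(conns, conns[1:]):
            if prev["duration"] < min_session:
                continue  # ignore scan bursts and other short sessions
            gap = nxt["ts"] - (prev["ts"] + prev["duration"])
            if 0 <= gap <= window and nxt["dst_port"] != prev["dst_port"]:
                hits.append((src, dst, prev["dst_port"], nxt["dst_port"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_LOG)
    for s, d, n in detect_port_probing(recs):
        print(f"possible port probing: {s} -> {d} ({n} distinct ports)")
    for s, d, old, new in detect_fallback_port(recs):
        print(f"possible fallback channel: {s} -> {d} port {old} -> {new}")
```

Both heuristics are starting points rather than signatures: legitimate monitoring hosts probe ports, and a client can legitimately reconnect to a service on another port after a load-balancer change, so in practice the thresholds need tuning against a baseline and the hits should be joined with process or TLS metadata before they become alerts. The fallback check also only works when the earlier session is actually recorded as closed; if the sensor logs long sessions in slices, the durations must be stitched first.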

Groups

Groups that use this software:

APT28

References