XTunnel

Malware. Last updated 2024-05-04T17:56:06.350Z
XTunnel is a tunnelling tool used to maintain access to a compromised environment: the malware opens a back connection from the victim network to a command and control (C2) server, and the operators then pass their traffic through that persistent backchannel. IRON TWILIGHT installed XTunnel as a child process of Coreshell on an already compromised system in mid-May, alongside the modular remote access trojan (RAT) XAgent; XAgent provided the interactive control of the target environment while XTunnel provided the channel. CrowdStrike found that the nearby IP address 23.227.196[.]217 hosted the C2 location for an XTunnel payload used by the Sofacy group in its intrusion into the Democratic National Committee. IRON TWILIGHT (Secureworks) and Sofacy (Kaspersky, CrowdStrike) are vendor names for the same group, also tracked as APT28, so these sightings describe one actor's tooling rather than use by several unrelated threat groups. The move of the long-standing XTunnel codebase to C# mirrors Zebrocy's practice of re-coding long-used modules in several languages. Recent XTunnel samples are much smaller than older ones, around 20 KB instead of 1-2 MB, and Sofacy has also deployed .NET XTUNNEL variants together with their loaders. Taken together, these findings show that XTunnel, even after being re-coded and slimmed down, remains a staple of this actor's toolkit for keeping covert access into compromised networks; the sources describe it as an access and tunnelling tool, not as a data-theft or ransomware component.
Description last updated: 2023-06-23T17:45:13.906Z
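Two of the observations above are directly checkable on a sample: whether a binary is a managed (.NET) build, and whether it falls into the small (~20 KB) or the older large (1-2 MB) size range. The following Python triage routine, added here as an illustration and not taken from the page or from any vendor report, reads only the PE fields needed to answer both questions: the optional-header magic for bitness and the CLR runtime header entry (data directory index 14) for .NET. The sample inputs are constructed minimal PE header blobs, not real XTunnel binaries, and the 64 KB "small" threshold is an editorial assumption chosen to separate the two size ranges the text quotes.

```python
import struct

# Data-directory index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR).
CLR_DIRECTORY_INDEX = 14
# Assumed triage threshold: the text contrasts ~20 KB samples with 1-2 MB ones,
# so anything under 64 KB is bucketed as "small" here.
SMALL_SAMPLE_BYTES = 64 * 1024


def build_pe(pe32plus: bool, managed: bool, total_size: int) -> bytes:
    """Construct a minimal, non-executable PE header blob as test input.

    Synthetic data for this example only; it is not an XTunnel sample. Only the
    fields triage() reads are filled in, everything else stays zero.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header

    opt_size = 240 if pe32plus else 224
    coff = struct.pack(
        "<HHIIIHH",
        0x8664 if pe32plus else 0x14C,  # Machine
        1,                              # NumberOfSections
        0, 0, 0,                        # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        opt_size,                       # SizeOfOptionalHeader
        0x0002,                         # Characteristics: IMAGE_FILE_EXECUTABLE_IMAGE
    )

    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic: PE32+ / PE32
    dirs_off = 112 if pe32plus else 96                            # start of data directories
    struct.pack_into("<I", opt, dirs_off - 4, 16)                 # NumberOfRvaAndSizes
    if managed:
        # A non-zero CLR runtime header entry is what marks a managed (.NET) image.
        struct.pack_into("<II", opt, dirs_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)

    blob = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if total_size < len(blob):
        raise ValueError("total_size smaller than the constructed headers")
    return blob + b"\0" * (total_size - len(blob))


def triage(blob: bytes) -> dict:
    """Answer three questions about a PE: bitness, managed (.NET) or native, size class."""
    result = {"size": len(blob), "is_pe": False, "arch": None,
              "managed": False, "size_class": None}
    if len(blob) < 64 or blob[:2] != b"MZ":
        return result
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", blob, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(blob):
        return result
    (magic,) = struct.unpack_from("<H", blob, opt)
    if magic == 0x10B:
        arch, dirs_off = "pe32", 96
    elif magic == 0x20B:
        arch, dirs_off = "pe32+", 112
    else:
        return result  # ROM image or corrupt header: not something we classify
    result["is_pe"] = True
    result["arch"] = arch
    if opt_size >= dirs_off:
        (ndirs,) = struct.unpack_from("<I", blob, opt + dirs_off - 4)
        # Only trust the CLR entry if the header actually declares that many directories.
        if ndirs > CLR_DIRECTORY_INDEX and opt_size >= dirs_off + 8 * (CLR_DIRECTORY_INDEX + 1):
            rva, size = struct.unpack_from("<II", blob, opt + dirs_off + 8 * CLR_DIRECTORY_INDEX)
            result["managed"] = rva != 0 and size != 0
    result["size_class"] = "small" if len(blob) < SMALL_SAMPLE_BYTES else "large"
    return result


def triage_samples(samples: dict) -> dict:
    """Run triage() over a name -> bytes mapping."""
    return {name: triage(blob) for name, blob in samples.items()}


# Constructed stand-ins for the two generations described in the text (not real samples).
CONSTRUCTED_SAMPLES = {
    "native_large":     build_pe(pe32plus=False, managed=False, total_size=1_500_000),
    "dotnet_small":     build_pe(pe32plus=False, managed=True,  total_size=20 * 1024),
    "dotnet_x64_small": build_pe(pe32plus=True,  managed=True,  total_size=20 * 1024),
}

if __name__ == "__main__":
    for name, r in triage_samples(CONSTRUCTED_SAMPLES).items():
        print(f"{name:16} arch={r['arch']} managed={r['managed']} "
              f"{r['size_class']} ({r['size']} bytes)")
```

The CLR-header check is the same signal tools such as `file` and PE viewers use to call an image "Mono/.Net assembly"; it is cheap to run over a whole quarantine directory and lets an analyst separate the older native builds from the newer C#/.NET loaders before any deeper reversing.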
Aliases: none currently tracked
Source Document References
Information about the XTunnel malware was drawn from three MITRE documents (created 2 years ago); their titles and links were not captured here.