XTunnel

XTunnel is a type of malware used by threat groups to gain secure access to compromised environments through a back connection created by the malware to a command and control (C2) server. IRON TWILIGHT, a known threat group, installed XTunnel as a Coreshell child process on an already compromised system in mid-May. To fully exploit the target environment, IRON TWILIGHT also used a modular remote access trojan (RAT) called XAgent and the persistent backchannel tool XTunnel. CrowdStrike discovered that the nearby IP address 23.227.196[.]217 hosted the C2 location for an XTunnel payload used by the Sofacy group in an attack on the Democratic National Committee. This indicates that XTunnel has been utilized by multiple threat groups for malicious purposes. The shift to C# by the long-standing Sofacy XTunnel codebase reminds experts of Zebrocy's practice of re-coding and innovating long-used modules in multiple languages. Recent XTunnel samples are much smaller than past samples, weighing in at around 20KB instead of 1-2MB. In addition to these smaller samples, Sofacy also deployed .NET XTUNNEL variants and their loaders. These findings suggest that while the specific tactics may vary between threat groups, XTunnel remains a popular tool among cybercriminals for compromising systems and stealing or holding data hostage.