Invincea researchers claim that the XTunnel malware, used by the Russian APT threat actor Fancy Bear to break into the Democratic National Committee network in April, was specifically built for the DNC hack.
This was the second time the DNC had been targeted, as another cyber-crime gang named Cozy Bear succeeded in getting access to the network in the summer of last year. After Yahoo started alerting the DNC about potential compromises, both attacks were investigated by Crowdstrike.
After a deeper analysis of XTunnel, Invincea's experts did not find anything that the malware has in common with any other threat. Based on this they came to the conclusion that it could be a “purpose-built original piece of code” specifically designed to break into the DNC network.
Researchers also discovered that XTunnel is fully equipped to compromise its target without facing any obstacles. It has VPN-style capabilities, uses private encryption keys, can compress and decompress data and exchanges SSH keys. The malware can also get access to stored passwords and the LDAP server.
Moreover, being a modular threat, XTunnel can send and receive email messages, search the network for open ports, ping hosts and even download additional files when necessary. It was also spotted accessing USB drives and webcams, as well as monitoring keyboard and mouse activity. Many of the malware's capabilities are actually provided by legitimate programs.
According to Invincea's expert Pat Belcher, some of the most threatening abilities of XTunnel are “to hook into system drivers, access the local LDAP server, access local passwords, use SSH, OpenSSL, search and replace local files, and of course be able to maintain a persistent connection to a pre-specified IP address, even if the host is behind a NATed firewall. That is a lot of capabilities packed into a file that is less than 2 MB in size.”
Another thing that surprised the analysts was the fact that, unlike most malware, which is heavily obfuscated to make researchers' work harder, this particular sample is not. It actually reveals pretty clearly what the binary's intentions are. Experts say that it is so transparently done “as if it were originally developed to be an open source tool to provide encrypted tunnel access to internet hosts.”
The crooks behind XTunnel managed to create a fully encrypted, end-to-end Remote Access Trojan (RAT) with the help of a very old but reliable network module. This exact module was associated with softphone and VoIP applications more than 10 years ago. Therefore, the DNC was not expected to detect the malware's activity before it had already managed to break through.
Invincea's researchers state that this kind of activity would have been extremely difficult to detect, given the fact that many organizations run a firewall configuration where inside hosts are allowed outbound access without restrictions. Even restricted outbound access would not have prevented the attack; it would just have forced XTunnel to use the ICMP or UDP protocols to connect to the Russian C&C server.
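As an added defensive illustration of the two points above (a persistent channel to a pre-specified external IP, and the TCP-to-UDP/ICMP fallback when egress is restricted), the following Python is not from the article or Invincea's analysis. It scans constructed flow records for an internal host that keeps a steady outbound channel to one external address regardless of protocol; the internal ranges, log format and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not from the article): "epoch src dst proto".
SAMPLE_FLOWS = """\
1467324000 10.0.1.15 203.0.113.7 tcp
1467324060 10.0.1.15 203.0.113.7 tcp
1467324120 10.0.1.15 203.0.113.7 udp
1467324180 10.0.1.15 203.0.113.7 icmp
1467324240 10.0.1.15 203.0.113.7 icmp
1467324300 10.0.1.15 203.0.113.7 icmp
1467324010 10.0.1.22 198.51.100.9 tcp
1467327600 10.0.1.22 198.51.100.9 tcp
1467324020 10.0.1.22 10.0.2.5 tcp
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse whitespace-separated 'epoch src dst proto' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto = line.split()
            flows.append((int(ts), src, dst, proto.lower()))
    return flows

def persistent_external_peers(flows, min_flows=5, max_gap=600):
    """Return {(src, dst): sorted protocols} for internal->external pairs seen
    at least min_flows times with no silence longer than max_gap seconds.
    Protocol is deliberately ignored so a TCP->UDP/ICMP fallback still counts."""
    by_pair = defaultdict(list)
    for ts, src, dst, proto in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append((ts, proto))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        if len(events) >= min_flows and max(gaps, default=0) <= max_gap:
            hits[pair] = sorted({proto for _, proto in events})
    return hits
```

Running `persistent_external_peers(parse_flows(SAMPLE_FLOWS))` on the sample flags only 10.0.1.15 talking to 203.0.113.7 over tcp, udp and icmp; the two-flow pair and the internal-only pair are ignored.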