SYMBOLCOMMON_NAMEaka. SYNONYMS
win.xtunnel (Back to overview)

XTunnel

aka: Shunnael, X-Tunnel, xaps

Actor(s): Sofacy


X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.

References
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020SecureworksSecureWorks
@online{secureworks:2020:iron:48c68a0, author = {SecureWorks}, title = {{IRON TWILIGHT}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-twilight}, language = {English}, urldate = {2020-05-23} } IRON TWILIGHT
X-Agent X-Agent X-Agent Computrace HideDRV Sedreco Seduploader X-Agent XTunnel Zebrocy Zebrocy (AutoIT)
2018-10-04SymantecCritical Attack Discovery and Intelligence Team
@online{team:20181004:apt28:97a1356, author = {Critical Attack Discovery and Intelligence Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2020-04-21} } APT28: New Espionage Operations Target Military and Government Organizations
LoJax Seduploader X-Agent XTunnel Zebrocy Sofacy
2018-10-04SymantecSecurity Response Attack Investigation Team
@online{team:20181004:apt28:f5e15cf, author = {Security Response Attack Investigation Team}, title = {{APT28: New Espionage Operations Target Military and Government Organizations}}, date = {2018-10-04}, organization = {Symantec}, url = {https://www.symantec.com/blogs/election-security/apt28-espionage-military-government}, language = {English}, urldate = {2019-11-23} } APT28: New Espionage Operations Target Military and Government Organizations
XTunnel Sofacy
2017-02-20Contagio DumpMila Parkour
@online{parkour:20170220:part:c54b5de, author = {Mila Parkour}, title = {{Part I. Russian APT - APT28 collection of samples including OSX XAgent}}, date = {2017-02-20}, organization = {Contagio Dump}, url = {https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html}, language = {English}, urldate = {2019-11-26} } Part I. Russian APT - APT28 collection of samples including OSX XAgent
X-Agent Komplex Coreshell Downdelph HideDRV SEADADDY Sedreco Seduploader X-Agent XTunnel
2016-10-20ESET ResearchESET Research
@techreport{research:20161020:en:e2e6603, author = {ESET Research}, title = {{En Route with Sednit Part 2: Observing the Comings and Goings}}, date = {2016-10-20}, institution = {ESET Research}, url = {http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf}, language = {English}, urldate = {2019-10-25} } En Route with Sednit Part 2: Observing the Comings and Goings
X-Agent Sedreco X-Agent XTunnel
2016-06-15CrowdStrikeDmitri Alperovitch
@online{alperovitch:20160615:bears:604c1d9, author = {Dmitri Alperovitch}, title = {{Bears in the Midst: Intrusion into the Democratic National Committee}}, date = {2016-06-15}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/}, language = {English}, urldate = {2022-03-14} } Bears in the Midst: Intrusion into the Democratic National Committee
X-Agent ATI-Agent SEADADDY Seduploader X-Agent XTunnel Sofacy
2015-11-20MicrosoftMicrosoft
@techreport{microsoft:20151120:microsoft:d41c5ad, author = {Microsoft}, title = {{Microsoft Security Intelligence Report Volume 19}}, date = {2015-11-20}, institution = {Microsoft}, url = {http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf}, language = {English}, urldate = {2020-01-13} } Microsoft Security Intelligence Report Volume 19
XTunnel
2015-08root9broot9b
@techreport{root9b:201508:technical:fff6a0b, author = {root9b}, title = {{TECHNICAL FOLLOW UP - APT28}}, date = {2015-08}, institution = {root9b}, url = {https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf}, language = {English}, urldate = {2020-01-08} } TECHNICAL FOLLOW UP - APT28
XTunnel
2015-06-19Netzpolitik.orgClaudio Guarnieri
@online{guarnieri:20150619:digital:6c1a11b, author = {Claudio Guarnieri}, title = {{Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag}}, date = {2015-06-19}, organization = {Netzpolitik.org}, url = {https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/}, language = {English}, urldate = {2020-01-10} } Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag
XTunnel Sofacy
Yara Rules
[TLP:WHITE] win_xtunnel_auto (20220516 | Detects win.xtunnel.)
rule win_xtunnel_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.xtunnel."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b742414 89450c 896810 c70200000000 8be8 c7400401000000 }
            // n = 6, score = 1200
            //   8b742414             | mov                 esi, dword ptr [esp + 0x14]
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   896810               | mov                 dword ptr [eax + 0x10], ebp
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   8be8                 | mov                 ebp, eax
            //   c7400401000000       | mov                 dword ptr [eax + 4], 1

        $sequence_1 = { 0f85d1000000 83780800 0f85c7000000 8b01 48 83f805 }
            // n = 6, score = 1200
            //   0f85d1000000         | jne                 0xd7
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   0f85c7000000         | jne                 0xcd
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   48                   | dec                 eax
            //   83f805               | cmp                 eax, 5

        $sequence_2 = { 0f846e080000 57 8b7c2418 83c002 }
            // n = 4, score = 1200
            //   0f846e080000         | je                  0x874
            //   57                   | push                edi
            //   8b7c2418             | mov                 edi, dword ptr [esp + 0x18]
            //   83c002               | add                 eax, 2

        $sequence_3 = { 1bc0 83e02f eb19 8b4904 51 57 e8???????? }
            // n = 7, score = 1200
            //   1bc0                 | sbb                 eax, eax
            //   83e02f               | and                 eax, 0x2f
            //   eb19                 | jmp                 0x1b
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   51                   | push                ecx
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_4 = { 0f8469070000 3944242c 0f845f070000 39442430 }
            // n = 4, score = 1200
            //   0f8469070000         | je                  0x76f
            //   3944242c             | cmp                 dword ptr [esp + 0x2c], eax
            //   0f845f070000         | je                  0x765
            //   39442430             | cmp                 dword ptr [esp + 0x30], eax

        $sequence_5 = { ffd0 83c404 3bc5 0f8e5a020000 8b7e58 39aec0000000 }
            // n = 6, score = 1200
            //   ffd0                 | call                eax
            //   83c404               | add                 esp, 4
            //   3bc5                 | cmp                 eax, ebp
            //   0f8e5a020000         | jle                 0x260
            //   8b7e58               | mov                 edi, dword ptr [esi + 0x58]
            //   39aec0000000         | cmp                 dword ptr [esi + 0xc0], ebp

        $sequence_6 = { 0f8466ffffff f7c1fc010000 7413 8b4e20 234c2434 f7c1fc010000 }
            // n = 6, score = 1200
            //   0f8466ffffff         | je                  0xffffff6c
            //   f7c1fc010000         | test                ecx, 0x1fc
            //   7413                 | je                  0x15
            //   8b4e20               | mov                 ecx, dword ptr [esi + 0x20]
            //   234c2434             | and                 ecx, dword ptr [esp + 0x34]
            //   f7c1fc010000         | test                ecx, 0x1fc

        $sequence_7 = { 0f85d2fcffff 837f6c00 0f851a010000 837c241001 }
            // n = 4, score = 1200
            //   0f85d2fcffff         | jne                 0xfffffcd8
            //   837f6c00             | cmp                 dword ptr [edi + 0x6c], 0
            //   0f851a010000         | jne                 0x120
            //   837c241001           | cmp                 dword ptr [esp + 0x10], 1

        $sequence_8 = { 8b11 83c202 52 e8???????? }
            // n = 4, score = 1200
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   83c202               | add                 edx, 2
            //   52                   | push                edx
            //   e8????????           |                     

        $sequence_9 = { e8???????? 99 b960000000 f7f9 }
            // n = 4, score = 1200
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b960000000           | mov                 ecx, 0x60
            //   f7f9                 | idiv                ecx

        $sequence_10 = { c7010c000000 5e 5d c3 6a00 }
            // n = 5, score = 1100
            //   c7010c000000         | mov                 dword ptr [ecx], 0xc
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a00                 | push                0

        $sequence_11 = { 8b510c 89500c 8b5120 895020 8b4910 }
            // n = 5, score = 1000
            //   8b510c               | mov                 edx, dword ptr [ecx + 0xc]
            //   89500c               | mov                 dword ptr [eax + 0xc], edx
            //   8b5120               | mov                 edx, dword ptr [ecx + 0x20]
            //   895020               | mov                 dword ptr [eax + 0x20], edx
            //   8b4910               | mov                 ecx, dword ptr [ecx + 0x10]

        $sequence_12 = { 8b5620 895020 8b4e10 894810 eb02 }
            // n = 5, score = 1000
            //   8b5620               | mov                 edx, dword ptr [esi + 0x20]
            //   895020               | mov                 dword ptr [eax + 0x20], edx
            //   8b4e10               | mov                 ecx, dword ptr [esi + 0x10]
            //   894810               | mov                 dword ptr [eax + 0x10], ecx
            //   eb02                 | jmp                 4

        $sequence_13 = { 8b4e34 c6411401 8b5634 c6421501 c645fc03 6a18 }
            // n = 6, score = 1000
            //   8b4e34               | mov                 ecx, dword ptr [esi + 0x34]
            //   c6411401             | mov                 byte ptr [ecx + 0x14], 1
            //   8b5634               | mov                 edx, dword ptr [esi + 0x34]
            //   c6421501             | mov                 byte ptr [edx + 0x15], 1
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   6a18                 | push                0x18

        $sequence_14 = { 8bf8 83c404 897dec 33db 895dfc }
            // n = 5, score = 1000
            //   8bf8                 | mov                 edi, eax
            //   83c404               | add                 esp, 4
            //   897dec               | mov                 dword ptr [ebp - 0x14], edi
            //   33db                 | xor                 ebx, ebx
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx

        $sequence_15 = { 8bd8 8b7d08 0fb7f6 c745fcffffffff 8d4750 8d550c 89750c }
            // n = 7, score = 1000
            //   8bd8                 | mov                 ebx, eax
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   0fb7f6               | movzx               esi, si
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8d4750               | lea                 eax, [edi + 0x50]
            //   8d550c               | lea                 edx, [ebp + 0xc]
            //   89750c               | mov                 dword ptr [ebp + 0xc], esi

        $sequence_16 = { 895dfc 3bfb 740a 8b450c e8???????? 8bd8 }
            // n = 6, score = 1000
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   3bfb                 | cmp                 edi, ebx
            //   740a                 | je                  0xc
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_17 = { 8d550c 8d4740 89750c e8???????? 89450c 8d45f0 50 }
            // n = 7, score = 1000
            //   8d550c               | lea                 edx, [ebp + 0xc]
            //   8d4740               | lea                 eax, [edi + 0x40]
            //   89750c               | mov                 dword ptr [ebp + 0xc], esi
            //   e8????????           |                     
            //   89450c               | mov                 dword ptr [ebp + 0xc], eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_18 = { 8b4e04 894804 0fb75608 66895008 8b4e18 894818 8b16 }
            // n = 7, score = 1000
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   0fb75608             | movzx               edx, word ptr [esi + 8]
            //   66895008             | mov                 word ptr [eax + 8], dx
            //   8b4e18               | mov                 ecx, dword ptr [esi + 0x18]
            //   894818               | mov                 dword ptr [eax + 0x18], ecx
            //   8b16                 | mov                 edx, dword ptr [esi]

        $sequence_19 = { 83c404 8945b0 8b45b4 50 6a00 }
            // n = 5, score = 500
            //   83c404               | add                 esp, 4
            //   8945b0               | mov                 dword ptr [ebp - 0x50], eax
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_20 = { c685c5e7ffff59 c685c6e7ffffe8 c685c7e7ffff8d c685c8e7ffff9b c685c9e7ffff9e c685cae7ffff80 c685cbe7ffff46 }
            // n = 7, score = 300
            //   c685c5e7ffff59       | mov                 byte ptr [ebp - 0x183b], 0x59
            //   c685c6e7ffffe8       | mov                 byte ptr [ebp - 0x183a], 0xe8
            //   c685c7e7ffff8d       | mov                 byte ptr [ebp - 0x1839], 0x8d
            //   c685c8e7ffff9b       | mov                 byte ptr [ebp - 0x1838], 0x9b
            //   c685c9e7ffff9e       | mov                 byte ptr [ebp - 0x1837], 0x9e
            //   c685cae7ffff80       | mov                 byte ptr [ebp - 0x1836], 0x80
            //   c685cbe7ffff46       | mov                 byte ptr [ebp - 0x1835], 0x46

        $sequence_21 = { c685c5e8ffff58 c685c6e8ffffd0 c685c7e8ffffb1 c685c8e8ffff93 }
            // n = 4, score = 300
            //   c685c5e8ffff58       | mov                 byte ptr [ebp - 0x173b], 0x58
            //   c685c6e8ffffd0       | mov                 byte ptr [ebp - 0x173a], 0xd0
            //   c685c7e8ffffb1       | mov                 byte ptr [ebp - 0x1739], 0xb1
            //   c685c8e8ffff93       | mov                 byte ptr [ebp - 0x1738], 0x93

        $sequence_22 = { c685c5e9ffffc1 c685c6e9fffffb c685c7e9ffff36 c685c8e9ffffe9 }
            // n = 4, score = 300
            //   c685c5e9ffffc1       | mov                 byte ptr [ebp - 0x163b], 0xc1
            //   c685c6e9fffffb       | mov                 byte ptr [ebp - 0x163a], 0xfb
            //   c685c7e9ffff36       | mov                 byte ptr [ebp - 0x1639], 0x36
            //   c685c8e9ffffe9       | mov                 byte ptr [ebp - 0x1638], 0xe9

        $sequence_23 = { c685c5eaffff19 c685c6eaffffb8 c685c7eaffffff c685c8eaffff4c }
            // n = 4, score = 300
            //   c685c5eaffff19       | mov                 byte ptr [ebp - 0x153b], 0x19
            //   c685c6eaffffb8       | mov                 byte ptr [ebp - 0x153a], 0xb8
            //   c685c7eaffffff       | mov                 byte ptr [ebp - 0x1539], 0xff
            //   c685c8eaffff4c       | mov                 byte ptr [ebp - 0x1538], 0x4c

    condition:
        7 of them and filesize < 4634440
}
[TLP:WHITE] win_xtunnel_w0   (20170410 | No description)
rule win_xtunnel_w0 {
  meta:
    author = "Claudio Guarnieri"
    source = "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/"
    malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel"
        malpedia_version = "20170410"
    malpedia_license = "CC BY-NC-SA 4.0"
    malpedia_sharing = "TLP:WHITE"

  strings:
    $xaps = ":\\PROJECT\\XAPS_"

    $variant11 = "XAPS_OBJECTIVE.dll"
    $variant12 = "start"

    $variant21 = "User-Agent: Mozilla/5.0 (Windows NT 6.3;WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
    $variant22 = "is you live?"

    $mix1 = "176.31.112.10"
    $mix2 = "error in select, errno %d"
    $mix3 = "no msg"
    $mix4 = "is you live?"
    $mix5 = "127.0.0.1"
    $mix6 = "err %d"
    $mix7 = "i`m wait"
    $mix8 = "hello"
    $mix9 = "OpenSSL 1.0.1e 11 Feb 2013"
    $mix10 = "Xtunnel.exe"

  condition:
    ((uint16(0) == 0x5A4D) or (uint16(0) == 0xCFD0)) and (($xaps) or (all of ($variant1*)) or (all of ($variant2*)) or (6 of ($mix*)))
}
Download all Yara Rules