S0117 XTunnel
XTunnel is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. 1 2 3
Item | Value |
---|---|
ID | S0117 |
Associated Names | Trojan.Shunnael, X-Tunnel, XAPS |
Type | MALWARE |
Version | 2.1 |
Created | 31 May 2017 |
Last Modified | 21 March 2020 |
Associated Software Descriptions
Name | Description |
---|---|
Trojan.Shunnael | 4 |
X-Tunnel | 14 |
XAPS | 3 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | XTunnel has been used to execute remote commands. 1 |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.002 | Asymmetric Cryptography | XTunnel uses SSL/TLS and RC4 to encrypt traffic. 2 3 |
enterprise | T1008 | Fallback Channels | The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port. 3 |
enterprise | T1046 | Network Service Discovery | XTunnel is capable of probing the network for open ports. 2 |
enterprise | T1027 | Obfuscated Files or Information | A version of XTunnel introduced in July 2015 used opaque predicates and other techniques to obfuscate the binary, likely in an attempt to bypass security products. 3 |
enterprise | T1027.001 | Binary Padding | A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products. 3 |
enterprise | T1090 | Proxy | XTunnel relays traffic between a C2 server and a victim. 1 |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | XTunnel is capable of accessing locally stored passwords on victims. 2 |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0007 | APT28 | 5 4 6 7 |
References
- Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.