Skip to content

S0117 XTunnel

XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. 1 2 3

Item Value
ID S0117
Associated Names Trojan.Shunnael, X-Tunnel, XAPS
Type MALWARE
Version 2.1
Created 31 May 2017
Last Modified 21 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Trojan.Shunnael 4
X-Tunnel 14
XAPS 3

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell XTunnel has been used to execute remote commands.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography XTunnel uses SSL/TLS and RC4 to encrypt traffic.23
enterprise T1008 Fallback Channels The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port.3
enterprise T1046 Network Service Discovery XTunnel is capable of probing the network for open ports.2
enterprise T1027 Obfuscated Files or Information A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.3
enterprise T1027.001 Binary Padding A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.3
enterprise T1090 Proxy XTunnel relays traffic between a C2 server and a victim.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files XTunnel is capable of accessing locally stored passwords on victims.2

Groups That Use This Software

ID Name References
G0007 APT28 5467

References

Back to top