1. Home
  2. Software
  3. XTunnel

XTunnel

XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by APT28 during the compromise of the Democratic National Committee. [1] [2] [3]

ID: S0117
Associated Software: Trojan.Shunnael, X-Tunnel, XAPS
Type: MALWARE
Platforms: Windows
Version: 2.1
Created: 31 May 2017
Last Modified: 21 March 2020

Associated Software Descriptions

Name Description
Trojan.Shunnael

[4]
X-Tunnel

[1][4]
XAPS

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

XTunnel has been used to execute remote commands.[1]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

XTunnel uses SSL/TLS and RC4 to encrypt traffic.[2][3]
Enterprise T1008 Fallback Channels

The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port.[3]
Enterprise T1046 Network Service Discovery

XTunnel is capable of probing the network for open ports.[2]
Enterprise T1027 Obfuscated Files or Information

A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.[3]
.001 Binary Padding

A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.[3]
Enterprise T1090 Proxy

XTunnel relays traffic between a C2 server and a victim.[1]
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

XTunnel is capable of accessing locally stored passwords on victims.[2]

Groups That Use This Software

ID Name References
G0007 APT28

[5][4][6][7]

References

  1. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  2. Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  3. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  4. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  1. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  2. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  3. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.