X-FILES Stealer Evolution - An Analysis and Comparison Study

Zscaler’s ThreatLabz threat research team recently spotted a new variant of the emerging X-FILES infostealer with enhanced capabilities for exfiltrating sensitive information. X-FILES is a stealer that targets credentials and financial data.


This blog walks through the differences between the X-FILES variants we have observed so far, including differences in features, attack chains, and command-and-control (C2) patterns. Following the in-depth analysis, we include a tabular feature comparison.

  • X-FILES stealer was first observed in March 2021 by 3xp0rt. A second variant was observed in December 2021, again by 3xp0rt.

  • In June 2022, ThreatLabz discovered a revised version of the stealer.

  • We have observed that the malware is mostly delivered from phishing domains hosted on Russian IP addresses. Even the C2 panel for the latest variant (xfilesreborn[.]ru) is hosted on a Russian IP address (46[.]8[.]153[.]137).

  • Threat actors have recently been observed exploiting the Follina vulnerability (CVE-2022-30190, the Microsoft Support Diagnostic Tool remote code execution flaw) to deliver X-FILES stealer.

  • Like other infostealers, X-FILES aims to steal and exfiltrate sensitive information such as saved browser credentials, cryptocurrency wallets, FTP credentials, and credit card information.

  • All the variants we have encountered are written in C#, with new features added over time by the threat actors.

  • With the latest variant, the threat actors have switched to storing strings of interest (paths, URLs, and similar indicators) as Base64 rather than in plaintext. Base64 is an encoding, not encryption, so this defeats only a naive strings-based triage and the values are trivially recoverable once the encoded runs are located. Changes in C2 patterns are also observed.

  • Our ..
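Because the latest variant keeps its interesting strings Base64-encoded, a first triage step is to pull every Base64-looking run out of the binary and decode the ones that come back as readable text. The script below is an added example written for this post; it is not ThreatLabz tooling and not code from the X-FILES sample. It assumes nothing about the real sample's layout beyond what the page states (C# binary, Base64 strings): the sample bytes, the Windows path and the URL it recovers are constructed for the demo and are not X-FILES indicators. Because .NET stores string literals as UTF-16LE in the #US heap, the scanner looks for Base64 runs in both plain ASCII form and UTF-16LE form (each character followed by a null byte), which a plain ASCII `strings` pass would miss.

```python
import base64
import binascii
import re

# Constructed demo blob (not a real X-FILES sample). It embeds one Base64 literal
# as plain ASCII and one as UTF-16LE, the way .NET lays out string literals.
PATH = "\\Google\\Chrome\\User Data\\Default\\Login Data"   # made-up decoded value
C2 = "http://c2.example.invalid/gate.php"                   # made-up, RFC 2606 reserved name
SAMPLE = (
    b"\x00\x01\x00"
    + base64.b64encode(PATH.encode("utf-8"))                                   # ASCII run
    + b"\x00\x00"
    + base64.b64encode(C2.encode("utf-8")).decode("ascii").encode("utf-16-le") # UTF-16LE run
    + b"\x00\x00"
    + b"NotBase64!!"                                                           # too short, ignored
)

# A Base64 run: at least 12 alphabet characters, optionally padded. The UTF-16LE
# variant is the same alphabet with a null byte after every character.
ASCII_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
UTF16_RUN = re.compile(rb"(?:[A-Za-z0-9+/]\x00){12,}(?:=\x00){0,2}")


def _looks_like_text(s: str) -> bool:
    """Accept only printable ASCII (plus tab/CR/LF) of a useful length."""
    return len(s) >= 4 and all(32 <= ord(c) < 127 or c in "\t\r\n" for c in s)


def decode_candidate(token: bytes):
    """Base64-decode one run; return the text if the result reads as a string, else None.

    Tries UTF-8 first and UTF-16LE second, since a C# author may have encoded either.
    Random alphabet runs (identifiers, hashes) decode to binary and are rejected.
    """
    padded = token + b"=" * (-len(token) % 4)   # repair padding the regex may have cut
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    return None


def extract_base64_strings(blob: bytes) -> list:
    """Return decoded text for every plausible Base64 run in blob, ASCII then UTF-16LE."""
    found = []
    for m in ASCII_RUN.finditer(blob):
        text = decode_candidate(m.group(0))
        if text:
            found.append(text)
    for m in UTF16_RUN.finditer(blob):
        token = m.group(0).decode("utf-16-le").encode("ascii")
        text = decode_candidate(token)
        if text:
            found.append(text)
    return found


if __name__ == "__main__":
    for s in extract_base64_strings(SAMPLE):
        print(repr(s))
```

Run it against a real file with `extract_base64_strings(open(path, "rb").read())`; the UTF-16LE pass is what recovers literals sitting in the managed string heap, and the text filter drops the many legitimate Base64-looking identifiers a .NET assembly contains. A Base64 indicator is only an encoding, so treat any decoded path, domain, or URL as a lead to confirm in a sandbox rather than as proof on its own.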
