BleepingComputer reports that threat actors have updated the XLoader botnet malware to use probability theory to better conceal its command-and-control servers, without any need to change infrastructure.
Based on Formbook, the XLoader info-stealer already disguised its C2 in version 2.3 by hiding the real domain among 63 decoys in a 64-entry list; the newer 2.5 and 2.6 versions go further and overwrite eight of the 64 domains in the configuration list with randomly chosen entries, according to a Check Point report.

"If the real C&C domain appears in the second part of the list, it is accessed in every cycle once in approximately every 80-90 seconds. If it appears in the first part of the list, it will be overwritten by another random domain name... The eight domains that overwrite the first part of the list are chosen randomly, and the real C&C domain might be one of them. In this case, the probability that a real C&C server will be accessed in the next cycle is 7/64 or 1/8 depending on the position of the 'fake c2 (2)' domain," said researchers.
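The figures in the quote follow from a simple model of the overwrite scheme. The script below is an added illustration written for this page; it is not XLoader code, Check Point's analysis tooling, or anything from BleepingComputer. It assumes a layout the page does not spell out: a 64-entry list whose "first part" is the eight slots that get overwritten each cycle, replacements drawn at random without replacement from the full configuration list, and the "fake c2 (2)" entry optionally occupying one of those eight slots so that only seven random draws remain. All domain names are constructed placeholders.

```python
"""Toy model of the XLoader 2.5/2.6 decoy-overwrite scheme quoted above.

ADDED EXAMPLE, not XLoader, Check Point or BleepingComputer code. The exact list
layout is not described on the page; everything marked "assumption" is ours.
"""
import random
from fractions import Fraction

LIST_SIZE = 64          # 63 decoys + 1 real C2, per the Check Point description
OVERWRITTEN_SLOTS = 8   # assumption: the "first part" is exactly the 8 overwritten entries
CYCLE_SECONDS = 85      # midpoint of the 80-90 s cycle quoted above

# Constructed config list: placeholder names, not real XLoader domains.
DECOYS = [f"decoy{i:02d}.example" for i in range(LIST_SIZE - 1)]
REAL_C2 = "real-c2.example"
FAKE_C2_2 = "fake-c2-2.example"   # stands in for the "fake c2 (2)" entry (assumed role)


def build_list(real_in_first_part: bool) -> list[str]:
    """Place the real C2 either inside the overwritten slots or after them."""
    domains = list(DECOYS)
    domains.insert(0 if real_in_first_part else LIST_SIZE - 1, REAL_C2)
    return domains


def next_cycle(config: list[str], rng: random.Random, fake_c2_reserves_slot: bool) -> list[str]:
    """Return the domains contacted in one cycle.

    Assumed mechanism: the first OVERWRITTEN_SLOTS entries are replaced by domains
    drawn at random (without replacement) from the original config list. If the
    'fake c2 (2)' entry takes one of those slots, only 7 random draws remain.
    """
    picks = OVERWRITTEN_SLOTS - (1 if fake_c2_reserves_slot else 0)
    replacements = rng.sample(config, picks)
    if fake_c2_reserves_slot:
        replacements.append(FAKE_C2_2)
    return replacements + config[OVERWRITTEN_SLOTS:]


def analytic_probability(real_in_first_part: bool, fake_c2_reserves_slot: bool) -> Fraction:
    """P(real C2 contacted in the next cycle) under the assumed mechanism."""
    if not real_in_first_part:
        return Fraction(1)  # never overwritten, so contacted every cycle
    picks = OVERWRITTEN_SLOTS - (1 if fake_c2_reserves_slot else 0)
    return Fraction(picks, LIST_SIZE)  # survives only if re-drawn as a replacement


def simulate(real_in_first_part: bool, fake_c2_reserves_slot: bool,
             cycles: int = 20_000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability (seeded, so it is repeatable)."""
    rng = random.Random(seed)
    config = build_list(real_in_first_part)
    hits = sum(REAL_C2 in next_cycle(config, rng, fake_c2_reserves_slot)
               for _ in range(cycles))
    return hits / cycles


def mean_gap_seconds(p: Fraction) -> float:
    """Average time between real C2 contacts: one cycle divided by the per-cycle probability."""
    return CYCLE_SECONDS / float(p)


if __name__ == "__main__":
    for first, fake in [(False, False), (True, False), (True, True)]:
        p = analytic_probability(first, fake)
        print(f"real C2 in first part={first!s:5} fake c2 (2) in slot={fake!s:5} "
              f"P={p} (sim {simulate(first, fake):.3f}) "
              f"mean gap ~{mean_gap_seconds(p) / 60:.1f} min")
```

The practical takeaway for detection is the last column: under this model a real C2 placed in the first part is beaconed roughly once every 11-13 minutes rather than every 80-90 seconds, while the decoys are contacted far more often, so a "most frequently contacted domain" heuristic on a single host's traffic points at decoys, not the real server.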