Technical Analysis of Xloader Versions 6 and 7 | Part 1 www.zscaler.com/blogs/sec…

Xloader is a malware family that is the successor to Formbook with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more applications and features to increase the volume of data collection that can be sold or used in further attacks. With each update, Xloader’s code includes increasingly complex layers of encryption and obfuscation to complicate analysis. Previously, Zscaler ThreatLabz examined version 4.3 of Xloader, which introduced multi-layer code encryption to conceal its key components.

This blog is a two-part series that provides a technical analysis of the updates to Xloader in versions 6 and 7. The first part of this series covers the malware's latest obfuscation techniques to evade detection and hinder analysis. The second part of this blog series will examine the command-and-control (C2) communication.
