CXCLNT
Type of Malware | Backdoor |
Country of Origin | China |
Targeted Countries | Taiwan |
Date of Initial Activity | 2022 |
Associated Groups | TIDRONE |
Motivation | Cyberwarfare |
Attack Vectors | Software Vulnerabilities |
Targeted Systems | Windows |
Overview
CXCLNT is a sophisticated malware tool that has been observed in recent cyberattacks, notably within the operations of advanced persistent threat (APT) groups. This malware is particularly adept at compromising systems through subtle and effective means, allowing threat actors to maintain long-term control over their targets. Often associated with larger, strategic campaigns aimed at high-value sectors such as military, aerospace, and manufacturing, CXCLNT is not merely a tool for initial system compromise but also a powerful agent for post-exploitation activities. Its advanced functionality enables it to serve a variety of malicious purposes, from data exfiltration to facilitating further attacks on victim networks.
CXCLNT is designed to execute a range of tasks that contribute to the overall effectiveness of an attack campaign. Upon infiltration, CXCLNT establishes persistence on the compromised system so that threat actors retain control even after initial detection attempts by security tooling. Its backdoor functions include file upload and download, clearing traces of its activity, and collecting system information such as the computer name and file listings. Its ability to move laterally within networks and deploy additional malicious payloads further amplifies the threat, as it lets attackers escalate privileges and spread the infection to other interconnected systems.
How they operate
Initial Infection and Execution
CXCLNT typically reaches target systems through the exploitation of vulnerabilities in remote access software or enterprise resource planning (ERP) systems. Once inside, the operators often rely on UltraVNC, a legitimate remote-control program, to drive the victim’s system interactively; through UltraVNC the initial payload can be launched without raising suspicion. That payload is typically executed on the victim’s machine through a remote desktop session or side-loaded from a compromised legitimate application.
Upon execution, CXCLNT copies its essential components into place and registers a new service (commonly referred to as “ASProxys”) that provides persistence. The service is configured to start automatically at boot and launches the binary with the “-s” argument on its command line, so the malware stays active after the victim restarts the system. Together these steps give CXCLNT a low-visibility foothold from which it runs continuously, evading basic security measures.
Privilege Escalation and Post-Exploitation
Once running, the malware seeks to escalate its privileges. CXCLNT does this with its “winsrv.exe” component, which extracts the access token from winlogon.exe (a process that runs as SYSTEM) and impersonates that higher-privileged context. This gives the malware elevated system rights and lets it execute commands with administrative privileges. The elevated privileges are critical, as they allow CXCLNT to carry out further malicious activities, including credential dumping and disabling antivirus protection.
During the post-exploitation phase, CXCLNT employs several techniques to avoid detection and keep control of the infected system. One notable method is the use of User Account Control (UAC) bypass techniques, which let it elevate without the consent prompt that would otherwise alert the user. CXCLNT is also capable of credential dumping, letting attackers extract stored passwords or authentication tokens from the victim’s environment. This data can then be leveraged for lateral movement across the network or to reach further sensitive resources.
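The service installation described under Initial Infection and the winlogon.exe token access described in this section both leave traces in standard Windows telemetry. The Python below is an added example, not code from the original page or from any vendor's product: it flags both behaviours over constructed event records shaped like System log event 7045 (service installation) and Sysmon event 10 (ProcessAccess). The field names, the winsrv.exe path, and the allowlist of legitimate winlogon accessors are assumptions made for the example.

```python
import re

# Process access rights sufficient to open winlogon.exe and reach its token:
# PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_QUERY_LIMITED_INFORMATION (0x1000).
TOKEN_RELEVANT_ACCESS = 0x0400 | 0x1000
# Images that routinely open winlogon.exe on a healthy host (assumed allowlist).
WINLOGON_ACCESSORS = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe"}

def flag_service_install(ev):
    """System log 7045: a new service whose binary takes the bare '-s' start
    argument, or that carries the ASProxys name the page attributes to CXCLNT."""
    if ev.get("EventID") != 7045:
        return None
    image, name = ev.get("ImagePath", ""), ev.get("ServiceName", "")
    if name.lower() == "asproxys" or re.search(r"\s-s(\s|$)", image):
        return f"service persistence: {name} -> {image}"
    return None

def flag_winlogon_access(ev):
    """Sysmon 10 (ProcessAccess): an unexpected image opening winlogon.exe with
    access that permits token extraction and impersonation."""
    if ev.get("EventID") != 10:
        return None
    if not ev.get("TargetImage", "").lower().endswith("\\winlogon.exe"):
        return None
    source = ev.get("SourceImage", "")
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & TOKEN_RELEVANT_ACCESS and source.split("\\")[-1].lower() not in WINLOGON_ACCESSORS:
        return f"winlogon token access: {source} (0x{granted:x})"
    return None

def scan(events):
    """Run every check over every record and return the human-readable hits."""
    hits = []
    for ev in events:
        for check in (flag_service_install, flag_winlogon_access):
            msg = check(ev)
            if msg:
                hits.append(msg)
    return hits

SAMPLE_EVENTS = [  # constructed sample records, not real telemetry
    {"EventID": 7045, "ServiceName": "ASProxys",
     "ImagePath": "C:\\ProgramData\\svc\\winsrv.exe -s"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"EventID": 10, "SourceImage": "C:\\ProgramData\\svc\\winsrv.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1400"},
]
```

Calling `scan(SAMPLE_EVENTS)` returns one hit for the ASProxys service and one for winsrv.exe opening winlogon.exe; the Spooler and csrss.exe records are left alone.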
Anti-Analysis and Anti-Debugging Techniques
To evade detection and analysis, CXCLNT employs multiple anti-analysis techniques. It inspects its parent process by reading the entry point address, checking that it was not launched from a debugger or analysis environment. It also hooks the GetProcAddress API, which Windows programs use to resolve function addresses at run time; by controlling this resolution, CXCLNT alters its flow of execution and hides which functions it actually calls from analysts relying on standard methods.
Another distinctive feature of CXCLNT’s execution flow is its use of “fiber” structures. Instead of starting new threads with standard methods like CreateThread or _beginthread, CXCLNT uses the ConvertThreadToFiber and CreateFiber APIs to create and manage fibers: lightweight, cooperatively scheduled units of execution within a single thread that are less commonly monitored than thread creation. These fibers run a junk code sequence before switching to the intended function, further obfuscating the malware’s true behavior.
Exfiltration and Command and Control
Once CXCLNT has successfully infiltrated the target environment, it begins to collect valuable information. This data includes system details such as the victim’s IP address, MAC address, computer name, product name, and architecture. The collected data is encrypted using custom XOR-based encryption and sent to a command-and-control (C&C) server over an application layer protocol like HTTP/S. The C&C server is responsible for issuing commands to the malware, and additional payloads may be delivered in response to these commands.
CXCLNT also communicates with its C&C server to receive further instructions and additional malicious modules, ensuring that it can remain flexible and adaptable. By receiving new payloads from the C&C server, CXCLNT can continue its operations, ranging from additional espionage to facilitating other malicious actions such as lateral movement and data exfiltration. The encrypted traffic used to send this information further obfuscates the malware’s activities, making it more difficult for security tools to detect and intercept the exfiltration.
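The host-profile beacon and its XOR-based encryption described above can often be unwrapped with a known-plaintext crib, because the analyst already knows the victim's computer name. The Python below is an added example, not code from the page or from the malware itself; it assumes a repeating-key XOR and a '|'-separated field layout, both constructed for the example, and recovers the key from a captured beacon rather than from the binary.

```python
from itertools import cycle

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 16):
    """Slide a known plaintext fragment (crib) across the ciphertext. Where the
    crib really sits, ciphertext XOR crib is a slice of the key stream, so it
    must repeat with the key's period; a candidate is accepted only if it also
    decrypts the whole beacon to printable text. Returns (offset, key) or None."""
    for offset in range(len(ciphertext) - len(crib) + 1):
        fragment = xor_bytes(ciphertext[offset:offset + len(crib)], crib)
        for klen in range(1, min(max_key_len, len(crib) - 1) + 1):
            if any(fragment[j] != fragment[j + klen] for j in range(len(fragment) - klen)):
                continue
            # fragment[j] is key[(offset + j) % klen]; realign the key to offset 0.
            key = bytes(fragment[(i - offset) % klen] for i in range(klen))
            if all(32 <= b < 127 for b in xor_bytes(ciphertext, key)):
                return offset, key
    return None

def parse_beacon(plain: bytes) -> dict:
    """Split the assumed field order matching the details the page lists."""
    names = ["ip", "mac", "computer", "product", "arch"]
    return dict(zip(names, plain.decode("ascii").split("|")))

def analyse(beacon: bytes, known_hostname: str):
    """Use the victim's hostname (known from the endpoint) as the crib."""
    found = recover_key(beacon, known_hostname.encode("ascii"))
    if found is None:
        return None
    _offset, key = found
    return key, parse_beacon(xor_bytes(beacon, key))

# Constructed sample: a host-profile beacon in the assumed '|'-separated
# layout, encrypted with a 4-byte key the analyst does not initially know.
SAMPLE_KEY = b"\x5a\x13\xc7\x2e"
SAMPLE_PLAIN = b"192.0.2.10|00:11:22:33:44:55|WS-LAB-07|Windows 10 Pro|x64"
SAMPLE_BEACON = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(analyse(SAMPLE_BEACON, "WS-LAB-07"))
```

The crib only needs to be longer than the key; a longer crib simply rules out accidental periodicity at wrong offsets more strongly.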
Conclusion
CXCLNT is a highly advanced piece of malware capable of executing a wide range of activities that allow attackers to maintain control over compromised systems. Through its sophisticated execution flow, privilege escalation techniques, anti-analysis measures, and robust command-and-control infrastructure, CXCLNT can effectively infiltrate, persist, and exfiltrate sensitive data from its victims. Its modular architecture and use of custom encryption for communication make it a significant threat to organizations, particularly those involved in military and high-value industrial sectors. Understanding how CXCLNT operates on a technical level is crucial for developing effective defenses and mitigating the potential impact of such malware.
MITRE Tactics and Techniques
Initial Access (T1071 – Application Layer Protocol):
CXCLNT may leverage application layer protocols like HTTP/S to communicate with its command-and-control (C&C) server, facilitating initial access into the victim’s system.
Execution (T1203 – Exploitation for Client Execution):
The malware can be executed by exploiting vulnerabilities in remote desktop or ERP systems, typically using tools like UltraVNC to gain access to the target environment.
Persistence (T1543 – Create or Modify System Process):
CXCLNT achieves persistence by creating or modifying system services (e.g., ASProxys service), ensuring that the malware is executed each time the system is rebooted.
Privilege Escalation (T1075 – Pass the Hash):
The malware escalates privileges by using the “winsrv.exe” payload to extract tokens from Winlogon.exe, allowing it to gain higher-level privileges in the system.
Defense Evasion (T1070 – Indicator Removal on Host):
CXCLNT employs anti-analysis and anti-debugging techniques, such as checking for the parent process and hooking commonly used APIs, to avoid detection by security tools. It can also clear footprints, such as deleting specific files and services after execution.
Credential Dumping (T1003 – Credential Dumping):
During post-exploitation, CXCLNT can dump credentials from the target machine, aiding attackers in acquiring access to further systems or data.
Command and Control (T1071 – Application Layer Protocol):
The malware uses application layer protocols to communicate with the C&C server, enabling the threat actors to send commands and receive additional payloads or instructions.
Exfiltration (T1041 – Exfiltration Over Command and Control Channel):
CXCLNT can exfiltrate collected victim information, such as IP addresses, MAC addresses, and system details, over its communication channel with the C&C server.
Impact (T1486 – Data Encrypted for Impact):
While primarily used for espionage and persistent access, the malware may also facilitate actions like data encryption to disrupt operations or further hide its presence in a victim’s system.