X-FILES Infostealer: Unraveling a Potent Threat to Global Cybersecurity

Introduction

In the dynamic world of cyber threats, the X-FILES stealer has emerged as a particularly dangerous and sophisticated piece of malware. First discovered in March 2021, this malware gained significant attention after a second variant surfaced later that year. Known for its efficiency in targeting vulnerable systems globally, X-FILES has become a top priority for cybersecurity professionals.

Origins and Evolution

The X-FILES stealer was first identified on a darknet forum in March 2021. Its origin traces back to phishing domains hosted on Russian IPs, with even its Command and Control (C2) panel being hosted on Russian infrastructure. This geographical linkage hints at a sophisticated threat actor, possibly state-sponsored or operating with tacit approval from local authorities.

Posted on dakweb forum on March 2021

What is X-FILES Stealer?

X-FILES is a stealer malware written in the C programming language, designed to infiltrate machines running Windows 7 through Windows 11. It has been actively advertised on dark web forums, where cybercriminals exchange updates and training manuals on its deployment.

System Information collected by the latest variant

The primary objective of X-FILES is to exfiltrate sensitive information from infected systems, including browser data, cookies, passwords, autofill data, credit card information, and even cryptocurrency wallet details.

Stealer's working directory on the host

It includes a customizable logging system with detailed data on each log, notifications through Telegram, and automated updates to keep the tool current with the latest evasion techniques. Security features like GEO-blocking for CIS countries and regular stub cleaning ensure low detection rates, while upcoming features such as VNC configuration collection and automated password decryption signal continuous development, making it a potent threat for organizations.

Key Features and Capabilities and Builder

X-FILES stealer is known for its wide-reaching capabilities, which include support for a diverse array of browsers and over 80 browser-based crypto wallets. The stealer is equipped to collect data from various messengers, encrypt files using its own framework, and execute complex exfiltration processes. Additionally, X-FILES-specific training manuals are available, which further empower cybercriminals to exploit this malware to its full potential.

The files are stored locally in newly-created directories and eventually exfiltrated via Telegram, taking advantage of the anonymity in the communications platform.

Builder image 1

Builder image 2

The malware operates stealthily, avoiding detection while collecting and transmitting critical information back to its operators. Its ability to run on a wide range of Windows versions makes it a versatile tool for cybercriminals.

Pricing and Support:

XFiles Stealer offers a subscription model priced at $200 per month. This subscription provides access to an extensive set of features, including a sophisticated control panel, team management functionalities, and customizable settings for log recording, notifications, and more. The pricing is designed to attract serious users who are looking for a premium stealer with high-level capabilities.

Screenshot shows Pricing and Support

Support Services:

The XFiles Stealer team provides 24/7 customer support through multiple channels, including Telegram, Jabber, TOX, and private messaging on the forum. The support team is highly responsive, assisting users with setup, configuration, and troubleshooting, ensuring smooth operation and satisfaction. Moreover, exclusive training manuals are provided, guiding users on how to profit from the stealer effectively. If a user is unable to achieve the desired results, a refund is offered, reflecting the team’s confidence in

XFiles Malware Enhances Delivery with Follina Exploit

XFiles info-stealing malware now supports Follina delivery, a vulnerability that was first discovered as a zero-day at the end of May and patched by Microsoft on June 14. The attack involves a malicious Word document received through spam email, which contains an OLE object linking to an HTML file with JavaScript code that exploits Follina.

This code retrieves a base64-encoded string with PowerShell commands to establish persistence in the Windows startup directory and execute the malware. The second-stage module, named “ChimLacUpdate.exe,” includes a hardcoded encrypted shellcode and AES decryption key, which is decrypted and executed within the same process. Following infection, XFiles performs typical info-stealer activities.

The resulting shellcode

This code is a typical example of how an attacker might load and execute shellcode within a process. The shellcode is first decrypted using an AES key, allocated in memory, and then executed using the ShellcodeDelegate.

The resulting shellcode

This type of code is often found in malware, where the shellcode performs malicious activities such as spawning a reverse shell or downloading additional payloads.

AES Key and Base String & Decryption and Memory Handling

The provided code snippet is related to decrypting an AES-encrypted string using a specific key. The aes_base is a Base64-encoded string representing the encrypted data, while key is the string used as the decryption key. The decryption is performed by a Decrypt function, which returns a byte array containing the decrypted data.

Detailedof the shellcode

The code also includes memory handling with the fixed statement to pin the location of the byte array in memory, preventing the garbage collector from moving it during operations. This is particularly useful for low-level operations or when working with unmanaged code.

Command and Control Domains

The X-FILES stealer utilizes specific domains for its Command and Control (C2) operations. These domains are critical for the malware's operation, serving as the communication hub between the infected machines and the attackers. The following domains have been identified as part of the X-FILES infrastructure:

These domains play a crucial role in maintaining the malware's functionality, allowing attackers to manage their operations remotely and execute commands on infected systems.

Telegram Integration and Support Channels

XFiles Reborn is an information stealer known for its robust support infrastructure, primarily operating through Telegram. The developers behind XFiles Reborn maintain several Telegram channels and bots to ensure seamless support and communication with their customers. The available channels include:

Subscription Plans XFiles Reborn offers flexible subscription plans tailored to different needs. The current pricing structure includes:

These plans provide customers with access to the XFiles Reborn stealer, including support and updates.

XFiles Reborn Panel

The XFiles Reborn group strongly recommends using Telegram as the primary panel for gathering information from the stealers. This integration allows for easy access and management through the Telegram platform.

XFiles Reborn operation main page

However, for those who prefer a more traditional approach, XFiles Reborn also offers the option to create a “classic” panel on a Command and Control (C2) server provided by the seller. This flexibility ensures that users can choose the method that best suits their operational needs.

How to detect X-FILES?

To detect the X-FILES stealer, organizations should monitor for indicators of compromise (IOCs) such as unusual outbound traffic to known Command and Control (C2) domains, suspicious use of PowerShell commands, and the presence of encryption routines targeting browser and cryptocurrency wallet data. Additionally, keeping an eye on anomalous activity linked to phishing campaigns and using advanced threat detection tools to scan for the malware's specific hash values (MD5, SHA-1, SHA-256) can help identify infected systems before significant damage occurs.

Malware Families and ATT&CK Techniques

X-FILES stealer is associated with several malware families and employs various ATT&CK techniques to achieve its goals. The primary malware families include FILES, Regex, XmlReader, and Oldest.

These families contribute to the stealer's ability to collect and exfiltrate data while evading detection.

The malware also leverages multiple MITRE ATT&CK techniques, including:

Indicators of Compromise (IOCs)

To help detect and mitigate the threat posed by X-FILES stealer, security teams should be on the lookout for the following Indicators of Compromise (IOCs):

These IOCs are critical for identifying systems that may have been compromised by the X-FILES stealer and should be integrated into your organization's threat detection mechanisms.

Expanding Threat Landscape

Enhancing Prevention and Mitigation

Additional Considerations

By incorporating these suggestions, you can create an even more informative and valuable resource for understanding and combating the X-FILES stealer.

Conclusion

The X-FILES stealer is a formidable threat that continues to evolve, posing significant risks to organizations and individuals alike. As it targets sensitive information such as browser credentials, crypto wallets, FTP credentials, and credit card data, it is essential for security professionals to stay vigilant and implement robust security measures to protect against this malware.

At Foresiet Researchers, we are committed to staying ahead of emerging threats like X-FILES. Our team of experts continuously monitors the dark web and other threat vectors to provide our clients with the intelligence they need to safeguard their digital assets.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.