X-Tunnel is roughly based on XTunnel PortMap.
One of the malware variants used to infiltrate and hack the Democratic National Committee (DNC) back in April 2016 is based on a piece of open source networking utility developed by a Chinese company in the early 2000s.
The malware, codenamed X-Tunnel, is part of the arsenal used by the Fancy Bear APT (also known as Sofacy, APT28, Sednit, Pawn Storm, or Strontium).
Security firm CrowdStrike, who first investigated the DNC hack, says that this group hacked into the DNC servers in April 2016, after another APT called Cozy Bear infiltrated the same servers in the summer of 2015.
X-Tunnel used to safely steal the data without detection
CrowdStrike said Fancy Bear hackers used malware such as X-Agent to penetrate and gather data from the system, and then used X-Tunnel to siphon the stolen goods without getting detected.
The incident has sparked an international scandal because of its official attribution to the Russian government, leaks by a hacker known as Guccifer, and comments made by Donald Trump.
Because of this, CrowdStrike has released the malware found on the DNC servers to the world, so other companies can confirm its findings, which happened pretty quick thanks to a report from Fidelis Cybersecurity.
Now Invincea is releasing its own report, but staying clear away from any “Russian attribution” statements. Their report focuses on X-Tunnel, the malware used to steal the data from the DNC servers.
X-Tunnel could be used as a RAT if Fancy Bear wanted
The company’s malware expert, Pat Belcher, says that this is a one-of-a-kind malware variant that appears to be custom built and used only in limited, targeted attacks, not sharing any similarities with other malware families.
The malware has many capabilities that would allow it to be used as a RAT, a remote access trojan, but it appears that it’s role was to help the crooks steal data from compromised systems.
RAT features discovered inside X-Tunnel’s measly 2MB file include the ability to open SSH connections, encrypt traffic using SSL, access LDAP servers, read/write from Windows Console, compress/decompress data, steal passwords, download/upload files, capture mouse movements, use proxies, modify Windows services, and many other more.
Nevertheless, the vast majority of features found by Invincea’s analysis show a tool designed for data exfiltration above more.
X-Tunnel is based on an open-source network tunneling protocol
Belcher claims that the name X-Tunnel, given to this tool, is not a coincidence. The malware seems to be a rough modification of the XTunnel PortMap open source project by Xten, a Chinese company.
This application was developed on XTunnel, a protocol used in the early days of softphones and VoIP communications, and was used to open connections from firewalled networks to IPs on the outside of the network without having to request system administrators to open special ports.
The XTunnel protocol would probe the firewall on its own, searching for open ports, and use the first port it found to open a connection.
Development on the protocol stopped when Xten was acquired by another company, who closed-source the project, taking it out of the hands of the open-source community.
“The Fancy Bear threat actors used, by today’s standards, a very old, but still reliable network module used for softphone and video and VoIP capabilities to maintain a fully encrypted, end-to-end Remote Access Trojan (RAT),” Belcher explains.
“Previous reports from Crowdstrike and others note that the XTunnel tool was used to maintain network connectivity. Whether the XTunnel tool was used for additional purposes as its capabilities suggest is unknown, but it had the potential to support a full range of additional activity,” Belcher also added, reconfirming X-Tunnel’s additional RAT features.