How XShell Became a Backdoor: Deep Dive into Its Malicious Shellcode

Background

Recently, the XShell remote terminal tool was found to contain malicious code. The vendor issued an advisory urging users to download the latest version, and Tencent Security Lab performed a detailed analysis of the backdoored XShell.

Technical Analysis

Overview

The entire malicious workflow is illustrated in the diagram below.

The attack consists of three stages. In the first stage, a patched XShell binary executes malicious shellcode1, which decrypts and runs shellcode2. In the second stage, shellcode2 checks a registry entry; if the Data key is absent, it collects user information and exfiltrates it via a dynamically generated DGA domain, then writes configuration data back to the registry. In the third stage, if the Data key exists, shellcode3 is decrypted and executed, creating a svchost process and stealing host information.

XShell Startup

When Xshell.exe starts, it loads its nssock2.dll. In the function sub_1000c6c0, it calls VirtualAlloc to allocate memory, decrypts data into that memory, and then executes it.

Shellcode2

After shellcode1 decrypts shellcode2, the latter dynamically loads system functions and calls CoCreateGuid to generate a GUID used later for reporting.

Shellcode2 then creates a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\6094805 (the numeric path is randomly generated). It checks whether a Data value exists to decide the next steps.

If the Data value is missing, the malware reports data using a DGA algorithm that generates a random domain each month.

It gathers the computer name and user name via getNetWorkParam and getUserName, concatenates them with the GUID and a flag, forming a 45‑character payload that is encrypted to 90 characters.

The long domain is then sent to a public DNS resolver, which forwards the encoded host information to the attacker’s server.

Subsequently, the malware calls recvfrom to receive data from the server, writes the received data into the previously created registry Data value under HKEY_CURRENT_USER\SOFTWARE\6094805.

Shellcode3

When the Data value exists, shellcode3 is decrypted using the previously obtained key1 and key2, then executed. It creates a log file at C:\ProgramData\CCGQWCSHACMOQORUAAAYKK and writes collected data.

Finally, it spawns a fake svchost.exe process, injects the malicious code, and runs it.

Indicators of Compromise (IOC)

The monthly DGA algorithm generates the following domains:

ribotqtonut.com (July 2017) nylalobghyhirgh.com (August 2017) jkvmdmjyfcvkf.com (September 2017) bafyvoruzgjitwr.com (October 2017) xmponmzmxkxkh.com (November 2017) tczafklirkl.com (December 2017)

SHA‑256 hashes of the malicious binaries:

462a02a8094e833fd456baf0a6d4e18bb7dab1a9f74d5f163a8334921a4ffde8 696be784c67896b9239a8af0a167add72b1becd3ef98d03e99207a3d5734f6eb 536d7e3bd1c9e1c2fd8438ab75d6c29c921974560b47c71686714d12fb8e9882 c45116a22cf5695b618fcdf1002619e8544ba015d06b2e1dbf47982600c7545f 515d3110498d7b4fdb451ed60bb11cd6835fcff4780cb2b982ffd2740e1347a0

Remediation Recommendations

1. NetSarang has issued an advisory; affected users should upgrade to the latest version immediately. 2. Administrators should monitor DNS queries for the listed malicious domains and investigate any occurrences. 3. Infected machines should be cleaned, and passwords for compromised servers should be changed promptly.