Posted: May 11, 2020

XsFunction Description

XsFunction is a Windows backdoor Trojan that lets attackers control your PC through various commands and file operations. Although it's believed that Aria-body is now replacing it for similar purposes, it remains a danger to infected systems and associated networks. Users can have their anti-malware products remove XsFunction on sight and should stay attentive to potential phishing attacks, particularly over e-mail.

Undertaking Spying with Countless Commands

Watching a Trojan's transition is educational, both for the code and for what it shows about its authors' priorities. Comparisons between XsFunction and the newer Aria-body, for instance, show how the responsible threat actor maintains a desire for near-absolute remote control over infected PCs while not risking detection any more than necessary. It's believed that Aria-body functions as a replacement for or update of the XsFunction backdoor Trojan but, surprisingly, little is different about the attacks they provide.

Both Trojans are customized, in-house tools for the Naikon APT, an Asia-focused hacking group that's best known for compromising the systems of government entities in the APAC region. Embassies and other at-risk entities include those from the nations of Australia, Vietnam, Brunei, and Indonesia, among others. Usually, the infection strategy involves the victim receiving a corrupted e-mail with a corrupted attachment that, after opening, drops a Trojan downloader. This loading component retrieves XsFunction or Aria-body from a remote server and installs it.

XsFunction is a long-term surveillance and control tool, offering features such as:

  • Uploading collected files or downloading new threats for installation
  • Executing arbitrary shell commands
  • Performing operations related to file management (deletion, opening, renaming, moving, etc.) or launching, monitoring and terminating processes

Furthermore, it can extend its functionality with specialized modules for more specific tasks related to data exfiltration, propagation, etc.

Minimizing the Intelligence-Gathering of Software Spies

Like Aria-body, XsFunction gives the Naikon APT a utility for maintaining control over a system for months and, potentially, even converting it into an impromptu C&C server. Of note is its use of already-compromised PCs and accounts for sending phishing messages that propagate its Trojans to related targets, which lends believable identity credentials to its attack. Malware researchers can also confirm numerous internal signs that XsFunction is a less-evolved form of Aria-body, including identical debugging elements, hashes, raw function code and C&C infrastructure.

Users can assume that XsFunction infections will typically hijack other programs' processes via side-loading and similar exploits to avoid detection in the Windows Task Manager. The Naikon APT also uses multiple means of obfuscating its threats, and recent campaigns are notable for dodging the cyber-security industry's automated threat-detecting solutions for years at a time. As always, preventing infections involves monitoring links, e-mail-attached documents, and 'risky' content like macros and scripts, even if their content is highly specific to the recipient employee's workplace.
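One way to hunt for the side-loading behaviour described above, as an added example that is not from the original article or any vendor tooling: it flags image-load events where an unsigned DLL sits beside its host executable in a user-writable directory. Field names follow Sysmon Event ID 7; the events, paths and file names are constructed, and the heuristic is a general hunting rule, not a signature for XsFunction.

```python
from ntpath import basename, dirname, normcase

# Locations that normally require administrator rights to write to.
# A DLL loaded from outside them deserves a closer look.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_protected(path):
    """True when the path lies under an admin-only directory (case-insensitive)."""
    return normcase(path).startswith(PROTECTED_ROOTS)


def find_sideload_candidates(events):
    """Return (host exe, dll) pairs where an unsigned DLL was loaded from the
    host executable's own directory and that directory is user-writable."""
    hits = []
    for ev in events:
        image, dll = ev["Image"], ev["ImageLoaded"]
        same_dir = normcase(dirname(image)) == normcase(dirname(dll))
        unsigned = ev.get("Signed") != "true" or ev.get("SignatureStatus") != "Valid"
        if same_dir and unsigned and not is_protected(dll):
            hits.append((basename(image), basename(dll)))
    return hits


# Constructed sample events; every path and file name here is invented.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"review: {exe} loaded unsigned {dll} from its own directory")
```

Hits are leads for triage rather than verdicts, since some legitimate portable applications ship unsigned DLLs next to their executables.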

XsFunction is an older backdoor Trojan in comparison to Aria-body. Updated anti-malware solutions should flag and remove XsFunction properly, as well as the Trojan downloaders that usually are responsible for installing it.

The operating procedure for XsFunction's admins involves more than just spying on a target: it also turns that target's hardware into a resource and staging ground for even more attacks. With that in mind, victims should react to possible XsFunction attacks as soon as possible to keep a single breach of security from rapidly getting out of hand.
