
XsFunction

Posted: May 11, 2020

XsFunction is a Windows backdoor Trojan that lets attackers control your PC through a wide range of commands and file operations. Although Aria-body is believed to be replacing it for similar purposes, it remains a danger to infected systems and the networks connected to them. Users should let their anti-malware products remove XsFunction on sight and should stay alert to potential phishing attacks, particularly over e-mail.

Undertaking Spying with Countless Commands

Watching a Trojan's transition from one version to the next is educational, both for the code and for what it reveals about the threat actor's priorities. Comparing XsFunction with the newer Aria-body, for instance, shows how the responsible threat actor keeps pursuing near-absolute remote control over infected PCs while avoiding any more risk of detection than necessary. Aria-body is believed to be a replacement for, or an update of, the XsFunction backdoor Trojan, yet surprisingly little differs in the attacks the two provide.

Both Trojans are customized, in-house tools of the Naikon APT, an Asia-focused hacking group best known for compromising the systems of governments in the Asia-Pacific (APAC) region. At-risk embassies and other entities include those of Australia, Vietnam, Brunei, and Indonesia, among others. The infection strategy usually involves the victim receiving a malicious e-mail with a malicious attachment that, once opened, drops a Trojan downloader. This loading component retrieves XsFunction or Aria-body from a remote server and installs it.

XsFunction is a long-term surveillance and control tool, offering features such as:

  • Uploading collected files to the attackers or downloading new threats for installation
  • Executing arbitrary shell commands
  • Performing file-management operations (deletion, opening, renaming, moving, etc.) and launching, monitoring and terminating processes

Furthermore, it can extend its functionality with specialized modules for more specific tasks, such as data exfiltration and propagation.

Minimizing the Intelligence-Gathering of Software Spies

Like Aria-body, XsFunction gives the Naikon APT a utility for maintaining control over a system for months and, potentially, even converting it into an impromptu C&C server. Of note is the group's use of already-compromised PCs and accounts to send phishing e-mails that propagate its Trojans to related targets, which lends the attack the credibility of a trusted sender. Malware researchers also can confirm numerous internal signs that XsFunction is a less-evolved form of Aria-body, including identical debugging artifacts, hashes, raw function code and C&C infrastructure.

Users can assume that XsFunction infections will typically hide inside other programs' processes via DLL side-loading and similar techniques, so that they do not stand out in the Windows Task Manager. The Naikon APT also uses multiple means of obfuscating its threats, and recent campaigns are notable for evading the cyber-security industry's automated threat-detection solutions for years at a time. As always, preventing infections involves scrutinizing links, e-mail-attached documents, and 'risky' content like macros and scripts, even when that content is highly specific to the recipient employee's workplace.

XsFunction is an older backdoor Trojan in comparison to Aria-body. Updated anti-malware solutions should flag and remove XsFunction properly, as well as the Trojan downloaders that usually are responsible for installing it.

The operating procedure of XsFunction's operators involves not just spying on a target but also turning that target's hardware into a resource and staging ground for further attacks. With that in mind, victims should react to possible XsFunction attacks as soon as possible to prevent a single security breach from getting out of hand rapidly.
