XRed

According to eSentire, XRed, also known as the Synaptics worm, is a backdoor that has been circulating since at least 2019. It was initially spread through drivers bundled with USB-C hub adapters, which served as its primary distribution vector. Once executed, the backdoor self-replicates and creates a Windows Registry Run key to maintain persistence. It also uses a mutex named Synaptics2X to ensure that only one instance of the malware runs at a time.

XRed includes several features for remote control and data exfiltration. It can download additional payloads from hardcoded URLs embedded in its binary. It exfiltrates system information, such as the MAC address, username and computer name, over SMTP to hardcoded email addresses, and it implements keylogging through keyboard hooking. It further supports a set of remote commands that give the attacker command prompt access and allow capturing screenshots, listing available disks and directories, downloading files from remote sources, and deleting files from the infected system.

XRed also exhibits worm-like behaviour: it spreads through USB drives by creating an autorun.inf file, and it infects macro-enabled Excel files (.xlsm) by injecting a malicious VBA macro into them.

The malware uses a hardcoded dynamic DNS domain (xred.mooo.com) to communicate with its command and control server; this domain serves as an identifying feature of the family. According to researchers at eSentire, linguistic evidence in the malware's code suggests that the developer is a native Turkish speaker.
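The traits listed above (the xred.mooo.com lookup, the Synaptics2X mutex, Run-key persistence, autorun.inf written to removable media, and .xlsm files touched by something other than Excel) translate directly into host-based triage rules. The script below is an added example written for this page; it is not eSentire's or the tracker's code. It runs over a handful of constructed, Sysmon-style telemetry records (a hypothetical schema, not real XRed logs): only the C2 domain and the mutex name come from the write-up and are scored "high", while the Run-key path and the autorun.inf/.xlsm heuristics are generic behaviours that also occur legitimately, so they are scored "medium" and are meant to be corroborated, not alerted on alone.

```python
"""Rule-based triage of endpoint telemetry for the XRed traits described above.

Added example, not vendor code.  SAMPLE_EVENTS is constructed to resemble
Sysmon/EDR telemetry; hostnames, file paths and the "svc.exe" image name are
made up for illustration and are not XRed artefacts.
"""
from dataclasses import dataclass

XRED_C2_DOMAIN = "xred.mooo.com"   # hardcoded DDNS domain named in the write-up
XRED_MUTEX = "Synaptics2X"         # single-instance mutex named in the write-up
# Generic Run-key suffix (HKCU or HKLM); the value name XRed uses is not given here.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


@dataclass
class Finding:
    host: str
    indicator: str
    confidence: str   # "high": XRed-specific IOC, "medium": generic behaviour
    event: dict


def _dns_matches(query: str) -> bool:
    """Exact or subdomain match, case-insensitive, tolerating a trailing dot."""
    q = query.lower().rstrip(".")
    return q == XRED_C2_DOMAIN or q.endswith("." + XRED_C2_DOMAIN)


def classify(event: dict):
    """Return (indicator, confidence) if the event matches an XRed trait, else None."""
    kind = event.get("type")
    if kind == "dns_query" and _dns_matches(event.get("query", "")):
        return "c2_domain_lookup", "high"
    if kind == "mutex_create" and event.get("name") == XRED_MUTEX:
        return "synaptics2x_mutex", "high"
    if kind == "registry_set" and event.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        return "run_key_persistence", "medium"
    if kind == "file_write":
        path = event.get("path", "").lower()
        if path.endswith("\\autorun.inf") and event.get("drive_type") == "removable":
            return "autorun_inf_on_removable", "medium"
        # A macro-enabled workbook rewritten by a process that is not Excel itself.
        if path.endswith(".xlsm") and not event.get("image", "").lower().endswith("excel.exe"):
            return "xlsm_modified_by_non_excel", "medium"
    return None


def scan_events(events):
    findings = []
    for e in events:
        match = classify(e)
        if match:
            indicator, confidence = match
            findings.append(Finding(e["host"], indicator, confidence, e))
    return findings


def hosts_with_high_confidence(findings):
    """Hosts that hit an XRed-specific IOC, not just a generic behaviour."""
    return sorted({f.host for f in findings if f.confidence == "high"})


def summarize(findings):
    """Map each host to the sorted list of distinct indicators seen on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.indicator)
    return {h: sorted(ind) for h, ind in per_host.items()}


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "dns_query", "query": "xred.mooo.com",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"host": "WS-01", "type": "mutex_create", "name": "Synaptics2X",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},
    {"host": "WS-01", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "svc"},
    {"host": "WS-02", "type": "dns_query", "query": "www.example.com",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    {"host": "WS-02", "type": "registry_set",            # benign Run key: medium only
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive"},
    {"host": "WS-02", "type": "file_write", "path": "C:\\Users\\bob\\budget.xlsm",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"},
    {"host": "WS-03", "type": "file_write", "path": "E:\\autorun.inf", "drive_type": "removable",
     "image": "C:\\Users\\carol\\AppData\\Roaming\\svc.exe"},
    {"host": "WS-03", "type": "file_write", "path": "E:\\Reports\\q1.xlsm", "drive_type": "removable",
     "image": "C:\\Users\\carol\\AppData\\Roaming\\svc.exe"},
]

if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:6} {f.confidence:6} {f.indicator}")
    print("escalate:", hosts_with_high_confidence(results))
```

WS-01 hits both high-confidence IOCs and is the only host worth escalating on this evidence; WS-02's Run-key write is a normal OneDrive autostart and stays at medium, and WS-03 shows the USB/Excel spreading pattern without a network or mutex IOC, which is the case where a DNS or mutex check on that host would be the next step.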

Last 7 days (C2 hosts observed per day)

Apr 14, 2026: 1
Apr 13, 2026: 1
Apr 12, 2026: 1
Apr 11, 2026: 2
Apr 10, 2026: 1
Apr 9, 2026: 1
Apr 8, 2026: 1

Further Reading