XWorm: Analysis of Latest Version and Execution Flow
Oct. 3, 2024, 4:21 p.m.
Description
XWorm, a versatile tool first seen in 2022, lets attackers steal sensitive information, gain remote access, and deploy additional malware. The infection chain of the latest version begins with a Windows Script File that downloads a PowerShell script from paste.ee. This script drops multiple files, establishes persistence through a scheduled task, and notifies the attacker via Telegram. The malware uses evasion techniques, including reflective loading of a DLL loader, which in turn injects XWorm into a legitimate process. New features include plugin removal and a network command that reports response time. The analysis covers the entire execution flow, from initial infection to execution of the final payload, highlighting the sophistication of this threat.
Date
Published: Oct. 3, 2024, 3:16 p.m.
Created: Oct. 3, 2024, 3:16 p.m.
Modified: Oct. 3, 2024, 4:21 p.m.
Indicators
Attack Patterns
Xworm
T1102.002
T1053.005
T1064
T1059.005
T1059.003
T1059.001
T1095
T1055
T1140
T1027