XWorm: Analysis of Latest Version and Execution Flow

Oct. 3, 2024, 4:21 p.m.

Description

XWorm, a versatile tool discovered in 2022, lets attackers steal sensitive information, obtain remote access, and deploy additional malware. In the latest version the infection chain begins with a Windows Script File (WSF) that downloads a PowerShell script from paste.ee. That script drops several files, establishes persistence through a scheduled task, and notifies the attacker via Telegram. The malware uses evasion techniques including reflective loading of a DLL loader, which then injects XWorm into a legitimate process. New features include plugin removal and a network command that reports response time. The analysis covers the entire execution flow, from initial infection to execution of the final payload, highlighting the sophistication of this threat.

Date

Published: Oct. 3, 2024, 3:16 p.m.

Created: Oct. 3, 2024, 3:16 p.m.

Modified: Oct. 3, 2024, 4:21 p.m.

Indicators


Attack Patterns

Xworm

T1102.002 - Web Service: Bidirectional Communication

T1053.005 - Scheduled Task/Job: Scheduled Task

T1064 - Scripting

T1059.005 - Command and Scripting Interpreter: Visual Basic

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

T1059.001 - Command and Scripting Interpreter: PowerShell

T1095 - Non-Application Layer Protocol

T1055 - Process Injection

T1140 - Deobfuscate/Decode Files or Information

T1027 - Obfuscated Files or Information