XWorm: Analyzing New Infection Tactics With Old Payload
Dec. 5, 2024, 9:54 a.m.
Description
A recent malware campaign uses a multi-stage infection chain that begins with an LNK file which lures the victim into opening what appears to be an invoice in a web browser. The chain relies on PowerShell commands, batch files, and Python scripts to download and execute the XWorm payload. During infection, a ZIP file containing Python setup files and scripts is downloaded; one of those scripts is malicious and is responsible for decrypting the shellcode and injecting it. The XWorm variant used is an older version that includes an Xlogger module for tracking user activity. The malware's capabilities include shellcode injection and keylogging, which enable it to steal sensitive information and exfiltrate it to a remote server.
Date
Published: Dec. 4, 2024, 5 p.m.
Created: Dec. 4, 2024, 5 p.m.
Modified: Dec. 5, 2024, 9:54 a.m.
Attack Patterns
XWorm
T1059.005
T1055.002
T1113
T1071.001
T1592
T1027
T1056