Take a Product Tour Request a Demo Cybersecurity Assessment Contact Us

Blogs

The latest cybersecurity trends, best practices, security vulnerabilities, and more

XWorm’s Evolving Infection Chain: From Predictable to Deceptive

The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks. While email and .lnk files remain common initial access vectors, XWorm now also leverages legitimate-looking .exe filenames to disguise itself as harmless applications, exploiting user and system trust. This marks a shift towards combining social engineering with technical attack vectors for greater effectiveness.

A stealthy .lnk file, commonly spread via phishing emails, initiates a complex infection. Executing the .lnk triggers malicious PowerShell commands that drop a ‘.txt’ file and download a deceptive 'discord.exe'. 'discord.exe' then drops 'main.exe' and 'system32.exe', with the latter being the XWorm malware payload. This multi-stage deployment, employing misdirection, aims for deep system entrenchment and evasion.

Infection chain

Figure 1: Infection chain
Figure 1: Infection chain

Technical analysis

.lnk file

Executing the .lnk file initiates a malicious PowerShell script that runs a hidden command. Initially, it drops a text file to the \Temp\ directory named `payload.txt` containing the text “domethelegandary-ontop hackingtest f**ked”. Following this, it connects to `(hxxp://85[.]203[.]4[.]232:5000/Discord.exe)`, downloads the `discord.exe` file to the Temp\ directory, starts the executable, and then Powershell exits.

Figure 2: The content in the .lnk file is base64 encoded
Figure 2: The content in the .lnk file is base64 encoded

Figure 3: Readable content after decoding.
Figure 3: Readable content after decoding.

Discord.exe

The second phase of the attack involves the execution of a malicious `.net` executable named `Discord.exe`. This file, disguised with a legitimate Discord application icon, utilizes sophisticated packing techniques to evade detection. Upon execution, the deceptive `discord.exe` drops two additional malicious files, `main.exe` and `system32.exe`, into the compromised system's directories as below.

Figure 4: Process tree
Figure 4: Process tree

Immediately following their creation, `discord.exe` proceeds to launch both `main.exe` and `system32.exe`, unleashing their respective payloads. A critical observation in this attack chain is the deliberate naming of one of the dropped executables as `system32.exe`, a name that directly imitates a legitimate and vital Windows operating system file. This tactic is likely employed to blend in with legitimate system processes, making it harder for users to distinguish it as a threat. The heavy packing of the initial executable, combined with the dropping of identically named system files, indicates a well-planned attempt at stealth and persistence within the victim's environment.

Figure 5: Function to write the data and run the process
Figure 5: Function to write the data and run the process

Main.exe

The next stage involves a heavily packed executable ‘main.exe’. Its large resource section is often utilized to store embedded malicious components. Upon execution, the file drops a collection of subsidiary files. This includes several `.pyd` (Python Dynamic Module) files, which are typically used to extend Python functionality, and a crucial component named `main.dll`.

Figure 6: Raw size of .rsrc
Figure 6: Raw size of .rsrc

Figure 7: Content .rsrc
Figure 7: Content .rsrc

A key objective of the .exe is to disable the Windows Firewall and also check for the presence of third-party security applications, indicating a clear intent to remove obstacles for subsequent malicious activities and to evade detection. This persistence mechanism ensures the firewall remains disabled across system reboots, leaving the system vulnerable.

Figure 8: Files dropped on main.exe execution
Figure 8: Files dropped on main.exe execution

The malware achieves firewall disablement by creating a specific registry entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DisableFirewall".

Figure 9: Dialog opened on execution 'main.exe'
Figure 9: Dialog opened on execution ‘main.exe’

Then `main.exe` also attempts to execute the `run_code` function within `main.dll`. This `main.dll` is notable for two reasons: it possesses only a single export function, `run_code`, and it incorporates two TLS (Thread Local Storage) callbacks. These callbacks enable code execution very early in the process's lifecycle, prior to the main entry point, which complicates both analysis and detection. Further investigation indicates that `main.dll` was compiled using the Nuitka Python compiler.

Nuitka's conversion of Python code into standalone executables or extension modules can hinder attempts to reverse engineer the original Python logic.

Figure 10: Dll load referring strings
Figure 10: Dll load referring strings

System32.exe (XWorm)

The .NET executable pauses upon initiation, a tactic to evade security detection or ensure system stability.

  1. It then checks for virtual environments (e.g., security sandboxes).
  2. If a virtualized environment is detected, the executable self-terminates using a ".failfast" mechanism to prevent analysis.
  3. If a non-virtualized environment is detected, it proceeds with malicious activities.
  4. It creates a duplicate of itself, named "Xclient.exe," which becomes the primary operational entity for persistence.

Powershell

The executable uses PowerShell commands to compromise host security.

  1. It adds its path and process to exclusion lists using `ExecutionPolicy Bypass Add-MpPreference -ExclusionPath` and `ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess`.
  2. `ExecutionPolicy Bypass` is vital for bypassing PowerShell's default security, allowing unsigned or untrusted scripts to run.
  3. This attempts to circumvent real-time monitoring and scanning by antivirus and endpoint protection, allowing the malware to operate undetected.
Figure 11: Powershell commands
Figure 11: Powershell commands

Scheduled tasks

The XWorm executable creates a scheduled task called "XClient" to maintain its presence and continuous operation.

  1. This task is set to run every minute to ensure persistence through reboots or termination attempts.
  2. The command used is `\"C:\\Windows\\System32\\schtasks.exe\" /create /f /RL HIGHEST /sc minute /mo 1 /tn \"XClient\" /tr`.
Figure 12: Scheduled tasks
Figure 12: Scheduled tasks

Persistence

The executable adds an entry to the Windows Registry for automatic execution upon system startup.

  1. The entry is located at `HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XClient`.
Figure 13: Registry entry
Figure 13: Registry entry

Sophisticated interplay of cryptography

The malware uses the Rijndael cipher block to build a strong decryptor.

  1. Rijndael is a secure symmetric-key algorithm, indicating the attackers intent to protect operational data.
  2. The malware combines Base64 decoding with Rijndael decryption for complexity and concealment.
  3. Base64 encoding, used for representing binary data as ASCII strings, suggests a multi-layered data concealment strategy.
  4. Base64-encoded strings are fed into the Rijndael decryptor for final decryption.
Figure 14: Decryption of C2
Figure 14: Decryption of C2

Figure 15: Decryption of strings Xclient.exe
Figure 15: Decryption of strings Xclient.exe

This two-stage decoding is key to uncovering critical, sensitive operational data that drives the malware. This includes crucial Command and Control (C2) data—such as IP addresses, domain names, and server port numbers—which enables the attacker to communicate with and control compromised systems, receive instructions, exfiltrate data, or download more malicious modules.

Figure 16: Decryption of strings, <XWormmm>
Figure 16: Decryption of strings,<XWormmm>

The decryption process, using Rijndael and Base64, uncovers vital malware strings beyond C2 information. These strings contain configuration data, internal commands, and identifiers crucial for the operation of the malware, such as its replacement name for evasion and its intrinsic name for tracking or identification within a malware family. This dual decoding method is key to securing and delivering the malware's core intelligence..

Evading analysis

The malware creates a mutex named "1JJyHGXN8Jb9yEZG". This crucial step serves as a self-preservation mechanism, ensuring that only a single instance of the malicious payload can execute on the compromised system at any given time, thereby preventing potential conflicts or detection by duplicate processes.

Figure 17:  Virtual environment check
Figure 17: Virtual environment check

Once this foundational control is established, the malware proceeds to meticulously gather reconnaissance on its host environment. It systematically queries the computer system to acquire a comprehensive profile of the machine, specifically targeting information such as the computer name, the manufacturer of the system, and the specific model. This data extraction is accomplished through the strategic use of ".lateindexget" calls, a technique often employed to access system properties and configuration details.

Following this information-gathering phase, the malware incorporates a critical anti-analysis and anti-evasion mechanism. It performs a rigorous check to ascertain the presence of a virtualized environment. This check is designed to detect popular virtualization platforms such as VMware or VirtualBox. The rationale behind this check is rooted in the common practice of security researchers and analysts utilizing virtual machines to safely observe and analyze malware behavior without risking their primary systems. Should the malware detect the tell-tale signs of a virtualized environment, it will immediately cease its execution.

Backdoor commands

The malware also has backdoor functionality with various commands that can be initiated through a C2 server as shown below, commands include actions such as shutting down or restarting the system, downloading files, opening URLs, initiating DDoS attacks, and more. This sophisticated malware offers extensive backdoor capabilities, allowing attackers to execute various remote commands from its C2 server. These functions include initiating system shutdowns/restarts, downloading arbitrary files for additional payloads or data exfiltration, opening URLs to redirect to malicious websites, and launching DDoS attacks, transforming compromised machines into botnet nodes.

Figure 18: Backdoor commands
Figure 18: Backdoor commands

Conclusion

XWorm previously relied on predictable deployment methods; however, it has since shifted to more deceptive tactics. While the initial stage still involves a .lnk(shortcut file), subsequent deliveries have drastically changed. XWorm now directly drops executable files, bypassing the .bat(batch scripts), .vbs(vb scripts), or .hta(HTML application) stages. These executables are further disguised with legitimate file names and icons, significantly increasing the effectiveness of delivery.

This rapid evolution of XWorm within the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats.

Trellix actively combats XWorm and evolving threats through a multi-layered security portfolio. Trellix’s Endpoint Security products (ENS and HX) provide specific detections against XWorm variants, Trellix's Network Security, VX, Cloud MVX, Malware Analysis, Email Security, Detection As A Service, and NX products offer broader protection, detecting various loaders, Trojans, and specifically "Backdoor.XWorm." Trellix EDR adds a crucial layer by detecting suspicious process execution, persistence mechanisms (like startup/logon files and scheduled tasks), and obfuscated command execution, demonstrating a comprehensive approach to detect and mitigate the sophisticated techniques and tactics used by XWorm and its related evolving threats.


Mitre Tactics And Techniques


Tactics

  1. Initial access
  2. Execution
  3. Persistence
  4. Command and control
  5. Defense evasion


Techniques

  1. Indicator removal: File deletion
  2. Scheduled task/job: Scheduled task
  3. User Execution: Malicious File
  4. Command and Scripting Interpreter: Powershell
  5. Obfuscated Files or Information
  6. Impair Defenses: Disable or Modify Tools

Trellix product coverage


Endpoint security(ENS) Trojan-JACI!C2F66498298C
Trojan-JAFX!4E98E45377FB
Trojan-JAGB!CB3241FF094B
Trojan-JAFY!7C1129AF104A
Trojan-FVYT!72EB8C4FFD6D
Endpoint security(HX) Generic.mg.cb3241ff094bb129
Generic.mg.4e98e45377fbf139
Generic.mg.72eb8c4ffd6d5f72
Heur.BZC.YAX.Boxter.836.842D8D8F
Heur.BZC.PZQ.Boxter.836.E7349B95
Trellix Network Security
Trellix VX
Trellix Cloud MVX
Trellix Malware Analysis
Trellix Email Security
Trellix Detection As A Service
Trellix NX
FE_Loader_MSIL_Generic_184
FE_Trojan_MSIL_Generic_189
FEC_Trojan_LNK_Generic_14
Trojan.IPCheck.DCRat
Backdoor.XWorm
Trellix EDR Suspicious Process Execution (File Creation + Autorun entry + Launches interpreter) [T1059 T1547.001]
Suspicious process established persistence via Startup/Logon file [T1547.001, T1547.009, T1037.001, T1204.002]
Executed Obfuscated PowerShell Base64String command [T1059.001 T1027 T1140]
File copied to Windows Startup folder [T1547.001 T1547.009]
Created Scheduled Task via Schtasks.exe [T1053.005]

Indicators of compromise


MD5 Filenames
c2f66498298c1af28da64eb5392a4a6e .lnk file
4e98e45377fbf1390676ca36dbef0b85 Discord.exe
cb3241ff094bb1292dc7841148a7431e main.exe
7c1129af104acf9cc4c0793077e9c5df main.dll
72eb8c4ffd6d5f721ed3ee121264b53f System32.exe

C2 server and Trellix coverage


C2 server IP Trellix coverage
85[.]203[.]4[.]232 High risk -Malicous sites -Malicous downloads

Get the latest

Stay up to date with the latest cybersecurity trends, best practices, security vulnerabilities, and so much more.
Please enter a valid email address.

Zero spam. Unsubscribe at any time.