XWorm RAT Deploys New Stagers and Loaders to Bypass Defenses

The XWorm Remote Access Trojan (RAT), a persistent player in the cybercriminal landscape, has recently undergone a notable transformation in its attack strategies. This evolution is marked by the incorporation of advanced stagers and loaders, enabling it to evade detection while effectively infiltrating targeted systems.

Renowned for its extensive malicious capabilities—ranging from keylogging and remote desktop access to data exfiltration and command execution—XWorm has emerged as a versatile instrument in the toolkit of threat actors, particularly those focusing on sectors such as the software supply chain and gaming industry.

Evolving Tactics in Cybercriminal Toolkits

The developers behind XWorm are committed to continuous updates, enhancing the malware’s adaptability and presenting an ongoing challenge for cybersecurity defenses.

In a recent campaign, attackers have strategically paired XWorm with AsyncRAT as initial-stage malware, establishing footholds within victim environments before deploying ransomware payloads crafted using the leaked LockBit Black builder. This tactic reveals striking similarities with the notorious LockBit ransomware group.

What sets XWorm apart from traditional malware is its dynamic approach to payload delivery. The latest iterations utilize a variety of file formats and scripting languages—including PowerShell, VBS, .NET executables, JavaScript, batch scripts, and even Office macros—to deliver malicious content. This diverse range is often disseminated through phishing campaigns, utilizing email attachments or embedded lure documents, with file types such as ZIP archives and .hta or .lnk files designed to circumvent endpoint security and sandboxing measures.

Figure: Interesting XWorm phishing file name

Dynamic Delivery Mechanisms

Analysis conducted by the Splunk Threat Research Team (STRT) on over 1,000 samples from Malware Bazaar has identified common phishing lures that mimic urgent business communications, such as invoices and shipping notifications, to deceive users into executing malicious files.

Beyond gaining initial access, XWorm employs sophisticated obfuscation techniques in its stagers and loaders. It utilizes Base64 encoding and AES encryption to mask its functionality while manipulating Windows security features like AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) to suppress detection and logging.

Figure: XWorm stager decrypting its payloads

These tactics, coupled with persistence mechanisms such as registry run keys, scheduled tasks, and shortcuts in startup folders, ensure sustained access and potential privilege escalation within compromised systems.

XWorm’s payload further exemplifies its sophistication by conducting detailed system reconnaissance, querying Windows Management Instrumentation (WMI) for antivirus software, GPU details, and video capture drivers. It also attempts to disable Microsoft Defender through exclusion settings.

The malware’s ability to propagate via removable media and execute backdoor commands from command-and-control (C2) servers, along with employing process injection and DLL side-loading techniques, significantly amplifies its threat profile.

In response to this evolving threat, STRT has developed a suite of Splunk detections aimed at identifying suspicious activities, including PowerShell execution policy bypasses, renamed PowerShell instances, and unusual command-line tool executions. These tools are vital for security teams striving to detect and mitigate XWorm infections.
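As an added illustration of two of the detections named above (not Splunk's or STRT's own code), the following Python scans constructed Sysmon-style process-creation records for a PowerShell execution policy bypass and for a PowerShell binary running under another file name. The field names follow Sysmon Event ID 1; the event values are made up, and the OriginalFileName value for pwsh.exe is assumed.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 (process creation) records; values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\Public\a.ps1"},
    {"Image": r"C:\Users\Public\svchost.exe",  # a renamed copy of powershell.exe
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"svchost.exe -nop -w hidden -File C:\Users\Public\run.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command Get-Date"},  # benign
]

# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -ex, -exec, ...),
# so match the abbreviations as well as the full switch name.
BYPASS_RE = re.compile(r"(?:^|\s)[-/](?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)

# PE OriginalFileName survives a rename on disk; "pwsh.dll" for pwsh.exe is assumed.
POWERSHELL_ORIGINALS = {"powershell.exe", "pwsh.dll"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def has_execution_policy_bypass(command_line: str) -> bool:
    """True when the command line lowers the execution policy to Bypass/Unrestricted."""
    return BYPASS_RE.search(command_line) is not None


def is_renamed_powershell(image: str, original_file_name: str) -> bool:
    """True when the PE identifies itself as PowerShell but runs under another name."""
    exe = PureWindowsPath(image).name.lower()
    return original_file_name.lower() in POWERSHELL_ORIGINALS and exe not in POWERSHELL_IMAGES


def find_suspicious(events):
    """Return (event index, reason) pairs for every record that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if has_execution_policy_bypass(ev["CommandLine"]):
            hits.append((i, "execution policy bypass"))
        if is_renamed_powershell(ev["Image"], ev["OriginalFileName"]):
            hits.append((i, "renamed powershell"))
    return hits


if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {why}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```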

Indicators of Compromise (IOC)

SHA256                                                            Description
78b15b9b54925120b713a52a09c66674463bd689e3b01395801ef58c77651127  Batch loader
0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f  PowerShell script
28859e4387fefb9d1f36fdf711d1b058df5effe21d726cfe6a9a285f96db1c98  Batch script
327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf  VBScript
354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9  HTA file
4a885cec3833f3872e1e38f9149936fe6bcda2181e0df163556497d42383cffa  Cmd script
665e41e416954d5ff623a37c7bce17d409c11e003c29ae9ddeb25fc736e533c7  VBScript
8044220d34e77501df4a9831ac27802261ea2309f104bb49ac00301df36dee72  JavaScript
9db47f709898b79c9ac07e6352de9be05d6b2b91902c146272e47c17c6b8d5b2  PowerShell script
