CYFIRMA analyzes XSSLite, an infostealer released as part of the XSSWare malware development competition on a Russian forum, and its spread to other communities. The report highlights capabilities, defense-evasion techniques, and how underground competitions are accelerating malware creation and distribution. #XSSLite #XSSWare #CYFIRMA #Metamask #SeedPhrase
Key points
- XSSLite is built in C# with a Python Flask web panel and may be rewritten in C++; it emerged from the XSSWare competition with 20+ developers posting malware.
- It abuses Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
- It uses DLL side-loading: payloads are planted next to a legitimate application, which is then invoked so that it loads and executes them.
- It queries device information, uses a write-watch in memory, and incorporates long sleeps to evade sandbox analysis.
- It reads the hosts file to identify remotely accessible endpoints and fingerprints victims by checking their public IP via ipinfo.
- It timestomps and obfuscates to evade defenses, dumps browser credentials, and captures keystrokes; stealer logs are sent to a private C2 that is configured through the web panel before the build is compiled.
- A seed phrase checker and a Meta wallet brute-force tool were also released, supporting multiple coins (BTC, LTC, DASH, DOGECOIN) and raising the risk of wallet hijacking.
- Underground malware-development competitions are driving a broader risk landscape, with recommendations spanning strategic, management, and tactical responses.
MITRE Techniques
- [T1047] Windows Management Instrumentation – Used to execute malicious commands and payloads. ‘abuses Windows Management Instrumentation (WMI) to execute malicious commands and payloads.’
- [T1574.002] Hijack Execution Flow – DLL Side-Loading – ‘directly side-loading its payloads by planting then invoking a legitimate application that executes their payload(s).’
- [T1082] System Information Discovery – ‘queries sensitive device information.’
- [T1016] System Network Configuration Discovery – ‘fingerprints the victim by checking the public IP of the victim using ipinfo.’
- [T1555.003] Credentials in Web Browsers – ‘dumps credentials from browsers.’
- [T1056.001] Keylogging – ‘captures keystrokes.’
- [T1070.006] Timestomp – ‘timestomp and obfuscation techniques for defense evasion.’
- [T1027] Obfuscated/Compressed Files and Information – ‘obfuscation techniques for defense evasion.’
- [T1041] Exfiltration Over C2 Channel – ‘send stealer logs to a private C2 before compilation.’
- [T1497] Virtualization/Sandbox Evasion – ‘Sandbox evasion by looking for VMware and Hyper-V related infrastructure.’
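The two techniques above that leave the clearest host telemetry are WMI-driven execution (T1047) and DLL side-loading (T1574.002). The following detection pass is an added example, not code from the CYFIRMA report or from XSSLite: it reads Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records and flags a process spawned by WmiPrvSE.exe, and an unsigned DLL carrying a well-known system DLL name that is loaded from the executable's own user-writable directory. The event records, the list of commonly impersonated DLL names, and the user-writable path prefixes are constructed assumptions for the example; field names follow Sysmon's schema.

```python
"""Added detection example for T1047 (WMI-spawned process) and T1574.002
(DLL side-loading) over constructed Sysmon-style JSON-lines telemetry."""
import json
from pathlib import PureWindowsPath

# Constructed records (not real telemetry), one JSON object per line, using
# Sysmon Event ID 1 (process create) and Event ID 7 (image load) field names.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
"""

# Real System32 DLL names that side-loaded payloads often impersonate; this is
# an illustrative subset chosen for the example, not a list from the report.
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "uxtheme.dll",
                         "cryptbase.dll", "wtsapi32.dll"}

# Directory prefixes an unprivileged user can normally write to (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def rule_wmi_spawn(ev: dict):
    """T1047: a new process whose parent is the WMI provider host."""
    if ev.get("EventID") != 1:
        return None
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    if parent == "wmiprvse.exe":
        return ("T1047", f"{ev.get('Image')} spawned by WmiPrvSE.exe")
    return None


def rule_sideload(ev: dict):
    """T1574.002: unsigned DLL with a well-known system DLL name, loaded from
    the executable's own user-writable directory instead of System32."""
    if ev.get("EventID") != 7:
        return None
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    exe = PureWindowsPath(ev.get("Image", ""))
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    same_dir = dll.parent == exe.parent  # PureWindowsPath compares case-insensitively
    if (unsigned and same_dir and dll.name.lower() in COMMON_SIDELOAD_NAMES
            and is_user_writable(str(dll))):
        return ("T1574.002", f"{exe.name} loaded unsigned {dll.name} from {dll.parent}")
    return None


RULES = (rule_wmi_spawn, rule_sideload)


def analyse(raw: str) -> list:
    """Parse JSON-lines telemetry; return (technique, reason, event) findings."""
    findings = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((hit[0], hit[1], ev))
    return findings


if __name__ == "__main__":
    for technique, reason, _ in analyse(SAMPLE_EVENTS):
        print(f"[{technique}] {reason}")
```

Run as-is it reports two findings from the constructed sample; point `analyse` at your own exported JSON-lines Sysmon events to reuse the rules. Both rules are deliberately narrow (exact parent name, exact DLL-name set) to keep false positives low; widen the name set to match the applications in your own estate.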
Indicators of Compromise
- [MD5] Sample file hash – c6a7145f6756ab116b5811bce9d8af81
- [SHA1] Sample file hash – 6d43f8dae033320866f7c70198bfa85a37ae16aa
- [SHA256] Sample file hash – 15be0030e75fc12a27fa778f7fedaac338c1b26f9c238100fab649b1fa77dd34
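To check an estate against the hashes above, the following sweep is an added example (not a CYFIRMA tool): it walks a directory tree, hashes each file once while feeding MD5, SHA-1 and SHA-256 in the same pass, and reports any file whose digest matches the indicators. Only the three indicator values come from the report; the demo file content and the temporary directory are constructed for the example.

```python
"""Added IoC sweep: single-pass MD5/SHA-1/SHA-256 hashing of a directory tree,
matched against the sample hashes published in the report."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator values taken from the report (not constructed).
IOCS = {
    "md5": {"c6a7145f6756ab116b5811bce9d8af81"},
    "sha1": {"6d43f8dae033320866f7c70198bfa85a37ae16aa"},
    "sha256": {"15be0030e75fc12a27fa778f7fedaac338c1b26f9c238100fab649b1fa77dd34"},
}


def compute_digests(path, chunk_size=1 << 20) -> dict:
    """Read the file once and feed every hasher, so large trees are read only once."""
    hashers = {name: hashlib.new(name) for name in IOCS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: dict) -> list:
    """Return the algorithm names whose digest appears in the IoC set."""
    return [name for name, value in digests.items()
            if value.lower() in IOCS.get(name, set())]


def sweep(root) -> list:
    """Walk a tree and return (path, matched_algorithms) for every IoC hit.
    Unreadable files are skipped so one locked file does not abort the sweep."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                matched = match_digests(compute_digests(p))
            except OSError:
                continue
            if matched:
                hits.append((str(p), matched))
    return hits


def demo() -> list:
    """Sweep a throwaway tree holding constructed content; no hits are expected."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "harmless.txt").write_bytes(b"constructed test content, not the sample")
        return sweep(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(sweep(target) if target else demo())
```

Pass a directory as the first argument to sweep it; with no argument the script runs the constructed demo. Hash matching only catches the exact sample, so treat this as a triage step alongside the behavioural rules above rather than as the sole control.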
Read more: https://www.cyfirma.com/outofband/malware-development-competition-fuels-creation-of-20-malware/