Malware stories: Deworming the XWorm

XWorm is a modular .NET RAT analyzed in-depth, detailing a multi-stage unpacking and deobfuscation process that culminates in a runnable payload. The write-up walks through the analysis from initial malspam delivery to the final unpacked sample, including config decryption and C2 capabilities. Hashtags: #XWorm #MWDB

Keypoints

  • XWorm is a multi-purpose modular remote access Trojan commonly used as a RAT, analyzed with a detailed reverse-engineering walkthrough.
  • The sample PO_Order_Listed_PDF_1.lzh was distributed via malspam and contained PO_Order_Listed_PDF.exe, identified as XWorm by Yara rules.
  • The analysis reveals a four-stage unpacking chain, including an outer .NET loader, a bitmap loader, obfuscated final packer, and a readable final payload.
  • The final stage exposes a static Settings class with unencrypted configuration (Host, Port, KEY, SPL, Sleep, USBNM, Mutex, LoggerPath) that is encrypted at runtime and decrypted by a custom routine.
  • C2 communication supports a broad command set (e.g., rec, uninstall, update, StartDDos, plugin, savePlugin, OfflineGet, $Cap) and the protocol is designed to be stateless.
  • Researchers automated config extraction using dnLib/malduck, extracting encrypted settings and decrypting them to reveal the host/port/keys used by the sample.

MITRE Techniques

  • [T1566.001] Phishing – The sample was distributed via malspam. “It was distributed with malspam”
  • [T1059.005] Visual Basic – The project was written in VisualBasic (an educated guess, judging by MyComputer, MyApplication, etc. classes). “The project was written in VisualBasic (an educated guess, judging by MyComputer, MyApplication, etc. classes)”
  • [T1027] Obfuscated/Compressed Files and Information – The real payload is probably packed; the code is hidden in a large amount of legitimate code. “Not a lot of useful code otherwise, so the real payload is probably packed.”
  • [T1059.005] Visual Basic – Stage 3 obfuscation and deobfuscation steps (de4dot cleanup) via VB/.NET tooling; “the entrypoint is Class10.Main (after deobfuscation)”
  • [T1105] Ingress Tool Transfer – The malware downloads a new sample/updates via commands like “update [url] – Download a new sample and replace the current binary”
  • [T1091] Replication Through Removable Media – USB spreader code implemented in a USB class; “USB spreader code (!), implemented in a class called USB”
  • [T1056.001] Input Capture – Keylogger capabilities are present in the XLogger class; “Keylogger capabilities implemented in the XLogger class”
  • [T1071.001] Web Protocols – C2 communications implemented via ClientSocket/Messages with a diverse command set; “The communication is implemented by the classes ClientSocket and Messages”
  • [T1071.001] Web Protocols – The protocol is stateless and allows plugins/commands to be requested or executed without explicit c2 acknowledgement; “the protocol is stateless”
  • [T1027] Obfuscated/Compressed Files and Information – Final unpacked binary shows a decryption routine encrypting config data; “Data is encrypted with AES ECB using the MD5 hash of the ‘Mutex’ field as the key.”
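The config-decryption keypoint above (AES ECB keyed with the MD5 hash of the Mutex field) is the step a config extractor has to reproduce once the encrypted Settings strings have been pulled out of the unpacked binary. The following Go program is an added example written for this summary; it is not code from the CERT.pl write-up or from the malware. It assumes that the 16-byte MD5 digest is used directly as an AES-128 key and that the plaintext carries PKCS#7 padding; the real sample's key handling is described only in the linked post, so treat both as assumptions. The mutex and host values are constructed test data, not indicators from any sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"errors"
	"fmt"
)

// deriveKey derives the AES key from the Mutex field as md5(mutex).
// Assumption: the raw 16-byte digest is the AES-128 key.
func deriveKey(mutex string) []byte {
	sum := md5.Sum([]byte(mutex))
	return sum[:]
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed trailers,
// which is the usual symptom of decrypting with the wrong mutex.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding length")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return data[:len(data)-n], nil
}

// pkcs7Pad is only needed to construct sample ciphertext for this example.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// DecryptSetting decrypts one AES-ECB/PKCS#7 ciphertext with md5(mutex) as key.
// ECB has no IV and no chaining, so each 16-byte block is decrypted on its own.
func DecryptSetting(ciphertext []byte, mutex string) (string, error) {
	block, err := aes.NewCipher(deriveKey(mutex))
	if err != nil {
		return "", err
	}
	bs := block.BlockSize()
	if len(ciphertext) == 0 || len(ciphertext)%bs != 0 {
		return "", errors.New("ciphertext length is not a multiple of the block size")
	}
	plain := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(plain[i:i+bs], ciphertext[i:i+bs])
	}
	unpadded, err := pkcs7Unpad(plain, bs)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

// EncryptSetting is the inverse operation, used here to build test data
// so the example runs offline without any real sample.
func EncryptSetting(plaintext, mutex string) ([]byte, error) {
	block, err := aes.NewCipher(deriveKey(mutex))
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad([]byte(plaintext), bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

func main() {
	mutex := "ExampleMutex123" // constructed value, not from a real sample
	ct, _ := EncryptSetting("example-c2.invalid:3130", mutex)
	host, err := DecryptSetting(ct, mutex)
	fmt.Printf("decrypted Host: %q (err=%v)\n", host, err)

	// A wrong mutex yields garbage; the padding check usually catches it.
	_, err = DecryptSetting(ct, "WrongMutex")
	fmt.Println("wrong mutex:", err)
}
```

In practice the encrypted Settings strings come out of the unpacked stage via dnlib or malduck, as the write-up describes; the decryptor above is then applied per field (Host, Port, KEY, SPL, ...) with the Mutex value read from the same Settings class.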

Indicators of Compromise

  • [File] Recent samples – 7a61fcf00b368d4e5efe55c3d5b09b417422f081b4154a5b264a211c30959ed2, f995d58bbe6383947308e35ffc36eba0fe3e357c2d4d9612dbf4bb2fa0f992b4, and 2 more hashes
  • [File] PO_Order_Listed_PDF_1.lzh – sample archive containing PO_Order_Listed_PDF.exe (sha256: 21432bcec2d1df855e85a64b3bfbcae8f5031ce449f2c4652076db7bdea375a2)
  • [Domain/IP] C2 domains/addresses – septiembre2022.duckdns.org:3130, miles-c.at.ply.gg:49826, eu-central-7075.packetriot.net:22123
  • [IP] C2 IPs – 191.101.130.18:8252, 20.197.231.178:7000

Read more: https://cert.pl/en/posts/2023/10/deworming-the-xworm/