Efficient Distribution of Xworm Malware via URL File Detected by AhnLab EDR

Phishing emails impersonating PayPal deliver Xworm through a .url (Internet Shortcut) attachment whose target is an executable on a network shared folder. AhnLab’s EDR traces the infiltration path and shows how Xworm is distributed, executes, and communicates with its C2 servers, highlighting the malware’s behaviors and the resulting defense insights.

Keypoints

  • Phishing emails disguise malware as legitimate attachments, enhancing lure effectiveness.
  • A PayPal impersonation phishing email tricked recipients into executing malware.
  • The malware is delivered via a URL file that accesses a network shared folder to download additional files.
  • Xworm copies itself to disk (self-replication) and injects its payload into RegAsm.exe via process hollowing, so the malicious code runs under the name of a legitimate .NET utility.
  • The malware registers itself for automatic execution on startup (persistence).
  • Xworm communicates with its C2 servers and performs various malicious functions according to the commands it receives.
  • AhnLab’s EDR aids in detecting, tracing, and analyzing malware distribution and behavior to understand infiltration paths.
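The delivery step in the key points (a URL file whose target sits on a network shared folder) is easy to triage at the mail gateway or on the endpoint, because .url files are plain INI text with a single URL= line that matters. The following is an added example, not code from AhnLab or from the write-up: the shortcut contents, the 203.0.113.10 share host and all function and constant names are constructed for illustration. It also handles the `\\host@80\share` WebDAV notation, which goes beyond what the write-up describes.

```python
"""Triage Internet Shortcut (.url) files for network-share payload delivery.

Added example for this write-up, not AhnLab's code. The shortcut text below is
constructed (RFC 5737 test addresses), not taken from the real sample; it models
the delivery step described above: a .url whose URL= target sits on a remote
shared folder and points at an executable.
"""
import configparser
import os
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote, urlparse

# File types a shortcut rarely needs to reference; a remote one is a red flag.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".msi", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".ps1", ".lnk"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


@dataclass
class Verdict:
    target: str
    kind: str                 # "unc" (network share), "web", "local", "other", "none"
    host: Optional[str]
    extension: str
    suspicious: bool
    reasons: list = field(default_factory=list)


def read_url_target(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, if any.
    .url files are INI-formatted, so configparser is sufficient."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip()
    return None


def _share_host(netloc: str) -> str:
    """Normalise a UNC/WebDAV host: strip '@80', '@SSL@443' and ':port' suffixes."""
    return netloc.split("@")[0].split(":")[0].lower()


def classify_target(target: Optional[str]) -> Verdict:
    """Decide whether a shortcut target reaches out to a network share."""
    if not target:
        return Verdict("", "none", None, "", False, ["no URL= value"])
    host, kind = None, "local"
    if target.startswith("\\\\"):                        # \\host\share\file
        m = re.match(r"^\\\\([^\\]+)", target)
        kind, host = "unc", (_share_host(m.group(1)) if m else None)
    else:
        p = urlparse(target)
        scheme = p.scheme.lower()
        if scheme == "file":
            if p.netloc:                                  # file://host/share/file
                kind, host = "unc", _share_host(p.netloc)
            elif p.path.startswith("//"):                 # file:////host/share/file
                kind, host = "unc", _share_host(p.path.strip("/").split("/")[0])
        elif scheme in ("http", "https"):
            kind, host = "web", (p.hostname or "").lower()
        elif len(scheme) > 1:                             # single letter = drive path
            kind = "other"
    tail = re.split(r"[\\/]", unquote(target.split("?")[0]))[-1]
    ext = os.path.splitext(tail)[1].lower()
    reasons = []
    remote_share = kind == "unc" and host not in LOCAL_HOSTS
    if remote_share:
        reasons.append(f"target lives on a remote share ({host})")
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"target is an executable type ({ext})")
    # A shortcut that fetches anything from a remote share is worth a look;
    # a web link only when it points straight at an executable.
    suspicious = remote_share or (kind == "web" and ext in EXECUTABLE_EXTS)
    return Verdict(target, kind, host, ext, suspicious, reasons)


def triage_url_file(text: str) -> Verdict:
    return classify_target(read_url_target(text))


# Constructed samples (not the real attachment).
LURE_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/PayPal_Invoice.exe
IconIndex=0
IconFile=C:\\Windows\\System32\\SHELL32.dll
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/account
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE_URL_FILE), ("benign", BENIGN_URL_FILE)):
        v = triage_url_file(sample)
        print(f"{name}: suspicious={v.suspicious} kind={v.kind} host={v.host} "
              f"{'; '.join(v.reasons)}")
```

Run it over .url attachments extracted from mail or found under Downloads; any verdict with kind "unc" and a non-local host is the pattern described here, regardless of whether the target is written as a UNC path or a file:// URL.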

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – the PayPal-themed email carries the URL file as its attachment.
  • [T1204.002] User Execution: Malicious File – the recipient has to open the URL file for the chain to start.
  • [T1105] Ingress Tool Transfer – the URL file accesses a network shared folder to download the executable. (T1135, Network Share Discovery, covers enumerating shares; retrieving a payload from one is ingress tool transfer.)
  • [T1055.012] Process Injection: Process Hollowing – the malware hollows RegAsm.exe and runs its payload inside it. (T1093 was retired by MITRE and merged into T1055.012.)
  • [T1071] Application Layer Protocol – Xworm communicates with its C2 servers to receive and execute commands.
  • [T1547] Boot or Logon Autostart Execution – Xworm registers itself for automatic execution upon system startup.
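The post-execution behaviours in the list (RegAsm.exe used as a hollowing host, RegAsm.exe talking to a C2 server, an autostart registration) leave telemetry that can be hunted without EDR memory inspection. The following is an added example, not AhnLab EDR logic: the events are constructed Sysmon-style records (EventID 1 process create, 3 network connect, 13 registry value set) trimmed to the fields the checks need, with made-up paths, PIDs, SID and value name. Only the destination IP comes from the IOC list on this page. Confirming the hollowing itself (comparing the mapped image against the on-disk RegAsm.exe) needs memory access and is not shown here.

```python
"""Telemetry-level hunt for RegAsm.exe hollowing, C2 traffic and Run-key persistence.

Added example, not AhnLab EDR logic. Events are constructed Sysmon-style records;
paths, PIDs, the SID and the Run value name are invented. The destination IP is
the [IP] indicator listed in this write-up.
"""
import ipaddress
import re

IOC_IPS = {"62.173.141.99"}  # [IP] indicator listed in this write-up

# Locations a standard user can write to; a hollowing host or autorun entry
# rooted here is far more suspicious than one under Program Files / Windows.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Temp|ProgramData|Users\\Public)\\",
    re.IGNORECASE)
RUN_KEYS = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
                      re.IGNORECASE)


def is_public_ip(ip: str) -> bool:
    """True for a routable Internet address (not RFC1918, loopback, link-local, ...)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_xworm_behaviour(events):
    """Return (rule, pid, evidence) tuples for events matching the hunt rules."""
    alerts = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        image = _basename(ev.get("Image", ""))
        if eid == 1 and image == "regasm.exe":
            # RegAsm.exe is a .NET SDK tool; a parent in %TEMP%/AppData is not a build.
            parent = ev.get("ParentImage", "")
            if USER_WRITABLE.search(parent):
                alerts.append(("regasm_spawned_from_user_path", pid, parent))
        elif eid == 3 and image == "regasm.exe":
            # The assembly registration tool has no reason to reach the Internet.
            dst = ev.get("DestinationIp", "")
            if dst in IOC_IPS:
                alerts.append(("regasm_connects_to_ioc", pid, dst))
            elif is_public_ip(dst):
                alerts.append(("regasm_connects_to_public_ip", pid, dst))
        elif eid == 13 and RUN_KEYS.search(ev.get("TargetObject", "")):
            # Autostart entry whose command lives in a user-writable location.
            details = ev.get("Details", "")
            if USER_WRITABLE.search(details):
                alerts.append(("run_key_points_to_user_path", pid, details))
    return alerts


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample telemetry: one infection chain (pid 4321) plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4321, "Image": REGASM,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\PayPal_Invoice.exe"},
    {"EventID": 3, "ProcessId": 4321, "Image": REGASM,
     "DestinationIp": "62.173.141.99"},
    {"EventID": 13, "ProcessId": 4321, "Image": REGASM,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\victim\AppData\Roaming\Updater.exe"},
    {"EventID": 1, "ProcessId": 5555, "Image": REGASM,   # benign: RegAsm run by a build
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"},
    {"EventID": 3, "ProcessId": 6666,                    # benign: browser traffic
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.5"},
]

if __name__ == "__main__":
    for rule, pid, evidence in detect_xworm_behaviour(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid} {evidence}")
```

The three rules fire on the same PID in the sample, which is the correlation an analyst would look for: a legitimate binary started from a user-writable path, then making outbound connections, then writing an autostart entry. The IOC match is kept separate from the generic public-IP rule so the latter still fires after the infrastructure changes.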

Indicators of Compromise

  • [MD5] 36121a06f7d94bd1c18f5ff4618d5f29, bfe4e6c774018b6e85d33fd381427d2f
  • [URL] http[:]//continentalgames[.]top/, https[:]//newsferinfo[.]com/
  • [IP] 62[.]173[.]141[.]99

Read more: https://asec.ahnlab.com/en/82016/