Netskope Threat Labs Reveals XWorm’s Covert Tactics

XWorm is a versatile malware tool that enables attackers to access sensitive information, gain remote access, and deploy additional malware. Netskope Threat Labs documents its infection chain, stealth techniques, new features, and attacker notification via Telegram, illustrating how it operates and persists.
#XWorm #NullBulge #TA558

Keypoints

  • XWorm overview: A versatile malware tool discovered in 2022.
  • Infection chain: Initiated by a Windows Script File (WSF) that downloads and executes a PowerShell script.
  • Execution flow: Involves multiple scripts and scheduled tasks to execute XWorm stealthily.
  • Stealth techniques: Uses reflective code loading and DLL injection to avoid detection.
  • New features: Includes commands for removing plugins, modifying hosts files, and launching DDoS attacks.
  • Attacker notification & persistence: Telegram notification after infection and a scheduled task that runs every 15 minutes.
  • Data exfiltration: Collects and sends victim information to the attacker.

MITRE Techniques

  • [T1566.001] Phishing – ‘Uses phishing to deliver the initial WSF file.’
  • [T1059.001] PowerShell – ‘Executes scripts via PowerShell and VBScript.’
  • [T1059.005] VBScript (embedded in the same execution chain as PowerShell) – ‘Executes scripts via PowerShell and VBScript.’
  • [T1053.005] Scheduled Task – ‘Creates a scheduled task for persistence.’
  • [T1055] Process Injection – ‘Injects into a legitimate process to escalate privileges.’
  • [T1055] Process Injection – ‘The PowerShell script loads a malicious DLL through reflective code loading.’
  • [T1055] Process Injection – ‘The malicious DLL injects XWorm on a legitimate process.’
  • [T1071.001] Web Protocols (C2 via sockets) – ‘Establishes a connection to a C2 server via sockets.’
  • [T1041] Exfiltration – ‘Collects and sends victim information to the attacker.’
  • [T1499] Impact – ‘Launches DDoS attacks against targets.’

Indicators of Compromise

  • [Domain] ziadonfire[.]work[.]gd — C2 host/domain configured by XWorm
  • [Domain] paste.ee — Source hosting the PowerShell script
  • [IP Address] 89.116.164.56 — C2 host from XWorm configuration
  • [Port] 7000 — C2 communication port
  • [File name] USB.exe — value in the C2 config
  • [File name] RegSvcs.exe — legitimate process target for injection
  • [File name] VsLabs.vbs — part of the infection chain
  • [File name] VsEnhance.bat — part of the infection chain
  • [File name] VsLabsData.ps1 — PowerShell loader script
  • [File name] XClient3.exe — payload name defined in VsLabsData.ps1
  • [File name] NewPE2 — DLL loader defined in VsLabsData.ps1
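The keypoints and the indicator list above together describe a chain a defender can look for in endpoint telemetry: a WSF launched by wscript.exe spawning PowerShell, a scheduled task repeating every 15 minutes, the chain's script file names on command lines, a socket to the listed C2 host on port 7000, and a remote thread created in RegSvcs.exe. The following is an added detection example, not code from Netskope Threat Labs or from the linked article. It runs a small rule set over constructed sample events written in a flat key=value form (an assumed format, not Sysmon or EDR output); the rule names, the event field names and the sample lines are all assumptions, while the domain, IP, port and file names are the indicators listed above.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the page above (defanged brackets removed for matching).
C2_DOMAINS = {"ziadonfire.work.gd"}
C2_IPS = {"89.116.164.56"}
C2_PORTS = {7000}
CHAIN_FILES = {"vslabs.vbs", "vsenhance.bat", "vslabsdata.ps1", "xclient3.exe", "usb.exe"}
INJECTION_TARGET = "regsvcs.exe"

# Constructed sample telemetry (assumed key=value format, not real logs).
# Events 0-3 reproduce the described chain; events 4-5 are benign controls.
SAMPLE_EVENTS = [
    r'type=process_create parent="C:\Windows\System32\wscript.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -w hidden -File C:\Users\Public\VsLabsData.ps1"',
    r'type=process_create parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /sc minute /mo 15 /tn VsLabs /tr C:\Users\Public\VsLabs.vbs"',
    r'type=network_connect image="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" dest_ip=89.116.164.56 dest_host=ziadonfire.work.gd dest_port=7000',
    r'type=create_remote_thread source="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" target="C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'type=process_create parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'type=network_connect image="C:\Program Files\Mozilla Firefox\firefox.exe" dest_ip=93.184.216.34 dest_host=example.com dest_port=443',
]

# key=value tokens; a value is either a double-quoted string (may contain spaces) or a bare word.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict; keys and values are lowercased for matching."""
    return {k.lower(): (quoted or bare).lower() for k, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Return the file name component of a Windows or POSIX path."""
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def detect(events: List[str]) -> List[Tuple[int, str]]:
    """Apply the chain rules to each event; return (event index, rule name) pairs."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        kind = ev.get("type", "")
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")

        if kind == "process_create":
            # WSF stage: wscript.exe hands off to PowerShell.
            if parent == "wscript.exe" and image == "powershell.exe":
                findings.append((idx, "wsf_launches_powershell"))
            # Persistence: a task registered to repeat every 15 minutes.
            if image == "schtasks.exe" and "/sc minute" in cmd and "/mo 15" in cmd:
                findings.append((idx, "scheduled_task_every_15_minutes"))
            # Any of the named chain files on a command line.
            if any(name in cmd for name in CHAIN_FILES):
                findings.append((idx, "known_chain_filename"))

        elif kind == "network_connect":
            ip_or_host_hit = ev.get("dest_ip") in C2_IPS or ev.get("dest_host") in C2_DOMAINS
            # Port 7000 alone is noisy; only count it when the injection target is the one talking.
            port_hit = int(ev.get("dest_port", "0")) in C2_PORTS and image == INJECTION_TARGET
            if ip_or_host_hit or port_hit:
                findings.append((idx, "c2_indicator_match"))

        elif kind == "create_remote_thread":
            # Injection stage: a remote thread placed in RegSvcs.exe.
            if basename(ev.get("target", "")) == INJECTION_TARGET:
                findings.append((idx, "injection_into_regsvcs"))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own is a weak signal (PowerShell started from a script host, or a 15-minute task, both occur in legitimate administration); the value is in seeing several of them fire on the same host within a short window, which is why the function returns the event index alongside the rule name so results can be grouped. Replace the constructed parser with whatever field mapping your telemetry source provides.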

Read more: https://www.hendryadrian.com/netskope-threat-labs-reveals-xworms-covert-tactics/