Summary:
XWorm is a sophisticated malware known for its modular design and evasion techniques. It utilizes encryption for communication with its Command and Control server, collects system information, and can manipulate DNS settings. The malware’s ability to update itself and remove traces enhances its stealth, making it a significant threat.
#XWorm #MalwareAnalysis #ThreatDetection
Key points:
- XWorm employs obfuscation techniques to avoid detection.
- It establishes a connection with a Command and Control server using encrypted communication.
- The malware collects and sends valuable system information to the attacker.
- XWorm can manipulate the victim’s hosts file for DNS attacks.
- It has self-update capabilities and can erase its traces from the infected system.
- The modular design allows for the addition or removal of functionalities.
- XWorm uses AES encryption for data transmission, enhancing its stealth.
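The hosts-file tampering named in the key points is one of the easier XWorm behaviours for a defender to check for, because every change lands in a single plain-text file. The script below is an added example written for this summary, not code from the Seqrite write-up or from the malware: it parses hosts-file content, skips the expected localhost entries, and flags any name that is redirected to an arbitrary address or sinkholed, with the severity raised when the name matches a watch list (for instance security-vendor or update domains). The sample hosts content and the watch-list suffixes are constructed for the example.

```python
import ipaddress
import sys

# Constructed sample of a hosts file after tampering (not from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below added by malware (constructed example)
203.0.113.10    update.example-security-vendor.test
0.0.0.0         telemetry.example.test
"""

# Constructed watch list: domains whose redirection or blocking is high-risk.
WATCHED_SUFFIXES = ["example-security-vendor.test"]

DEFAULT_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line_no, ip_address, hostname) tuples for every mapping in text.

    Comments and malformed lines are ignored; one line may map several names.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # not "<ip> <name...>", skip it
        for name in parts[1:]:
            entries.append((line_no, addr, name.lower()))
    return entries


def audit_hosts(text, watched_suffixes):
    """Classify each non-default hosts entry as a redirect or a sinkhole.

    redirect: name points at a real address (classic hosts-based DNS hijack).
    sinkhole: name points at loopback/unspecified (the host is blocked).
    Watched names get severity "high"; other redirects "medium"; other
    sinkholes "low" (ad-block lists legitimately use 0.0.0.0 entries).
    """
    findings = []
    for line_no, addr, name in parse_hosts(text):
        local = addr.is_loopback or addr.is_unspecified
        if name in DEFAULT_NAMES and local:
            continue                            # stock localhost lines
        kind = "sinkhole" if local else "redirect"
        watched = any(name == s or name.endswith("." + s) for s in watched_suffixes)
        if watched:
            severity = "high"
        else:
            severity = "medium" if kind == "redirect" else "low"
        findings.append({
            "line": line_no,
            "name": name,
            "address": str(addr),
            "kind": kind,
            "severity": severity,
        })
    return findings


def hosts_path():
    """Platform default location of the hosts file."""
    if sys.platform.startswith("win"):
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    # Audit the live hosts file if readable, else fall back to the sample.
    try:
        with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content, WATCHED_SUFFIXES):
        print(f"line {f['line']}: {f['severity']:6} {f['kind']:8} "
              f"{f['name']} -> {f['address']}")
```

On the constructed sample the audit reports the vendor redirect as high and the telemetry sinkhole as low; on a real host, a baseline run shortly after provisioning and a diff of the findings over time is more useful than the raw list, since ad-block and development setups add legitimate entries.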
MITRE Techniques:
- Obfuscated Files or Information (T1027): Utilizes obfuscation techniques to avoid detection.
- Command and Scripting Interpreter: Visual Basic (T1059.005): Executes commands through Visual Basic scripting.
- Screen Capture (T1113): Captures screenshots of the victim’s desktop.
- System information collection (T1592): Gathers comprehensive system information from the victim’s machine.
- Keylogging (T1056): Captures keystrokes to gather sensitive information.
- Process Injection: Portable Executable Injection (T1055.002): Injects malicious code into running processes.
- Malicious code injection into systems (T1659): Modifies system files to include malicious code.
- Application Layer Protocol: Web Protocols (T1071.001): Uses web protocols for command and control communication.
IoC:
- [file hash] 3EEACBE10835A79077EF83C93DCF636B
- [file hash] 0B796B2F6383FE2916F678E78666F713
- [tool name] Trojan.Xworm.S34251703
- [tool name] Trojan.GenericFC.S29960909
Full Research: https://www.seqrite.com/blog/evolving-threats-the-adaptive-design-of-xworm-malware/