ASEC identified XwormRAT malware being distributed via phishing emails that use steganography: a .NET loader and the final payload are concealed inside JPG image files. Infection begins with VBScript or JavaScript that launches a PowerShell script to decode and execute the hidden malware, which makes detection difficult. #XwormRAT #ASEC #steganography
Key points
- ASEC collects malware data from phishing emails using its email honeypot system and publishes regular trend reports.
- XwormRAT malware utilizes steganography by hiding a .NET loader inside JPG image files to evade detection.
- The initial infection starts with VBScript or JavaScript that carries an embedded PowerShell script, which downloads the final malware.
- The PowerShell script contains Base64-encoded data padded with dummy characters; the script strips them at run time before decoding the payload.
- The current variant extracts the bitmap pixel data (RGB values) from the JPG file to reconstruct and execute the .NET loader.
- The steganography method keeps evolving and has already been used to distribute other malware, so emails from unknown sources warrant caution.
- Multiple MD5 hashes and URLs associated with XwormRAT-related files have been identified and published by ASEC.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Attackers use VBScript and JavaScript to initiate the attack and launch the embedded PowerShell script. (‘starts with VBScript and JavaScript’)
- [T1059.001] PowerShell – The embedded PowerShell script decodes Base64 data after removing dummy characters and downloads additional malware. (‘the script uses the Replace() function to remove dummy characters before being decoded’)
- [T1027] Obfuscated Files or Information – The PowerShell script uses obfuscation with dummy characters and Base64 encoding to conceal the malicious payload. (‘Base64-encoded data and dummy characters’)
- [T1105] Ingress Tool Transfer – Additional malware is downloaded from an external server following PowerShell execution. (‘downloading and executing additional malware from an external server’)
- [T1204] User Execution – Users are tricked into opening phishing emails containing malicious scripts embedded in seemingly legitimate content. (‘phishing emails by using its own email honeypot system’)
- [T1027.002] Steganography – The .NET loader is concealed within JPG image files by encoding it in the bitmap pixel data (RGB values) to evade detection. (‘steganography technique applied to the JPG image file’)
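The dummy-character stripping described in the key points and under T1059.001 (a Base64 literal cleaned with Replace() before FromBase64String) is a pattern an analyst can both flag and reverse. The following is an added example written for this summary, not code from ASEC or from the malware; the sample script, the dummy character and the decoded placeholder text are all constructed here.

```python
import base64
import binascii
import re
from typing import List

# Constructed sample in the shape the report describes: a Base64 blob with
# a dummy character interleaved, removed by Replace('#','') before decoding.
# The decoded content is a harmless placeholder, not an actual stage.
PAYLOAD_B64 = base64.b64encode(b"Write-Host 'placeholder stage'").decode()
DUMMY = "#"
SAMPLE_SCRIPT = (
    "$d = '" + DUMMY.join(PAYLOAD_B64) + "'.Replace('" + DUMMY + "','');\n"
    "$b = [System.Convert]::FromBase64String($d);"
)

# Single-quoted literal immediately followed by .Replace('<dummy>','')
REPLACE_RE = re.compile(r"'([^']*)'\s*\.Replace\('([^']*)'\s*,\s*''\)",
                        re.IGNORECASE)
B64_CALL_RE = re.compile(r"FromBase64String", re.IGNORECASE)


def flags_replace_before_base64(script: str) -> bool:
    """Detection heuristic: a literal cleaned with Replace('x','') together
    with a FromBase64String call in the same script."""
    return bool(REPLACE_RE.search(script)) and bool(B64_CALL_RE.search(script))


def recover_base64_blobs(script: str) -> List[bytes]:
    """Analyst helper: apply each Replace('dummy','') to its literal and
    decode the cleaned Base64. Literals that are not valid Base64 are skipped."""
    results = []
    for literal, dummy in REPLACE_RE.findall(script):
        cleaned = literal.replace(dummy, "")
        try:
            results.append(base64.b64decode(cleaned, validate=True))
        except (ValueError, binascii.Error):
            continue
    return results


if __name__ == "__main__":
    print("suspicious:", flags_replace_before_base64(SAMPLE_SCRIPT))
    for blob in recover_base64_blobs(SAMPLE_SCRIPT):
        print("decoded:", blob)
```

The recovered bytes are what the loader would hand to the next stage, so in a real case they are the artefact to hash and analyse rather than execute.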
Indicators of Compromise
- [File Hashes] XwormRAT malware samples – 0e5ff18f30be0fcb3f3d9be61e7b1eb9, 19399e8df23b0b98e1fe830e72888f34, and 3 more hashes
- [URLs] Malicious download locations – http[:]//paste[.]ee/d/YBaUs0Re/0, https[:]//archive[.]org/download/wp4096799-lost-in-space-wallpapers_20250610/wp4096799-lost-in-space-wallpapers[.]jpg
Read more: https://asec.ahnlab.com/en/88885/