A Reverse Engineer’s journey with PowerShell and XWorm – Emanuele De Lucia

An in-depth look at XWorm 5.6, a VBScript-based dropper delivered through malspam against an Italian organization. It explains persistence via the Startup folder, base64-encoded payloads loaded through AppDomain, AES decryption for configuration, and observed C2 and keylogging capabilities. #XWorm #PowerShell #VBScript #DuckDNS #Darknet

Keypoints

  • The malspam campaign delivered a very large VBScript file (≈409 MB) with a verified sha256 hash ADF773B49D8306E08B5232039E0DEA143E2C015CDC731F1BE86D7DD92FCCA6A9.
  • The VBScript performs persistence by writing a payload to the Startup folder (startPath = obj.SpecialFolders("Startup") & "Payload.vbs").
  • Encoded payload data is stored in multiple base64-like strings and later reconstructed and executed via AppDomain.Load("…").
  • The extracted payload is a .NET XWorm variant (v5.6) with a TimeDateStamp of 665E10CF; it decrypts its configuration with an AES-based routine (AlgorithmAES) that uses an MD5-derived key in ECB mode.
  • Keylogging is implemented (XLogger) using a Windows hook to capture keystrokes and active window titles for contextual logging.
  • XWorm’s architecture includes reconnaissance, C2 beacons, memory/disk plugins, and multiple commands (e.g., TD, Cam, RunDisk, Memory) with a modular, multi-stage approach aimed at evasion and persistence.

MITRE Techniques

  • [T1547.001] Boot or Logon Autostart – Startup Folder – The VBScript writes Payload.vbs into the Startup folder to run on user login, as seen in startPath = obj.SpecialFolders("Startup") & "Payload.vbs".
  • [T1059.001] PowerShell – Command and Scripting Interpreter – The payload uses PowerShell commands with a bypassed execution policy, e.g. PPSS = "PowerShell -noexit -exec bypass -window 1 -enc …".
  • [T1027] Obfuscated/Compressed Files and Information – The final payload and config are built from extensive base64-encoded strings with reversed decoding; the analysis notes that these strings represent encoded data for the final payload.
  • [T1059] Dynamic code execution / Reflective loading – The code reconstructs a base64 payload and loads it in memory via [AppDomain]::CurrentDomain.Load(…) and then invokes the entry point.
  • [T1056.001] Keylogging – The malware implements global keyboard capture using a low-level hook (SetWindowsHookEx) and logs keystrokes with window titles via XLogger.
  • [T1105] Ingress Tool Transfer – The loader reconstructs the payload (e.g., Ahf2op5r4m4c.bin) and writes it to disk for execution; the code path logs "File saved -> $payloadPath".

Indicators of Compromise

  • [Domain] liliana221990[.]duckdns[.]org – observed as a host in the C2/reconnaissance workflow.
  • [Port] 7000 – port used for the C2 connection.
  • [File] Payload.vbs – dropper placed in the Startup path.
  • [File] USB.exe – USBNM field and plugin-related executable.
  • [File] Ahf2op5r4m4c.txt – payload/config data stored as a text artifact.
  • [File] Ahf2op5r4m4c.bin – binary payload extracted from encoded data.
  • [Hash] ADF773B49D8306E08B5232039E0DEA143E2C015CDC731F1BE86D7DD92FCCA6A9 – large initial sample (≈409 MB).
  • [Hash] 9E123E98616D1BF98F868759FE04A4817A12D69512EEE6946662102F3B1775EE – smaller extracted payload sample (≈50 KB).
  • [Hash] E202C9745876E613AC216A2FF07859265EA1FAEF3FB03D32B727B7BD714DD35E – decrypted/associated payload hash.

Read more: https://www.emanueledelucia.net/a-reverse-engineers-journey-with-powershell-and-xworm/