Cyble researchers exposed a dark web post by a malware developer selling a powerful Windows RAT suite, including XWorm with ransomware and HVNC capabilities. The article details the toolset, persistence and anti-analysis techniques, data exfiltration, and the ongoing presence of XWorm samples in the wild, along with defensive recommendations. #XWorm #EvilCoderProject
Keypoints
- The threat-hunting exercise led to a dark web post where a malware developer advertised multiple dangerous tools for sale.
- Tools include XWorm V2.2 (RAT + ransomware), XBinder V2.0/Client/Builder, UAC Bypasser Builder, Hidden Malware Builder, and others with anti-analysis features.
- XWorm is a .NET binary (~45.5 KB) capable of dropping payloads, modifying registry entries, and executing commands, with multiple persistence and defense-evasion techniques.
- Anti-analysis and anti-detection techniques are used (anti-VM, anti-debugger, anti-sandbox, anti-emulator; checks for virtualization and debuggers).
- XWorm establishes persistence via startup folders, AppData, scheduled tasks, and registry autorun entries; it then communicates with a C2 domain and exfiltrates system details.
- HVNC, DDoS, Clipper, keylogging, screen capture, ransomware encryption, and other capabilities are described within the XWorm toolset.
- Recommendations emphasize basic cybersecurity best practices to prevent infections and identify potential signs of compromise.
MITRE Techniques
- [T1059.001] Bypasses PowerShell execution policy - The toolset includes a PowerShell component, described as a "Crypto Money Grabber PowerShell Script".
- [T1547.001] Registry Run Keys / Startup Folder - "To establish persistence, the malware drops itself into the start-up folder."
- [T1055] Process Injection - The RAT tooling includes "Run File [Disk - Link - Memory - Script - RunPE]."
- [T1027.003] Obfuscated Files or Information - "Anti-analysis techniques included such as anti-VM, anti-debugger, anti-sandbox, and anti-emulator."
- [T1036.005] Masquerading - "Drops PE files with benign system names."
- [T1082] System Information Discovery - "exfiltrated details include information such as processor count, UserName, MachineName, OSVersion, Malware version, date of malware creation, administrative privileges, webcam details, and antivirus programs installed in the system."
- [T1071.001] Application Layer Protocol - "system6458[.]ddns[.]net on Port 6666."
Indicators of Compromise
- [Hash] XWorm.exe - 15f54e2562a9c6f51367327e9f19c11282f21a2de6687f73f0483e6fe3164973, 366133968ea8bef322a22a977da1b9c7aaab9559, and 2 more hashes
- [Hash] XWorm.exe - 8cfefc291d9088ef0b3ab7dd59d8ff672e73d333c8d18bd1dff4c7695ae8af83, e8c6d68e67d853180d36116e3ba27e4f12346dc2, and 2 more hashes
- [Hash] XWorm.exe - 096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d, a7e95c1d51a278b59097524a14d042257f3e2801, and 2 more hashes
- [Hash] XWorm.exe - 8f9fff88c0c636c80ca0a4cfa37d3fb620289579a1ecae9ba1d3881235b482ee, 93c2c2c80274ed4c663423c596d0648e8b548ec2, and 2 more hashes
- [Hash] XWorm.exe - b9a9ae029ca542aadea0b384e4cfb50611d1a92c4570db5ddc5e362c4ebe41b4, fdce6ef81ccf3d697f20c020020bbb6b51f8b1f1, and 2 more hashes
- [Hash] XWorm.exe - 64519b4e63dbedc44149564f3d472c720fa3c6a87c9ad4f07d88d7fd1914f5b9, 2edbb78ec7c8f6a561eb30fd43c31841d74217df, and 2 more hashes
- [Hash] XWorm.exe - 8a399e51bdcd4b8d0a041236e80b3094987a80674bda839351fef1585c8c921b, af6bd2d2732269d0b6bbb78006e4980511ac8546, and 2 more hashes
- [Hash] XWorm.exe - b09bf46468d9ed8b1957246f4cf7fd15679212fe9e5df7df6101179e0594cae6, 72af980aaaa635bc4425b59ef523f8088b3874d5, and 2 more hashes
- [Hash] XWorm.exe - b327ec6f6dba10eb77cf47e8486059da63d1d77c3206a8a5ba381b2f1e621651, be06e7a5bff1bcd1fd27ff6789ae87513cd9d4de, and 2 more hashes
- [Hash] XBinder Builder - cbc87f41023b27b31a0eeac9818fa06db2914b5cc7c18c9392944ddc721b4efb, 9bbb4afa7dd21e37f09ce9bb81ff7ab961a20f2a, and 2 more hashes
- [Hash] XBinder Client - f89b62d1cf8d2bfd83be841187502318817bc58725a5409c1c2fb6c0c7b14959, 716bf966c68ac8b120b8029a294e9c5d9d21f637, and 2 more hashes
- [Domain] C2 domain β system6458.ddns.net
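As an added example (not code from the Cyble article or from the toolset it describes), the script below turns the indicators listed above into a local sweep: it hashes files and matches them against the SHA256/SHA1 values printed on this page, and it scans DNS and connection log lines for the C2 domain (re-fanging the defanged `system6458[.]ddns[.]net` form first) and for connections to the documented port 6666. The log format, host names and IP addresses in `SAMPLE_LOG` are constructed for the demonstration; only the hashes, domain and port come from the page, and the "2 more hashes" per sample that the page does not print are not included.

```python
"""Sweep files and logs for the XWorm indicators listed in this report."""
import hashlib
import re
import sys
from pathlib import Path
from typing import Iterable

# SHA256 / SHA1 pairs exactly as printed in the Indicators of Compromise section.
XWORM_HASHES = {
    "15f54e2562a9c6f51367327e9f19c11282f21a2de6687f73f0483e6fe3164973", "366133968ea8bef322a22a977da1b9c7aaab9559",
    "8cfefc291d9088ef0b3ab7dd59d8ff672e73d333c8d18bd1dff4c7695ae8af83", "e8c6d68e67d853180d36116e3ba27e4f12346dc2",
    "096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d", "a7e95c1d51a278b59097524a14d042257f3e2801",
    "8f9fff88c0c636c80ca0a4cfa37d3fb620289579a1ecae9ba1d3881235b482ee", "93c2c2c80274ed4c663423c596d0648e8b548ec2",
    "b9a9ae029ca542aadea0b384e4cfb50611d1a92c4570db5ddc5e362c4ebe41b4", "fdce6ef81ccf3d697f20c020020bbb6b51f8b1f1",
    "64519b4e63dbedc44149564f3d472c720fa3c6a87c9ad4f07d88d7fd1914f5b9", "2edbb78ec7c8f6a561eb30fd43c31841d74217df",
    "8a399e51bdcd4b8d0a041236e80b3094987a80674bda839351fef1585c8c921b", "af6bd2d2732269d0b6bbb78006e4980511ac8546",
    "b09bf46468d9ed8b1957246f4cf7fd15679212fe9e5df7df6101179e0594cae6", "72af980aaaa635bc4425b59ef523f8088b3874d5",
    "b327ec6f6dba10eb77cf47e8486059da63d1d77c3206a8a5ba381b2f1e621651", "be06e7a5bff1bcd1fd27ff6789ae87513cd9d4de",
    "cbc87f41023b27b31a0eeac9818fa06db2914b5cc7c18c9392944ddc721b4efb", "9bbb4afa7dd21e37f09ce9bb81ff7ab961a20f2a",
    "f89b62d1cf8d2bfd83be841187502318817bc58725a5409c1c2fb6c0c7b14959", "716bf966c68ac8b120b8029a294e9c5d9d21f637",
}
# C2 indicator as printed (defanged) in the MITRE section, plus the documented port.
C2_DOMAINS = ["system6458[.]ddns[.]net"]
C2_PORT = 6666


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def digests(data: bytes) -> dict:
    """SHA256 and SHA1 of a byte string, keyed by algorithm name."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def match_digests(found: dict, known: set = XWORM_HASHES) -> list:
    """Return 'algo:digest' strings for every digest that is in the known set."""
    return [f"{algo}:{d}" for algo, d in found.items() if d in known]


def find_hash_hits(paths: Iterable[Path], known: set = XWORM_HASHES) -> list:
    """Hash each regular file and report (path, 'algo:digest') for matches."""
    hits = []
    for p in paths:
        if p.is_file():
            for m in match_digests(digests(p.read_bytes()), known):
                hits.append((str(p), m))
    return hits


def find_log_hits(lines: Iterable[str], domains=C2_DOMAINS, port: int = C2_PORT) -> list:
    """Flag log lines naming the C2 domain (strong) or connecting to the C2 port (weak).

    Domain matching is case-insensitive and requires the full label sequence, so
    'system6458.ddns.network' would not match; a trailing FQDN dot still would.
    """
    patterns = [re.compile(r"(?<![\w.-])" + re.escape(refang(d)) + r"(?![\w-])") for d in domains]
    port_re = re.compile(r"->\s*\S+:" + str(port) + r"\b")
    hits = []
    for line in lines:
        if any(p.search(line.lower()) for p in patterns):
            hits.append(("c2-domain", line))
        elif port_re.search(line):
            hits.append(("c2-port", line))  # port alone is a weak signal; triage manually
    return hits


# Constructed sample lines (not from the report): a DNS query log and a connection log.
SAMPLE_LOG = [
    "2022-08-19T10:01:02Z ws-17 dns query A system6458.ddns.net",
    "2022-08-19T10:01:03Z ws-17 conn 10.0.0.17:51344 -> 203.0.113.5:6666 tcp",
    "2022-08-19T10:02:00Z ws-17 dns query A update.example.org",
    "2022-08-19T10:02:05Z ws-17 conn 10.0.0.17:51345 -> 203.0.113.9:443 tcp",
    "2022-08-19T10:03:00Z ws-22 dns query A SYSTEM6458.DDNS.NET.",
]

if __name__ == "__main__":
    # Usage: python sweep.py [directory ...]; with no arguments only the sample log is checked.
    for kind, line in find_log_hits(SAMPLE_LOG):
        print(f"[{kind}] {line}")
    for d in sys.argv[1:]:
        for path, match in find_hash_hits(Path(d).rglob("*")):
            print(f"[hash] {path} {match}")
```

Hash matching is exact, so it only finds the specific samples the page lists; the domain check is the more durable indicator since the dynamic DNS name is what every sample in this set resolved to.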
Read more: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/