Trustwave SpiderLabs discovered a deceptive campaign using fake AI-themed websites to trick users into installing a modified, digitally signed ScreenConnect installer that ultimately delivered an Xworm RAT via a multi-stage infection chain hosted on GitHub. The campaign used process hollowing, registry persistence, hidden remote sessions, and GitHub-hosted obfuscated Python scripts to evade EDR detection and enable credential theft and remote control. #ScreenConnect #XWorm
Keypoints
- Threat actors used AI-branded lures (e.g., gptgrok[.]ai) and social engineering to get victims to download a disguised ScreenConnect installer named like “Creation_Made_By_GrokAI.mp4 Grok.com”.
- The malicious ScreenConnect binary was digitally signed and its Authenticode signature was manipulated to embed attacker-controlled configuration, allowing remote access without invalidating the signature.
- Remote sessions established by the pre-configured ScreenConnect client allowed the attackers to drop and execute scripts (e.g., “X-META Firebase_crypted.bat”) to download additional payloads from domains such as anhemvn4[.]com.
- Payloads included obfuscated, Base64-encoded Python executed via a renamed pythonw.exe (pw.exe), which fetched code from a GitHub repo and performed fileless execution and process injection.
- Techniques observed included process hollowing and hidden desktop execution to evade user detection and EDR, plus registry Run key persistence (mimicking legitimate names like “Windows Security”).
- Actor activity attempted credential access by targeting browser login databases and used WMI queries to enumerate OS and AV information.
- Final payload behavior and scripts point to Xworm, a malware-as-a-service RAT, with an extracted C2 IP of 5[.]181[.]165[.]102:7705 and multiple malicious files hosted in the GitHub repository.
MITRE Techniques
- [T1036.005] Masquerading – The ScreenConnect installer was named like “Creation_Made_By_GrokAI.mp4 Grok.com” while actually being “ScreenConnect.ClientSetup.msi”, tricking users into executing it.
- [T1112] Modify Registry – A registry Run key was added (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) using reg.exe to persist “C:\xmetavip\backup.bat”. Quote: “…a reg.exe command was used to add the Windows Security … value in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.”
- [T1055.012] Process Injection: Process Hollowing – Obfuscated Python performed process injection into chrome.exe and msedge.exe via process hollowing. Quote: “…perform process injection (in the observed case, into a chrome.exe and msedge.exe) … process hollowing (T1055.012) technique.”
- [T1564.003] Hidden Files and Directories / Hidden Window – Browsers used for injection were launched on a hidden desktop to avoid user detection. Quote: “…web browsers were also launched on a hidden desktop to avoid detection by a legitimate user (T1564.003).”
- [T1105] Ingress Tool Transfer – The attack downloaded a zip archive (“5btc.zip”) from anhemvn4[.]com and extracted files to C:\xmetavip to stage further components.
- [T1218] Signed Binary Proxy Execution – A legitimately signed ScreenConnect binary was modified and used to execute attacker-controlled behavior without invalidating the signature (manipulated Authenticode).
- [T1059.001] Command and Scripting Interpreter: PowerShell/Windows Command Shell – Batch files and mshta.exe were used to execute script commands, e.g., “mshta.exe executing a script … IWshShell3.Run(…X-META~1.BAT…)” to launch subsequent commands.
- [T1555.003] Credentials from Web Browsers – pw.exe attempted to access browser credential stores such as Chrome, Edge, and Firefox login databases. Quote: “…attempted to access sensitive browser-related files … Login Data … key4.db … logins.json.”
- [T1082] System Information Discovery – WMI queries were executed to extract OS and antivirus product information. Quote: “WMI query executions used to extract detailed information about the current operating system (T1082) and to gather data on installed antivirus products (T1518.001).”
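As an added defender-side example (not code from the Trustwave report), the following Python checks constructed Sysmon-style events for two of the patterns listed above: a Run key value named like “Windows Security” that points at a script (T1112), and a process whose PE OriginalFileName is pythonw.exe but whose on-disk name differs, as with pw.exe (T1036.005). The event dictionaries, SIDs and the benign vendor entries are constructed for illustration.

```python
import re
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Value names abused to blend in with the OS; extend with names seen in your estate.
IMPERSONATED_NAMES = {"windows security", "windows defender", "security health"}
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")
INTERPRETERS = {"pythonw.exe", "python.exe"}

# Constructed Sysmon-style events for illustration (EventID 13 = registry value set,
# EventID 1 = process create); not taken from the report's telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security",
     "Details": r"C:\xmetavip\backup.bat"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\xmetavip\pw.exe", "OriginalFileName": "pythonw.exe"},
    {"EventID": 1, "Image": r"C:\Python312\pythonw.exe", "OriginalFileName": "pythonw.exe"},
]

def check_run_key(ev):
    """Return reasons if a Run-key value mimics a Windows component or launches a script."""
    target = ev["TargetObject"]
    if not RUN_KEY_RE.search(target):
        return None
    value_name = target.rsplit("\\", 1)[-1].lower()      # last path element is the value name
    data = ev.get("Details", "").strip('"').lower()      # REG_SZ data, quotes stripped
    reasons = []
    if value_name in IMPERSONATED_NAMES:
        reasons.append(f"value name impersonates a Windows component: {value_name!r}")
    if data.endswith(SCRIPT_EXTS):
        reasons.append(f"autorun target is a script: {data}")
    return reasons or None

def check_renamed_interpreter(ev):
    """Return a reason if the PE's OriginalFileName is a Python interpreter but the file name differs."""
    original = ev.get("OriginalFileName", "").lower()
    image_name = ev["Image"].rsplit("\\", 1)[-1].lower()
    if original in INTERPRETERS and image_name != original:
        return [f"{image_name} is a renamed {original}"]
    return None

def scan(events):
    """Return (event index, reasons) for every event that trips a rule."""
    rules = {13: check_run_key, 1: check_renamed_interpreter}
    results = ((i, rules[ev["EventID"]](ev)) for i, ev in enumerate(events))
    return [(i, r) for i, r in results if r]
```

Calling scan(SAMPLE_EVENTS) flags the reg.exe event (two reasons: impersonated name and script target) and the pw.exe event, while the vendor updater and the unrenamed pythonw.exe pass.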
Indicators of Compromise
- [URLs] Delivery and payload hosting – hxxps://gptgrok[.]ai (AI-themed lure site), hxxps://anhemvn6[.]com (redirect/delivery).
- [URLs] Archive and GitHub payloads – hxxps://anhemvn4[.]com/5btc[.]zip (downloaded archive), hxxps://github[.]com/trieule99911/vianhthuongbtc (malicious repo) and raw.githubusercontent URLs for files like basse64.txt and Exppiyt.txt.
- [File names] Dropped and executed artifacts – ScreenConnect.ClientSetup.msi (disguised installer like “Creation_Made_By_GrokAI.mp4 Grok.com”), X-META Firebase_crypted.bat, pw.exe (renamed pythonw.exe), backup.bat.
- [Registry] Persistence key – HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value named like “Windows Security” pointing to C:\xmetavip\backup.bat.
- [IP] Command-and-control – 5[.]181[.]165[.]102:7705 observed in final payload script (not flagged on VirusTotal at time of analysis).