A modified version of the XWORM RAT has been discovered distributed via a trojanized MSI installer masquerading as a WhatsApp installer, with several components containing Chinese-language elements. This variant features a custom Telegram-checking function and uses Donut-encrypted shellcode embedded in PNG files, with command and control (C2) servers located in East/South East Asia. #XWORM #Underbyte #Donut #Telegram
Key points
- A trojanized MSI installer named whats-install.msi disguises itself as a legitimate WhatsApp installer and includes Chinese-language metadata.
- The installer executes xmplay.exe which side-loads a malicious DLL (xmpcd.dll) to run a PowerShell script creating a Scheduled Task for persistence.
- The installer.exe acts as a shellcode loader, extracting Donut-encrypted shellcode from the PNG file resource_data.png for execution.
- The decrypted shellcode is a modified XWORM RAT client configured with a hardcoded C2 server at 27.124.2[.]138:6000 and an unused C2 at 45.125.216[.]54:7000.
- This XWORM variant includes a custom function to check for Telegram installation, reporting via a Telegram-based identification mechanism.
- The malware uses techniques common among Chinese-speaking threat actors, such as Donut-encrypted shellcode, DLL side-loading, and checking for a Telegram installation.
- Multiple related samples with similar characteristics and infection chains have been observed, indicating ongoing distribution campaigns in East/South East Asia.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – PowerShell script executed via the AccurateRemote() function to create a persistence Scheduled Task. (‘…runs an embedded PowerShell script to create a Scheduled Task with a random name for persistence…’)
- [T1543] Create or Modify System Process – Creation of a Scheduled Task for persistence that runs xmplay.exe at logon. (‘…The Scheduled Task runs xmplay.exe during logon…’)
- [T1218] Signed Binary Proxy Execution – Use of legitimate xmplay.exe to side-load malicious DLL xmpcd.dll. (‘…When the legitimate xmplay.exe is executed, it side-loads a malicious DLL named xmpcd.dll…’)
- [T1105] Ingress Tool Transfer – The installer drops multiple components including xmplay.exe, xmpcd.dll, installer.exe, and resource_data.png to the victim system. (‘…MSI drops content…’)
- [T1071] Application Layer Protocol – Custom Telegram identification and reporting function used to check for Telegram presence on infected hosts. (‘…includes a custom Telegram identification and reporting function…’)
- [T1045] Software Packing – Use of Donut loader to encrypt and load shellcode from PNG resource. (‘…The shellcode loaded by installer.exe is encrypted with the Donut loader…’)
Indicators of Compromise
- [File Hash] whats-install.msi (MSI installer) – 37e42839ea6f1c97c7256eeec99e420e46e4d920bf629cb84aa260e78ee7f60f
- [File Hash] xmplay.exe (legitimate side-loading host) – ebc41dbef6867a7e505864d9fccd167c0d0bd9742f8ea4278c675aa78522b4d2
- [File Hash] xmpcd.dll (malicious side-loaded DLL) – 4af573b1b9d2b107d08acd82b639637e7991c4a98bfe998714f82d703c01c26a
- [File Hash] resource_data.png (Donut-encrypted shellcode resource) – c74482352b8c7c36783704936c41bdc1a8482135c4f0fe920bcc289ddaafb848
- [File Hash] XWORM RAT client (decrypted payload) – a0bd05d481591889b83772632f860398345dc0f4daf2d004fba3639882e8b2b6
- [Network] Command and Control servers – 27.124.2[.]138:6000 (active), 45.125.216[.]54:7000 (unused)
- [Mutex] Malware runtime identifier – sKGCo7sB9Ni6uaEY
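The hashes, C2 endpoints and mutex listed above can be swept against a host's files, its connection logs and a handle listing. The following Python script is an added example written for this summary, not code from the original post or its author; the temporary file tree and the connection log lines it uses are constructed for the demonstration, and the `dst=ip:port` field layout of the log lines is an assumption. It also accepts the defanged `[.]` notation so the indicators can be pasted in as written.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators copied from the summary above.
KNOWN_SHA256 = {
    "37e42839ea6f1c97c7256eeec99e420e46e4d920bf629cb84aa260e78ee7f60f": "whats-install.msi",
    "ebc41dbef6867a7e505864d9fccd167c0d0bd9742f8ea4278c675aa78522b4d2": "xmplay.exe",
    "4af573b1b9d2b107d08acd82b639637e7991c4a98bfe998714f82d703c01c26a": "xmpcd.dll",
    "c74482352b8c7c36783704936c41bdc1a8482135c4f0fe920bcc289ddaafb848": "resource_data.png",
    "a0bd05d481591889b83772632f860398345dc0f4daf2d004fba3639882e8b2b6": "XWORM RAT client",
}
# Dropped-file names: a name match alone is weak evidence, so it is reported separately.
DROPPED_NAMES = {"whats-install.msi", "xmplay.exe", "xmpcd.dll", "installer.exe", "resource_data.png"}
C2_ENDPOINTS = {("27.124.2.138", 6000), ("45.125.216.54", 7000)}
KNOWN_MUTEXES = {"sKGCo7sB9Ni6uaEY"}

# Constructed connection log lines (not from the page); field layout is assumed.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 src=10.0.0.5:51234 dst=27.124.2[.]138:6000 proto=tcp",
    "2024-01-01T10:00:01 src=10.0.0.5:51235 dst=8.8.8.8:53 proto=udp",
    "2024-01-01T10:00:02 src=10.0.0.7:51236 dst=45.125.216.54:443 proto=tcp",
]


def refang(text: str) -> str:
    """Turn the defanged 'a.b.c[.]d' notation back into a dotted quad."""
    return text.replace("[.]", ".")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root: Path) -> dict:
    """Walk a tree; return hash matches (strong) and name-only matches (weak)."""
    hits = {"hash": [], "name": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if digest in KNOWN_SHA256:
            hits["hash"].append((str(p), digest, KNOWN_SHA256[digest]))
        elif p.name.lower() in DROPPED_NAMES:
            hits["name"].append((str(p), digest))
    return hits


# Matches 'ip:port' with the ip either plain or defanged with '[.]'.
_ENDPOINT_RE = re.compile(r"(\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3}):(\d{1,5})")


def scan_connections(lines) -> list:
    """Return (line_no, ip, port, exact) for every line that reaches a known C2 IP.
    exact is True when the port also matches the configured C2 port; an IP match on
    another port is still reported because the operator controls the whole host."""
    c2_ips = {ip for ip, _ in C2_ENDPOINTS}
    hits = []
    for n, line in enumerate(lines, 1):
        for raw_ip, port in _ENDPOINT_RE.findall(line):
            ip = refang(raw_ip)
            if ip in c2_ips:
                hits.append((n, ip, int(port), (ip, int(port)) in C2_ENDPOINTS))
    return hits


def check_mutexes(handles) -> set:
    """handles: iterable of mutex names as shown in a handle listing."""
    return {m for m in handles if m in KNOWN_MUTEXES}


def demo_sweep() -> dict:
    """Constructed demo tree: a benign file that only shares a dropped-file name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "xmpcd.dll").write_bytes(b"benign placeholder")
        (root / "notes.txt").write_bytes(b"hello")
        return sweep_files(root)


if __name__ == "__main__":
    print(demo_sweep())
    print(scan_connections(SAMPLE_LOG))
    print(check_mutexes(["Global\\SomeOtherMutex", "sKGCo7sB9Ni6uaEY"]))
```

Hash matches are reported as strong findings; a file that merely carries one of the dropped names (xmpcd.dll here) lands in the weak bucket, since xmplay.exe itself is a legitimate program and the installer drops it alongside the malicious DLL.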
Read more: https://dmpdump.github.io/posts/Modified_Xworm_Distribution/