XWorm Malware: Exploring C&C Communication – ANY.RUN’s Cybersecurity Blog

XWorm is a Windows RAT analyzed for its post-connection C2 communications, including how the client and server exchange encrypted data and commands. The article examines the payload structure, encryption, plugins, and data-exfiltration capabilities enabled after a successful victim connection. Hashtags: #XWorm #ANYRUN

Keypoints

  • XWorm is a Windows-targeting Remote Access Trojan (RAT) with a plugin-based architecture that activates after a victim connects to the attacker’s server.
  • The analysis focuses on the post-connection communication, including how data is encrypted and how it can be decrypted.
  • The data sent from the client is split into a length value and encrypted payload, with a sample length of 272 (decimal).
  • The transmitted data fields include ID, UserName, OS, Version, LastWriteTime, Admin status, Camera check, CPU/GPU/RAM, and AV information, among others.
  • The Info Stealer plugin area reveals seven main classes (AlgorithmAES, ClientSocket, Helper, Messages, Xlogger, Uninstaller, Main) that support data collection and plugin management.
  • Plugins can be deployed and executed via the server, including a .gz archive that unpacks into an executable (a .NET DLL) with extensive infostealer capabilities.
  • The infostealer DLL extracts credentials and data (credit cards, cookies, Discord tokens, browser data, wallets, etc.) and can disable Defender or perform other disruptive actions.
  • Command traffic shows plugin-related actions such as sendPlugin and savePlugin, indicating controlled plugin deployment and execution from the C2.
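As an added illustration of the length-plus-encrypted-payload framing noted above (example code, not from the ANY.RUN article), here is a Python frame splitter an analyst could run over a captured client stream; it assumes the length travels as ASCII decimal digits terminated by a NUL byte, since the article only gives the sample length 272 and not the delimiter.

```python
# Added example (not code from the ANY.RUN article): split a captured XWorm
# client->server stream into (length, payload) frames for offline analysis.
# ASSUMPTION: the length value is sent as ASCII decimal digits terminated by a
# single NUL byte, followed by exactly that many bytes of encrypted payload.
# The article only states that each message is a length value plus an
# encrypted payload (sample length 272); the delimiter is assumed here.
from typing import List, Tuple

MAX_FRAME_LEN = 64 * 1024 * 1024  # sanity bound so a corrupt header cannot stall the parser


def split_frames(stream: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Return (frames, remainder). Each frame is (declared_length, payload).
    `remainder` holds the bytes of a frame that is not yet complete, so the
    caller can append the next TCP segment and call again (C2 streams rarely
    align with packet boundaries)."""
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # length header not complete yet
        header = stream[pos:nul]
        if not header.isdigit() or len(header) > 12:
            raise ValueError(f"malformed length header at offset {pos}: {header!r}")
        length = int(header)
        if length > MAX_FRAME_LEN:
            raise ValueError(f"implausible frame length {length} at offset {pos}")
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break  # payload not complete yet; keep it buffered
        frames.append((length, stream[start:end]))
        pos = end
    return frames, stream[pos:]


# Constructed sample stream: one full 272-byte frame (the article's sample
# length) followed by a second frame cut off mid-payload.
SAMPLE_STREAM = b"272\x00" + bytes(range(256)) + b"\xaa" * 16 + b"10\x00abc"

if __name__ == "__main__":
    done, rest = split_frames(SAMPLE_STREAM)
    for n, payload in done:
        print(f"frame: declared={n} got={len(payload)} head={payload[:4].hex()}")
    print(f"buffered remainder: {rest!r}")
```

The payloads returned are still ciphertext; decryption (the client's AlgorithmAES class) is a separate step once the key material is recovered from the sample.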

MITRE Techniques

  • [T1560.002] Archive Collected Data – Archive data via a library to exfiltrate information. – ‘Archive Collected Data::Archive via Library T1560.002’
  • [T1555.003] Credentials from Web Browsers – Extract credentials from browser stores. – ‘Credentials from Web Browsers T1555.003’
  • [T1140] Deobfuscate/Decode Files or Information – Decrypt/decode payloads as part of data processing. – ‘Deobfuscate/Decode Files or Information T1140’
  • [T1027] Obfuscated Files or Information – Obfuscate or conceal data/strings in transit or storage. – ‘Obfuscated Files or Information T1027’
  • [T1620] Reflective Code Loading – Load code reflectively during runtime. – ‘Reflective Code Loading T1620’
  • [T1083] File and Directory Discovery – Locate files/directories as part of data collection. – ‘File and Directory Discovery T1083’
  • [T1057] Process Discovery – Identify running processes to gauge context. – ‘Process Discovery T1057’
  • [T1012] Query Registry – Read registry for configuration or state. – ‘Query Registry T1012’
  • [T1082] System Information Discovery – Gather OS and hardware details. – ‘System Information Discovery T1082’
  • [T1614] System Location Discovery – Determine device location/ownership context. – ‘System Location Discovery T1614’
  • [T1129] Shared Modules – Use shared modules or DLLs to extend capabilities. – ‘Shared Modules T1129’
  • [T1047] Windows Management Instrumentation – Use WMI for information gathering or actions. – ‘Windows Management Instrumentation T1047’

Indicators of Compromise

  • [FileName] context – msbuilds.exe, Recovery.dll, and Options.dll
  • [SHA256] context – f58193da4f61b45e375f5aa2978b08908578b5151dc779dc4b566e6a941e802b, 0ee68c8008e2a8d6252db3d3b1a1b0179e1f868b0b3240bbcec3d1c29d5364fb, and 7df14d2929a500eec6a144ec8e687960bbea047f9a78a46ea64faa1fa28f8724
  • [IP Address] context – 140.228.29.162:7900 (C2 server address)

Read more: https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/