XWorm is a modular, builder-driven .NET Remote Access Trojan (RAT) sold as malware-as-a-service that enables operators to assemble bespoke payloads with features like keylogging, clipper, screen capture, credential theft, persistence, and optional ransomware modules. Campaigns use diverse delivery chains (LNK/HTA/VBS/PowerShell, steganography, TryCloudflare tunnels, ClickFix clipboard lures) and have been used by groups including Nullbulge, UAC-0184, TA558, and Kimsuky to scale infections rapidly. #XWorm #TA558 #Kimsuky
Keypoints
- XWorm is sold and shared on criminal marketplaces since mid-2022 and operates as a builder/MaaS enabling rapid, repeatable payload creation.
- The XWorm Builder GUI lets operators toggle features (keylogger, clipper, anti-analysis), persistence methods (Registry, Scheduled Tasks, Startup), obfuscation, and assembly metadata without coding.
- Delivery methods are highly varied—LNK/HTA/VBS/WSF, PowerShell, ZIP/ISO/IMG, macros, steganography, and TryCloudflare tunnels—allowing operators to bypass different defenses.
- Observed campaigns include ClickFix-style clipboard PowerShell lures and multi-stage, encoded, fileless scripts; actors tied to activity include Nullbulge, UAC-0184, TA558, and Kimsuky.
- Typical runtime behaviors include AMSI bypass (CLR.dll patching), VM/sandbox checks, persistence via Run keys or Scheduled Tasks, credential and cookie theft, keylogging, clipboard clipping, screen capture, and covert VNC.
- Operational tempo and scale are notable: single campaigns have compromised tens of thousands of devices, demonstrating how builder-driven malware can rapidly scale across diverse victims.
- Defensive recommendations emphasize blocking risky attachments, hardening PowerShell, restricting LOLBAS, limiting egress, alerting on persistence artifacts, centralizing telemetry, MFA, least privilege, and allowlisting.
MITRE Techniques
- [T1204] User Execution: Malicious File – User double-clicks shortcut or staged script (.lnk, .bat, .hta) that pulls next stages. Quote: ‘User double-clicks shortcut or staged script (.lnk, .bat, .hta) that pulls next stages.’
- [T1059] Command and Scripting Interpreter: PowerShell – Stagers download, decrypt, and run payloads with execution-policy bypass. Quote: ‘Stagers download, decrypt, and run payloads with execution-policy bypass.’
- [T1547.001] Boot or Logon Autostart Execution: Run Keys / Startup Folder – Drops a copy of the RAT into the user Startup directory and places a shortcut so it launches at user logon. Quote: ‘Drops a copy of the RAT into the user Startup directory and places a shortcut so it launches at user logon.’
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creates a scheduled task to run the binary at logon or on a short recurring interval. Quote: ‘Creates a scheduled task to run the binary at logon or on a short recurring interval.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Tampers with the Defender service and lowers protections by changing Defender preferences so that real-time, script, and behavior checks are weakened. Quote: ‘Impacts the Defender service, turns protections down—changing Defender preferences so real-time/script/behavior checks are weakened.’
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – Turns off Windows Firewall for all profiles. Quote: ‘Turns off Windows Firewall for all profiles.’
- [T1027] Obfuscated Files or Information – Base64/AES-encrypted resources, string obfuscation, and in-memory AMSI patching. Quote: ‘Base64/AES-encrypted resources, string obfuscation, and in-memory AMSI patching.’
- [T1497.001] Virtualization/Sandbox Evasion: System Checks – Performs checks for VM or sandbox artifacts and alters execution or exits when detected. Quote: ‘Performs checks for VM or sandbox artifacts and alters execution or exits when detected.’
- [T1530] Steal Web Session Cookie – Collects session material such as Discord and Telegram tokens and browser cookies. Quote: ‘Collects session material such as Discord and Telegram tokens and browser cookies.’
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Harvests saved credentials and autofill from Chromium/Firefox profiles. Quote: ‘Harvests saved credentials and autofill from Chromium/Firefox profiles.’
- [T1010] Application Window Discovery – Enumerates open windows and tracks active window titles to guide operator actions and monitoring. Quote: ‘Enumerates open windows and tracks active window titles to guide operator actions and monitoring.’
- [T1082] System Information Discovery – Gathers host profile data including OS version, GPU name, driver version, adapter RAM, and video processor. Quote: ‘Gathers host profile data including OS version, GPU name, driver version, adapter RAM, and video processor.’
- [T1518.001] Software Discovery: Security Software Discovery – Queries the Windows Security Center WMI namespace to gather information on installed and registered antivirus products. Quote: ‘Queries the Windows Security Center WMI namespace to gather information on installed and registered antivirus products.’
- [T1056.001] Input Capture: Keylogging – Built-in keylogger capability. Quote: ‘Built-in keylogger capability.’
- [T1113] Screen Capture – Periodic screenshots as part of RAT surveillance. Quote: ‘Periodic screenshots as part of RAT surveillance.’
- [T1115] Clipboard Data – Clipboard monitoring and “clipper” behavior that replaces cryptocurrency addresses. Quote: ‘Clipboard monitoring and “clipper” behavior that replaces cryptocurrency addresses.’
- [T1095] Non-Standard Port – C2 over non-standard TCP ports. Quote: ‘C2 over non-standard TCP ports.’
- [T1001] Protocol or Service Impersonation – Impersonates legitimate protocols or web service traffic. Quote: ‘Impersonates legitimate protocols or web service traffic.’
- [T1021.003] Remote Services: VNC (HVNC) – Establishes covert VNC sessions that let the operator control the desktop without a visible UI. Quote: ‘Establishes covert VNC sessions that let the operator control the desktop without a visible UI.’
- [T1486] Data Encrypted for Impact – Ransomware-style file encryption module available to operators. Quote: ‘Ransomware-style file encryption module available to operators.’
- [T1498] Network DoS: Direct Flood – DDoS commands from infected hosts to exhaust local services or flood remote targets. Quote: ‘DDoS commands from infected hosts to exhaust local services or flood remote targets.’
- [T1489] Service Stop – Stops Windows services to weaken defenses. Quote: ‘Stops Windows services to weaken defenses.’
Indicators of Compromise
- [File Types] Delivery and loader names/formats – .lnk, .hta, .vbs, .wsf, .ps1, .exe, .dll, .iso, .img, macro-enabled docs (examples: LNK downloaders, VBS stagers).
- [Persistence Artifacts] Startup / Scheduled Task indicators – shortcuts in Startup folder, Run-key entries pointing to %AppData% or %ProgramData%, scheduled tasks invoking RAT binary.
- [Network/Infrastructure] C2 and delivery channels – TryCloudflare tunnel URLs and low-reputation domains used in phishing pages, and Telegram endpoints used for C2 (example contexts: TryCloudflare tunnels used to host installers; Telegram used for command-and-control).
- [Behavioral/Telemetry] AMSI patching and obfuscated payloads – in-memory AMSI bypass via CLR.dll patching, Base64/AES-encoded resources and string obfuscation (example artifacts: patched CLR-related calls and encoded resource blobs).
- [Credentials/Artifacts] Browser and session theft – stolen Chromium/Firefox credentials and Discord/Telegram tokens (examples: harvested browser profile files and session cookies).
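As an added example (not code from the page or from Logpoint), a small Python detector that applies the persistence indicators above (Run keys or scheduled tasks pointing at %AppData%/%ProgramData%, Startup-folder drops) and the execution-policy-bypass PowerShell stager behavior to constructed telemetry; the event shapes, paths and base64 string are made up for illustration and only loosely follow Sysmon and Security event fields.

```python
import re

# Constructed sample telemetry (not from the page), loosely shaped like Sysmon
# Event IDs 13 (RegistryEvent), 11 (FileCreate), 1 (ProcessCreate) and
# Security 4698 (scheduled task created). Paths and the base64 are dummies.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\Updater\update.exe"},
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r"C:\Program Files\Vendor\tray.exe"},  # benign: not user-writable
    {"id": 11, "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"id": 4698, "task": r"\Microsoft\Windows\Update\Sync",
     "action": r"%ProgramData%\Update\svc.exe", "trigger": "logon"},
    {"id": 1, "cmdline": r"powershell.exe -nop -w hidden -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"id": 1, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign
]

# Locations a standard user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = re.compile(r"(%appdata%|%programdata%|%temp%|\\appdata\\|\\programdata\\|\\temp\\)", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# powershell.exe accepts unambiguous parameter prefixes, so -ep/-exec/-ExecutionPolicy are all matched.
PS_BYPASS = re.compile(r"-e[a-z]*\s+bypass\b", re.I)
# -e, -ec, -enc and -EncodedCommand are all accepted spellings of EncodedCommand.
PS_ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)


def classify(ev):
    """Return the list of detection tags an event triggers (empty if benign)."""
    tags = []
    if ev["id"] == 13 and RUN_KEY.search(ev["target"]) and USER_WRITABLE.search(ev["details"]):
        tags.append("run_key_to_user_writable_path")
    if ev["id"] == 11 and STARTUP_DIR.search(ev["target"]):
        tags.append("startup_folder_drop")
    if ev["id"] == 4698 and USER_WRITABLE.search(ev["action"]):
        tags.append("scheduled_task_user_writable_action")
    if ev["id"] == 1 and "powershell" in ev["cmdline"].lower():
        if PS_BYPASS.search(ev["cmdline"]):
            tags.append("powershell_execution_policy_bypass")
        if PS_ENCODED.search(ev["cmdline"]):
            tags.append("powershell_encoded_command")
    return tags


def scan(events):
    """Map each flagged event's index to its tags; benign events are omitted."""
    return {i: tags for i, ev in enumerate(events) if (tags := classify(ev))}


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS).items():
        print(idx, hit)
```

Each tag maps to one of the page's persistence or stager behaviors, so the hits can be fed to a SIEM rule per tag rather than one catch-all alert.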
Read more: https://logpoint.com/en/blog/xworm-rat-analysis-steal-persist-control