XWorm: Technical Analysis of a New Malware Version

This article provides a detailed look at a new XWorm variant, covering its persistence, anti-analysis techniques, and data-exfiltration methods, including how it retrieves and decrypts configuration. It also demonstrates how ANY.RUN is used to uncover the malware’s C2 communications and configuration via live and static analyses. #XWorm #ANYRUN #Telegram #Ngrok

Keypoints

  • XWorm targets Windows and is noted for stealth, persistence, and a broad range of malicious activities from remote desktop control to ransomware and information theft.
  • It persists by adding a shortcut to the Startup folder (Registry Run Keys / Startup Folder) and uses a Scheduled Task to restart itself with elevated privileges.
  • It installs in the Public directory (Local Data Staging) and attempts to connect to a remote server on a non-standard port, though the initial connections may fail.
  • It performs external IP address discovery to check whether it is running on a real host or in a VM, and it uses residential proxies to evade detection and geo-targeting.
  • It communicates via Telegram for C2 (bidirectional communication) and also attempts to reach a remote server on a non-standard port for C2.
  • Its anti-analysis techniques include virtualization detection (via WMI), debugger detection, Sandboxie checks, and host/data-center checks intended to slow down or frustrate analysis.

MITRE Techniques

  • [T1547.001] Registry Run Keys / Startup Folder – Adds a shortcut to the startup folder. “the software adds its shortcut to the startup”.
  • [T1053.005] Scheduled Task – Uses the task scheduler to restart the software with elevated privileges. “The use of the scheduler is necessary to restart the software with elevated privileges, as indicated by the ‘/RL HIGHEST’ parameter.”
  • [T1074.001] Local Data Staging – The software is installed in the Public directory. “The software is installed in the Public directory”.
  • [T1571] Non-Standard Port – Connects to a remote server. “Interestingly, the software attempts to connect to a remote server, but no response is received”.
  • [T1590.005] IP Addresses – Queries a service to determine the external IP address. “queries a service to determine the external IP address”.
  • [T1082] System Information Discovery – Transmits version, machine username, and OS version. “transmits its version (XWorm V3.1), the machine’s username, the operating system version”.
  • [T1102] Bidirectional Communication – Communicates through Telegram. “Communicates through Telegram”.
  • [T1047] Windows Management Instrumentation – Virtualization detection using a WMI query. “Virtualization detection using the WMI query ‘Select * from Win32_ComputerSystem’”.
  • [T1027] Command Obfuscation – Obfuscates the executable. “all the program’s members were subjected to obfuscation”.
  • [T1027] Embedded Payloads – Stores information in a mutex. “Stores information in a mutex”.
  • [T1090] Proxy – Residential Proxy feature to hide the actual location. “‘Residential Proxy’ … hide your actual location and convinces the software that it’s running on a real user’s machine.”
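
As an added defender-side illustration (not code from ANY.RUN or the original analysis), the following Python maps constructed sandbox-style events onto the behaviours listed above: the Public-directory install, the scheduled task created with /RL HIGHEST, the Startup-folder shortcut, the Win32_ComputerSystem WMI query, Telegram C2, and the ngrok tunnel endpoint. The event format, the sample paths and hostnames, and the hit threshold are assumptions made for the example.

```python
import re

# Constructed sandbox-style events (not from the analysis), "<type> | <detail>" per line.
EVENTS = """\
proc | C:\\Users\\Public\\USB.exe
proc | schtasks.exe /create /f /RL HIGHEST /sc minute /tn USB /tr "C:\\Users\\Public\\USB.exe"
file | C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\USB.lnk
wmi  | Select * from Win32_ComputerSystem
dns  | api.telegram.org
dns  | 6.tcp.eu.ngrok.io
proc | C:\\Windows\\System32\\notepad.exe
"""

# (MITRE ID cited in the analysis, event type, regex, description)
RULES = [
    ("T1074.001", "proc", r"\\Users\\Public\\[^\\]+\.exe", "executable run from the Public directory"),
    ("T1053.005", "proc", r"\bschtasks\b.*\s/RL\s+HIGHEST\b", "scheduled task created with /RL HIGHEST"),
    ("T1547.001", "file", r"\\Startup\\[^\\]+\.lnk$", "shortcut dropped in the Startup folder"),
    ("T1047", "wmi", r"\bfrom\s+Win32_ComputerSystem\b", "VM check via Win32_ComputerSystem WMI query"),
    ("T1102", "dns", r"^api\.telegram\.org$", "Telegram Bot API resolved (C2 channel)"),
    ("T1571", "dns", r"\.tcp\.[a-z]+\.ngrok\.io$", "ngrok TCP tunnel endpoint resolved"),
]
COMPILED = [(tid, kind, re.compile(rx, re.I), desc) for tid, kind, rx, desc in RULES]

def parse_events(text):
    """Split 'type | detail' lines into (type, detail) pairs; skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        if "|" in line:
            kind, detail = line.split("|", 1)
            pairs.append((kind.strip().lower(), detail.strip()))
    return pairs

def scan(text):
    """Return (technique, description, event) for every rule/event match, in event order."""
    hits = []
    for kind, detail in parse_events(text):
        for tid, rule_kind, pattern, desc in COMPILED:
            if kind == rule_kind and pattern.search(detail):
                hits.append((tid, desc, detail))
    return hits

def triage(text, threshold=3):
    """Distinct techniques seen; a host is flagged once enough of the chain is present."""
    seen = sorted({tid for tid, _, _ in scan(text)})
    return seen, len(seen) >= threshold
```

Scoring on distinct techniques rather than single hits keeps one benign Public-folder executable from tripping the alert on its own.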

Indicators of Compromise


Read more: https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/