XWorm v5.6 is being distributed via Korean webhards, masquerading as an adult game launcher, with a loader (SoundP2.muc) that installs and launches the malware. It uses a Run registry entry for persistence and injects into MsBuild.exe after downloading from C2, enabling keylogging, webcam data exfiltration, and additional payloads. #XWorm #Webhards
Keypoints
- XWorm v5.6 is distributed via webhards and can be obtained from platforms like GitHub.
- The malware is disguised as an adult game and uses a loader (SoundP2.muc) to execute the payload.
- Start.exe is the visible game launcher, but the actual malware is loaded after clicking the “Game Play!” button to bypass sandboxing.
- SoundP2.muc copies to the Windows folder and adds a Run registry entry for automatic execution (NisSrv.exe).
- The loader downloads the encrypted XWorm v5.6 and the loader from a C2 and injects XWorm into MsBuild.exe for execution.
- XWorm v5.6 performs monitoring, keylogging, exfiltration of webcam data, and downloads additional malware.
MITRE Techniques
- [T1036] Masquerading – Attackers disguise the executable as a legitimate game launcher file and run a separate loader. Quote: “Although resembling a legitimate game launcher file, the .exe file that executes the game is generated and run separately”.
- [T1204] User Execution – The malware is executed when the user presses the “Game Play!” button, implying user-driven execution to bypass sandbox. Quote: “they are executed when you press the ‘Game Play!’ button. This tactic seems to be employed to bypass the sandbox mode.”.
- [T1547.001] Registry Run Keys/Startup Folder – SoundP2.muc is copied to the Windows folder and added to the Run key for automatic execution. Quote: “Added to Registry – Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – Value: Google – Value Data: C:\Windows\NisSrv.exe” and “SoundP2.muc is also copied and pasted to the Windows folder and added to the registry for automatic execution.”
- [T1055] Process Injection – The downloaded loader injects XWorm v5.6 into MsBuild.exe for execution. Quote: “the downloaded loader injects XWorm v5.6 into MsBuild.exe for execution.”.
- [T1105] Ingress Tool Transfer – SoundP2.muc downloads the encrypted XWorm v5.6 and loader from the C2. Quote: “SoundP2.muc downloads the encrypted XWorm v5.6 and loader from the C2.”.
- [T1071.001] Web Protocols – C2 communication over web protocols to fetch payloads and control. Quote: “C2s”, with the listed loader/XWorm endpoints such as hxxps://groundbreakingsstyle.com/…/nacati[.]res (Loader), hxxps://groundbreakingsstyle.com/…/a95c346e-bd42-406b-a6a4-ed808e98bf67[.]res (XWorm v5.6) and hxxps://diditaxi.kro[.]kr:1050.
- [T1056.001] Keylogging – XWorm v5.6 performs keylogging as part of its behavior. Quote: “carrying out behaviors such as monitoring, keylogging, exfiltrating webcam data, and downloading additional malware.”.
- [T1125] Video Capture – Exfiltration of webcam data is performed by XWorm v5.6. Quote: “exfiltrating webcam data”.
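A defender-side check for the two behaviours described under T1547.001 and T1055 (a Run value launching an executable dropped directly into the Windows root, and MsBuild.exe spawned by a parent outside normal build tooling), as an added example that is not part of the ASEC report. The Sysmon-style event records, the MSBuild parent allowlist and the field names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.IGNORECASE)
# Assumed allowlist of parents that normally launch MSBuild.exe; tune it per environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe", "powershell.exe"}

# Constructed Sysmon-style records (13 = registry value set, 1 = process create), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google",
     "details": r"C:\Windows\NisSrv.exe"},
    {"id": 13, "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\NisSrv.exe"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
]

def exe_from_value_data(data):
    """Strip surrounding quotes and arguments from Run value data, leaving the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def check_run_value(event):
    """Flag a Run/RunOnce value whose target sits directly in the Windows root, as NisSrv.exe does here."""
    match = RUN_VALUE_RE.search(event["target"])
    if not match:
        return None
    exe = PureWindowsPath(exe_from_value_data(event["details"]))
    if str(exe.parent).lower() != r"c:\windows":
        return None
    return f"Run value '{match.group(1)}' launches {exe} from the Windows root directory"

def check_msbuild_parent(event):
    """Flag MSBuild.exe started by a parent outside the expected build tooling."""
    if PureWindowsPath(event["image"]).name.lower() != "msbuild.exe":
        return None
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    return None if parent in EXPECTED_MSBUILD_PARENTS else f"MSBuild.exe spawned by unexpected parent {parent}"

def scan(events):
    # Dispatch each event to the check for its ID and collect the alert reasons.
    checks = {13: check_run_value, 1: check_msbuild_parent}
    return [r for e in events if (r := checks.get(e["id"], lambda _: None)(e))]
```

Running `scan(SAMPLE_EVENTS)` yields one alert per malicious sample and none for the OneDrive and devenv.exe records.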
Indicators of Compromise
- [File Name] – Start.exe, NisSrv.exe, SoundP2.muc
- [File Hash] – Start.exe: b8b6d0053cc3c7d9d58a19874b7807b1, SoundP2.muc: 2b7ba71d66acfabbc67099ea3b45560a
- [URL] – C2/Loader endpoints: hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/nacati[.]res, hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67[.]res, hxxps://diditaxi.kro[.]kr:1050
- [Domain] – groundbreakingsstyle.com, diditaxi.kro[.]kr
Read more: https://asec.ahnlab.com/en/66099/