Efficient Distribution of Xworm Malware via URL File Detected by AhnLab EDR

  • Short Summary: The article discusses a phishing scam that impersonates PayPal to distribute malware. The malware, named Xworm, is delivered through a URL file that accesses a network shared folder to download an executable file. The article highlights the detection of the malware’s activities using AhnLab’s EDR system, which tracks the infiltration path and malicious behaviors of the malware.
  • Key Points:
    • Phishing emails often disguise malware as legitimate attachments.
    • A recent phishing scam impersonated PayPal to trick users into executing malware.
    • The malware is delivered via a URL file that accesses a network shared folder.
    • Xworm malware performs process hollowing and self-replication.
    • Malware registers itself for automatic execution on the infected system.
    • Xworm can communicate with C&C servers and execute various malicious functions.
    • AhnLab’s EDR system helps in detecting and analyzing malware distribution and behavior.

MITRE ATT&CK TTPs – created by AI

  • Process Hollowing (T1093)
    • Malware performs process hollowing targeting “RegAsm.exe”.
  • Network Share Discovery (T1135)
    • Malware accesses a network shared folder to download additional files.
  • Command and Control (T1071)
    • Xworm communicates with C&C servers for command execution.
  • Persistence (T1547)
    • Xworm registers itself for automatic execution upon system startup.

Phishing, which is a common method used in the malware distribution phase, has been employed for a long time. Phishing emails typically include attachments disguised as invoices, estimates, tax bills, or summonses to trick recipients into running malware. A recent case confirmed by AhnLab SEcurity intelligence Center (ASEC) involves a phishing scam pretending to be PayPal, tricking recipients into executing a file disguised as an invoice.

Figure 1. A phishing mail impersonating PayPal

The downloaded compressed file contains a file named Payment_Information_842.url. The .url extension denotes an Internet shortcut file, which can point to a website or to a shared folder and can therefore be used to download additional files.

Figure 2. The downloaded compressed file

The distributed .url file uses the file scheme to access a network shared folder and subsequently download the file “Payment_Information.zip”.
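As an added example (not code from the original post or from AhnLab), the following Python triage routine parses a .url file and flags a URL= target that uses the file scheme or a bare UNC path to a host other than the local machine, the delivery pattern described above. The sample shortcut contents and the 192.0.2.10 address are constructed for the example.

```python
"""Triage .url shortcuts for network-share delivery, as in the case above.
The [InternetShortcut] section's URL= target is classified; a file scheme or
bare UNC path naming a non-local host means opening the shortcut fetches from
a network share. Sample contents and 192.0.2.10 are constructed."""
from urllib.parse import urlsplit

LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def parse_url_file(text: str) -> dict:
    """Tolerant INI parser: keys lower-cased, later duplicates win,
    sections other than [InternetShortcut] ignored."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields

def classify_target(url: str) -> dict:
    """Return scheme, host and whether the target is a remote network share."""
    url = url.strip()
    if url.startswith("\\\\"):                   # bare UNC: \\host\share\file
        host = url[2:].split("\\", 1)[0]
        return {"scheme": "unc", "host": host, "remote_share": host not in LOCAL_HOSTS}
    parts = urlsplit(url)
    scheme, host, path = parts.scheme.lower(), parts.netloc, parts.path
    if scheme == "file" and not host and path.startswith("//"):
        host = path[2:].split("/", 1)[0]          # file:////host/share/file form
    return {"scheme": scheme, "host": host,
            "remote_share": scheme == "file" and host not in LOCAL_HOSTS}

def triage(text: str) -> dict:
    """Parse a .url file and classify its URL= target."""
    target = parse_url_file(text).get("url", "")
    verdict = classify_target(target)
    verdict["url"] = target
    return verdict

# Constructed sample mirroring the Payment_Information_842.url behaviour.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=file://192.0.2.10/share/Payment_Information.zip
IconIndex=0
"""
```

A local file:///C:/... target or an http(s) URL is reported with remote_share False, so only share-based downloads are raised.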

Figure 3. Inside the URL file
(The IP address of the accessed URL in Figure 3 is AhnLab’s analysis system environment that is configured similarly to the threat actor’s server.) 

In AhnLab’s EDR, actions carried out during the malware distribution phase are recorded, allowing for the malware’s infiltration path to be identified. The figure below shows the detection of malware being downloaded through a network shared folder. Similarly, by examining the logs recorded in EDR, it is possible to detect access to network shared folders on unknown hosts, thereby identifying the infiltration path.

Figure 4. Network shared folder connection as shown via the EDR detection diagram
(The IP address of the accessed URL in Figure 4 is AhnLab’s analysis system environment that is configured similarly to the threat actor’s server.) 

Inside the zip file downloaded from the network shared folder, there is an executable file named “PayPal_Product.exe”. When the extracted file is executed, it performs process hollowing targeting “RegAsm.exe”.

Figure 5. Process hollowing as shown via the EDR detection diagram

The malware injected into the “RegAsm.exe” process is known as Xworm. It performs self-replication and registers itself for automatic execution. It copies itself to the path C:\Users\Public\microsoft_version_0124.exe and registers this path in the registry to ensure it is executed automatically.
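An added defender-side check (not code from the original post or from AhnLab) that scores autorun entries for the pattern just described: an image path in a user-writable directory such as C:\Users\Public, optionally with a vendor-like file name outside the system directories. The directory list, the name heuristic and the sample entries are assumptions constructed for the example; only the first sample path mirrors the one reported in the post.

```python
r"""Triage autorun (Run key) entries for the persistence pattern described
above: an image copied to a user-writable directory such as C:\Users\Public
and registered for automatic execution. The directory list, the vendor-like
name heuristic and the sample entries are assumptions for this example."""
import ntpath

# Locations a standard user can write to; an autorun image here is a tell.
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\")
USER_PROFILE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\")
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def extract_image_path(command: str) -> str:
    """Pull the executable out of a Run value, which may be quoted and carry
    arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    idx = command.lower().find(".exe")      # unquoted: image ends at .exe
    return command[: idx + 4] if idx != -1 else command.split(" ", 1)[0]

def assess_autorun(name: str, command: str) -> dict:
    """Score one autorun entry; reasons is empty for a benign-looking entry."""
    image = extract_image_path(command)
    low = image.lower()
    reasons = []
    if low.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("image in a user-writable directory")
    if low.startswith("c:\\users\\") and any(m in low for m in USER_PROFILE_MARKERS):
        reasons.append("image under a profile AppData/Temp/Downloads path")
    base = ntpath.basename(low)
    if base.startswith(("microsoft", "windows", "update")) and not low.startswith(SYSTEM_PREFIXES):
        reasons.append("vendor-like file name outside system directories")
    return {"name": name, "image": image, "suspicious": bool(reasons), "reasons": reasons}

# Constructed entries: the first mirrors the path reported in the post.
SAMPLE_ENTRIES = [
    ("microsoft_version_0124", r"C:\Users\Public\microsoft_version_0124.exe"),
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", r'"C:\Users\alice\AppData\Roaming\Updater\update_svc.exe" -q'),
]

def suspicious_entries(entries=SAMPLE_ENTRIES) -> list:
    """Return the names of entries that trip at least one heuristic."""
    return [r["name"] for r in (assess_autorun(n, c) for n, c in entries) if r["suspicious"]]
```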

Figure 6. Malware replication and autorun registration path

The following figure shows how self-replication and autorun registration are detected by EDR.

Figure 7. Self-replication and autorun registration as shown via the EDR detection diagram 

Examining the internal malware code of Xworm reveals that it is capable of communicating with C&C servers and executing various functions based on received commands. These functions include file download, forced PC shutdown, command execution, DDoS attack, keylogging, and screen capturing. The decryption process also reveals Xworm’s information, as well as the addresses and port information of the connecting hosts.

Figure 8. Analysis of the malware’s features

Figure 9. Xworm information

Details regarding C2 communication can also be checked through AhnLab EDR. The figure below is a detection screen from EDR showing the Xworm-injected RegAsm.exe file making network connections to the threat actor’s sites at hxxp://continentalgames[.]top and hxxps://newsferinfo[.]com.

Figure 10. C&C server communications as detected by EDR 

Through AhnLab EDR, not only can the malicious behaviors of malware be identified, but the process of malware distribution can also be understood. The malware discussed in this post is distributed via network shared folders, and the EDR logs reveal the distribution process. Based on this, administrators can identify the cause of infection and the infiltration paths. Even after systems have been exposed to attacks, data can still be gathered from the targeted systems and used as evidence in the investigation.

Behavior Detection
Injection/EDR.Hollowing.M11934
Connection/EDR.T1048.003.M11903

File Detection
Trojan/Win.Injection.C5650961 (2024.07.02.00)
Downloader/URL.Generic (2024.07.02.00)

MD5
36121a06f7d94bd1c18f5ff4618d5f29
bfe4e6c774018b6e85d33fd381427d2f

URL
http[:]//continentalgames[.]top/
https[:]//newsferinfo[.]com/

IP
62[.]173[.]141[.]99

Source : https://asec.ahnlab.com/en/82016/