The XWorm malware family uses layered obfuscation and scripting languages (VBScript, Batch, and PowerShell) to deliver a sophisticated Remote Access Trojan (RAT). It relies on multi-stage payload delivery and evasion tactics to avoid detection.
Affected: XWorm malware; organizations running Windows operating systems
Key points:
- XWorm uses VBScript, Batch, and PowerShell scripts in a modular, heavily obfuscated chain.
- Payload delivery is multi-stage, moving from a VBS to a BAT to a PS1 script.
- The VBScript writes a batch file (WordDoc.bat) that invokes PowerShell scripts to load the malicious payload.
- The malware can disable AMSI scanning to avoid detection.
- PowerShell is used to manipulate memory, disable event logging, and execute malicious code without dropping files to disk.
- The payload runs in memory and uses Base64 encoding and AES encryption to evade detection.
- Obfuscated strings and randomized variable names are used throughout the scripts to hinder analysis.
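As an added example (not code from the original post), a defender-side detection check in Python over constructed process-creation events: it reconstructs each process's parent chain and flags a PowerShell process that was launched from a batch file under a VBScript host with an encoded command, which is the VBS -> BAT -> PowerShell staging the key points describe. The event tuples, paths and the Base64 string are constructed sample data, not indicators from the post.

```python
import re
from ntpath import basename  # handles Windows paths on any platform

# Constructed process-creation events (Sysmon Event ID 1 style); not from the original post.
# Fields: pid, parent pid, image path, command line.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (204, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\Invoice.vbs"'),
    (310, 204, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\WordDoc.bat"'),
    (412, 310, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="),
    (520, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),            # benign shell
    (611, 520, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Date"),                                             # benign PowerShell
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# -e / -ec / -en / -enc / -encodedcommand followed by a Base64-looking blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")

def ancestry(events, pid):
    """Return image basenames from the root ancestor down to pid (lower-cased)."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # stop at unknown parent or pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid][2]).lower())
        pid = by_pid[pid][1]
    return list(reversed(chain))

def flag_script_chains(events):
    """Return pids of powershell.exe processes whose lineage matches the VBS -> BAT -> PS staging."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmdline in events:
        if basename(image).lower() != "powershell.exe":
            continue
        parent = by_pid.get(ppid)
        batch_parent = (parent is not None and basename(parent[2]).lower() == "cmd.exe"
                        and ".bat" in parent[3].lower())
        script_host_in_chain = any(p in SCRIPT_HOSTS for p in ancestry(events, pid))
        if script_host_in_chain and batch_parent and ENCODED_FLAG.search(cmdline):
            hits.append(pid)
    return hits

if __name__ == "__main__":
    for pid in flag_script_chains(EVENTS):
        print(pid, " -> ".join(ancestry(EVENTS, pid)))   # 412 explorer.exe -> wscript.exe -> cmd.exe -> powershell.exe
```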
MITRE Techniques:
- Command and Scripting Interpreter (T1059) – Uses VBScript, Batch, and PowerShell for executing obfuscated scripts and commands.
- Obfuscated Files or Information (T1027) – Employs dynamic variable names and obfuscation to avoid detection.
- Credential Dumping (T1003) – Uses advanced memory manipulation to disable Windows event logging and conduct malicious activities undetected.
- Execution Guardrails (T1203) – Loads malicious payloads using Base64 and AES encoding to evade detection mechanisms.
Indicators of Compromise:
- [MD5] a2907290e94d10d566afaad71f0a77d2
- [SHA256] ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
- [IP Address] 45.138.16.211
- [MD5] da09177d362d929941b12939635446c3
- [SHA256] c2b502c8dfa3d6ae57b9414fb537b63aea0de2f0f974225dd8280b2bfe8a8353
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/xworm-unmasked-weaponizing-script.html