XWorm v5.6 Malware Spreading through Webhards

While monitoring the distribution sources of malware in Korea, AhnLab SEcurity intelligence Center (ASEC) recently found that the XWorm v5.6 malware disguised as adult games is being distributed via webhards. Webhards and torrents are platforms commonly used for the distribution of malware in Korea.

1. Overview

Attackers commonly take easily obtainable malware strains such as njRAT and UDP RAT and disguise them as legitimate programs, including games or adult content, for distribution. Similar cases have been covered multiple times in previous ASEC Blog posts.

XWorm v5.6 can also be easily obtained from platforms such as GitHub.

Figure 1. The website for downloading XWorm v5.6

2. Malware Analysis

Figure 2. Diagram
Figure 3. The malware disguised as an adult game being distributed via webhards

Downloading and decompressing the game file yields Start.exe. Although it resembles a legitimate game launcher, Start.exe generates and runs the actual game executable separately, and it also executes the malware that serves as a loader, disguised as the file SoundP2.muc.

Figure 4. The malware disguised as a legitimate game execution file

Executing Start.exe does not immediately run the malware or the game; both are executed only when the user presses the “Game Play!” button. This tactic appears to be employed to evade sandbox analysis. SoundP2.muc is also copied to the Windows folder and registered in the Run key for automatic execution.

SoundP2.muc Copied Path
– Folder Name: C:\Windows
– Copied File Name: NisSrv.exe

Added to Registry
– Path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
– Value: Google
– Value Data: C:\Windows\NisSrv.exe

Figure 5. Start.exe execution screen
Figure 6. SoundP2.muc copied
Figure 7. Added to registry
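The persistence above has two traits a defender can check for on an endpoint: a Run value whose image sits directly in the root of C:\Windows rather than a subfolder (Microsoft's own NisSrv.exe, the Network Realtime Inspection Service, is installed under the Windows Defender directories), and a value name ("Google") that has nothing to do with the image it launches. The script below is an added example, not code from the ASEC post; it parses the text output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and scores each autorun on those two traits. The sample output is constructed, with one entry reproducing the value described in the post and two made-up benign entries for contrast.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
# output. The "Google" entry reproduces the persistence described in the post
# (value "Google" pointing at C:\Windows\NisSrv.exe); the other two entries are
# made-up benign autoruns for contrast.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Google    REG_SZ    C:\Windows\NisSrv.exe
    Discord    REG_SZ    C:\Users\user\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# reg query prints one value per line as "<name>    <type>    <data>", the
# columns separated by runs of spaces; value names may themselves contain spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

WINDOWS_ROOT = r"c:\windows"


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Return the (name, type, data) triples found in reg query output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def executable_path(data: str) -> str:
    """Extract the image path from a Run value's command line."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: Windows resolves the image as the text before the first space.
    return data.split(" ", 1)[0]


def audit_run_key(text: str) -> List[Dict[str, object]]:
    """Flag Run values showing the traits of the SoundP2.muc persistence."""
    findings = []
    for entry in parse_reg_query(text):
        path = executable_path(entry["data"])
        reasons = []
        # Trait 1: image dropped directly into the root of C:\Windows
        # (legitimate components live in subfolders such as System32).
        if ntpath.dirname(path).lower().rstrip("\\") == WINDOWS_ROOT:
            reasons.append("exe_in_windows_root")
        # Trait 2: value name unrelated to the image name ("Google" -> NisSrv.exe).
        # Alone this is a weak signal (updaters often do it), so it only
        # raises severity when combined with trait 1.
        stem = ntpath.splitext(ntpath.basename(path))[0].lower()
        name = entry["name"].lower()
        if stem not in name and name not in stem:
            reasons.append("name_mismatch")
        if reasons:
            findings.append({
                "name": entry["name"],
                "path": path,
                "reasons": reasons,
                "severity": "high" if "exe_in_windows_root" in reasons else "low",
            })
    return findings


if __name__ == "__main__":
    for f in audit_run_key(SAMPLE_REG_QUERY):
        print(f["severity"], f["name"], f["path"], ", ".join(f["reasons"]))
```

On a live host, pipe the real `reg query` output into `audit_run_key`; the same two checks apply to the HKLM Run key and the RunOnce keys. The name-mismatch check is deliberately rated low on its own so that legitimate updaters (the constructed Discord entry above) do not drown out the high-severity case.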

SoundP2.muc downloads the encrypted XWorm v5.6 payload and a loader from the C2 server; the downloaded loader then injects XWorm v5.6 into MsBuild.exe and executes it there. XWorm v5.6 carries out behaviors such as monitoring, keylogging, exfiltrating webcam data, and downloading additional malware.

SoundP2.muc C2s

  • hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/nacati[.]res (Loader)
  • hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67[.]res (XWorm v5.6)

XWorm v5.6 C2

  • hxxps://diditaxi.kro[.]kr:1050

Figure 8. SoundP2.muc Main
Figure 9. Settings of XWorm v5.6

As this case shows, malware strains are being actively distributed via file-sharing websites such as Korean webhards, so caution is advised when running executables downloaded from such sites. Users are recommended to download programs from the official websites of their developers.

[File Detection]
Trojan/Win.Generic.C5621458 (2024.05.13.03)
Trojan/Win.Loader.C5622810 (2024.05.18.00)

[Behavior Detection]
Fileless/MDP.Inject.M4852 (2024.05.21.03)

[IOCs]
– Start.exe: b8b6d0053cc3c7d9d58a19874b7807b1
– SoundP2.muc: 2b7ba71d66acfabbc67099ea3b45560a

C&C Servers
– hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/nacati[.]res
– hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67[.]res
– hxxps://diditaxi.kro[.]kr:1050
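The indicators above are published defanged (hxxps, [.]), so they have to be normalized before they can be compared with telemetry. The script below is an added example, not code from the ASEC post: it refangs the C2 URLs into hostnames, matches EDR-style events against the listed hashes and C2 hosts, and additionally flags any outbound connection made by MsBuild.exe, since the post reports that the loader injects XWorm v5.6 into that process. The JSON events are constructed for the example and are not real telemetry; the event field names (type, image, md5, dst_host, dst_port) are assumptions about the log format.

```python
import json
import ntpath
from typing import Dict, List, Set
from urllib.parse import urlsplit

# C2 URLs and file hashes exactly as the post lists them (defanged form).
DEFANGED_C2 = [
    "hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/nacati[.]res",
    "hxxps://groundbreakingsstyle.com/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67[.]res",
    "hxxps://diditaxi.kro[.]kr:1050",
]
FILE_MD5 = {
    "b8b6d0053cc3c7d9d58a19874b7807b1": "Start.exe",
    "2b7ba71d66acfabbc67099ea3b45560a": "SoundP2.muc",
}

# Constructed EDR-style events (JSON lines) for this example; the field names
# are assumed, not taken from any particular product.
SAMPLE_EVENTS = r"""
{"type": "file_create", "image": "C:\\Windows\\NisSrv.exe", "md5": "2b7ba71d66acfabbc67099ea3b45560a"}
{"type": "net_connect", "image": "C:\\Windows\\NisSrv.exe", "dst_host": "groundbreakingsstyle.com", "dst_port": 443}
{"type": "net_connect", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "dst_host": "diditaxi.kro.kr", "dst_port": 1050}
{"type": "net_connect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_host": "www.example.org", "dst_port": 443}
"""


def refang(ioc: str) -> str:
    """Convert a defanged indicator (hxxps://, [.], [:]) back to a parseable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def c2_hostnames(iocs: List[str]) -> Set[str]:
    """Lower-cased hostnames of the C2 URLs; ports are dropped so matching is on host."""
    return {urlsplit(refang(i)).hostname for i in iocs}


def match_events(event_lines: str, c2: List[str] = DEFANGED_C2,
                 hashes: Dict[str, str] = FILE_MD5) -> List[Dict[str, object]]:
    """Return one alert per event that hits a hash, a C2 host, or the MsBuild rule."""
    hosts = c2_hostnames(c2)
    alerts = []
    for line in event_lines.strip().splitlines():
        ev = json.loads(line)
        reasons = []
        md5 = ev.get("md5", "").lower()
        if md5 in hashes:
            reasons.append(f"known_hash:{hashes[md5]}")
        host = ev.get("dst_host", "").lower()
        if host in hosts:
            reasons.append(f"c2_host:{host}")
        # The loader injects XWorm into MsBuild.exe, so an outbound connection
        # from MSBuild deserves review even before the destination is on a list.
        if ev.get("type") == "net_connect" and ntpath.basename(ev["image"]).lower() == "msbuild.exe":
            reasons.append("msbuild_outbound")
        if reasons:
            alerts.append({"image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in match_events(SAMPLE_EVENTS):
        print(alert["image"], "->", ", ".join(alert["reasons"]))
```

The MsBuild rule is a heuristic layered on top of the exact indicators: a build server will trigger it legitimately, so it is emitted as a reason to review rather than a standalone verdict, while a hash or C2 host hit is a direct match against the post's IOCs.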

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post XWorm v5.6 Malware Being Distributed via Webhards appeared first on ASEC BLOG.