XWorm Unveils Stealthier Techniques in Latest Malware Evolution

Figure: XWorm execution flow | Image: Netskope Threat Labs

In a recent report from Netskope Threat Labs, the ever-evolving malware XWorm has demonstrated new, stealthy techniques designed to elude detection and compromise systems more effectively. First identified in 2022, XWorm has become an attractive tool for threat actors due to its multifaceted nature, which enables attackers to carry out remote access, data exfiltration, and even the deployment of additional malware. The latest version uncovered by Netskope Threat Labs showcases XWorm’s enhanced evasive capabilities and new features that add to its already extensive arsenal.

The infection chain of XWorm remains complex yet highly effective, beginning with a Windows Script File (WSF) that likely reaches its targets through phishing. The WSF file initiates a multi-stage execution process, which eventually injects the XWorm payload into a legitimate system process, leaving minimal traces. Netskope Threat Labs’ research reveals that the WSF file, obscured by hex-encoded commands, downloads and executes a PowerShell script that initiates the infection.

The PowerShell script creates several scripts, including VsLabs.vbs and VsLabsData.ps1, designed to load the malicious XWorm DLL using a technique called reflective code loading. This allows the malware to inject itself into legitimate processes, such as RegSvcs.exe, a Microsoft-signed file, making the infection harder to detect.

One of the key highlights of the report is XWorm’s use of stealthy execution techniques. The latest version avoids storing payloads on disk, instead keeping them as hex strings embedded in the PowerShell script, making static detection considerably more difficult. These payloads are only loaded into memory, where the malicious DLL injects XWorm into the host system. This new reflective code loading method, paired with encrypted communication with command-and-control (C2) servers, allows attackers to maintain a foothold on compromised systems without triggering alarms.
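A static triage check for the hex-embedded payloads described above, as an added example that is not from the Netskope report or this article: it finds long hex runs in script text, decodes them, and reports the ones that parse as a PE image (DLL or EXE). The delimiter set, the 64-byte minimum run length, and the sample input are assumptions constructed for illustration.

```python
import re
import struct

# Assumption: the payload is a run of >= 64 hex byte pairs, optionally
# separated by a single delimiter character (space, comma, underscore, hyphen).
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}[ ,_-]?){64,}")
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag

def pe_kind(blob: bytes):
    """Return 'dll' or 'exe' if blob starts with a valid PE header, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    # Need the 4-byte signature plus the 20-byte COFF header.
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", blob, e_lfanew + 22)
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def find_embedded_pe(script_text: str):
    """Return (offset, decoded_size, kind) for each hex run that decodes to a PE."""
    hits = []
    for m in HEX_RUN.finditer(script_text):
        blob = bytes.fromhex(re.sub(r"[^0-9A-Fa-f]", "", m.group()))
        kind = pe_kind(blob)
        if kind:
            hits.append((m.start(), len(blob), kind))
    return hits

def sample_header(dll: bool) -> bytes:
    """Constructed 88-byte DOS + COFF header; harmless, not a runnable image."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, 0x2002 if dll else 0x0002)
    return dos + b"PE\0\0" + coff

# Constructed script text: delimited DLL header, contiguous EXE header, non-PE hex.
SAMPLE = "\n".join([
    "$a = '" + "_".join(f"{b:02X}" for b in sample_header(True)) + "'",
    "$b = '" + sample_header(False).hex() + "'",
    "$c = '" + "41" * 100 + "'",
])

if __name__ == "__main__":
    for offset, size, kind in find_embedded_pe(SAMPLE):
        print(f"offset {offset}: {size}-byte hex run decodes to a PE {kind}")
```

A hit only shows that a script carries an executable image as text; payloads that are additionally reversed, split across variables, or encrypted need a normalization step before this check.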

Among the most notable features in this new version of XWorm is the ability to remove stored plugins, which helps clean up evidence of the attack. In addition, the malware introduces a “Pong” command, which serves as a network diagnostic tool, providing attackers with real-time response times between the infected machine and the C2 server.

To maintain persistence on the infected system, XWorm leverages a scheduled task titled “MicrosoftVisualUpdater,” ensuring that its malicious scripts continue to run every 15 minutes. Furthermore, XWorm’s reliance on legitimate services such as Telegram for attacker notifications is another sign of its developers’ adaptability. Once an infection is complete, the malware sends a notification containing the victim’s public IP address to the attacker via Telegram, flying under the radar of many conventional detection tools.

The latest XWorm version retains many of its previous features while adding new capabilities that make it even more dangerous. The malware can execute distributed denial-of-service (DDoS) attacks, capture screenshots of the victim’s screen, and modify the system’s hosts file to manipulate hostname resolution. These features, combined with its ability to execute PowerShell commands, download and run files, and manipulate system processes, make XWorm a formidable threat in the modern cyber landscape.

For more information on XWorm’s latest techniques and to access the full list of IOCs, visit Netskope Threat Labs’ GitHub repository.
