The AhnLab Security Intelligence Center (ASEC) has raised fresh concerns over the reemergence of XwormRAT, a notorious Remote Access Trojan, now being delivered through highly obfuscated phishing emails utilizing steganography, a technique of hiding malicious code within seemingly benign image files.
"Recently, XwormRAT has been confirmed to be distributed using steganography," ASEC stated in its latest update.
The attack begins with VBScript or JavaScript attached to phishing emails. These scripts embed PowerShell code that initiates the final stage: the download and execution of the actual malware.
"The script (VBScript or JavaScript) executed for the first time adds an embedded PowerShell script to call and download the final malware," the report explains.

The PowerShell payload contains Base64-encoded data interspersed with dummy characters to confuse static scanners. It cleans and decodes itself at runtime using the Replace() function. The findings are part of ASEC's ongoing Phishing Email Trend Report.
The final payload is disguised within a JPG image file, a new and evolving technique. While the image appears innocent to the user, it harbors a .NET-based loader that extracts and launches the embedded XwormRAT.
"The downloaded JPG image file… displays the screen shown… Users may simply think that the image has been opened. However, the .NET loader is secretly extracted and executed from this image file," the ASEC team warns.
ASEC's analysis revealed two variants of this steganographic approach:
- Old variant: Extracts Base64 strings between <<BASE64_START>> and <<BASE64_END>> at the end of a JPG.
- New variant: Searches for bitmap headers (0x42, 0x4D, 0x46, 0xC0…) and extracts RGB values directly from pixel data to reconstruct the payload.
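As an added triage example (not ASEC's code or the actual loader), the script below checks a suspect JPG for data appended after the JPEG End-Of-Image marker and for the `<<BASE64_START>>`/`<<BASE64_END>>` markers of the older variant, decoding what sits between them and flagging a PE (MZ) header. The sample image is constructed inline; the newer pixel-based variant is not modelled because the page does not give its exact encoding.

```python
import base64
import re
from typing import Optional

# Markers ASEC reports for the older XwormRAT variant.
START = b"<<BASE64_START>>"
END = b"<<BASE64_END>>"
JPEG_EOI = b"\xff\xd9"  # End-Of-Image: a well-formed JPEG ends here


def trailing_data(jpg: bytes) -> bytes:
    """Return any bytes appended after the last EOI marker (a triage signal)."""
    idx = jpg.rfind(JPEG_EOI)
    return b"" if idx == -1 else jpg[idx + 2:]


def extract_marked_payload(jpg: bytes) -> Optional[bytes]:
    """Old variant: decode the Base64 between the START and END markers."""
    s = jpg.find(START)
    e = jpg.find(END, s + len(START)) if s != -1 else -1
    if s == -1 or e == -1:
        return None
    blob = re.sub(rb"\s+", b"", jpg[s + len(START):e])  # drop line breaks
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None


def triage(jpg: bytes) -> dict:
    """Summarise indicators an analyst would want from a suspect image."""
    tail = trailing_data(jpg)
    payload = extract_marked_payload(jpg)
    return {
        "trailing_bytes": len(tail),
        "has_markers": payload is not None,
        # The embedded .NET loader is a PE file, so expect an MZ header.
        "payload_is_pe": payload is not None and payload[:2] == b"MZ",
        "payload_size": len(payload) if payload else 0,
    }


# Constructed sample: minimal JPEG skeleton plus a fake MZ stub between the markers.
FAKE_LOADER = b"MZ" + b"\x00" * 62 + b"constructed-sample"
SAMPLE_JPG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 20 + JPEG_EOI
              + START + base64.b64encode(FAKE_LOADER) + END)

if __name__ == "__main__":
    print(triage(SAMPLE_JPG))
```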
Once executed, the malware configuration launches XwormRAT, which grants the attacker full remote access to the victim system. XwormRAT is known for:
- Keylogging
- File exfiltration
- Command execution
- System surveillance
"The steganography technique… can be used to distribute various malware, not just XwormRAT," ASEC cautioned. "A modified version of the technique has been continuously distributed recently."