XWorm, a name increasingly familiar in threat intelligence circles, has once again proven its status as a top-tier remote access trojan (RAT)—and a serious threat to enterprise security. In their latest deep dive, the Splunk Threat Research Team (STRT) unpacks how XWorm is used not only as a foothold for cybercriminals but also as a delivery vehicle for ransomware campaigns, including those linked to the notorious LockBit group.
“XWorm doesn’t rely on just one method to get in; it constantly changes its delivery tactics, making it tricky to detect and stop,” Splunk researchers explained.
Originally known for classic RAT functions like keylogging, remote desktop access, and data exfiltration, XWorm has evolved into a modular malware powerhouse. It’s now frequently paired with AsyncRAT and leveraged in initial-stage infections that ultimately deliver LockBit Black ransomware, using code linked to the leaked builder.
“Known for its robust feature set… XWorm continues to attract threat actors due to its ease of use, modularity, and frequent updates,” Splunk noted.
One of the most dangerous traits of XWorm is its delivery flexibility. It uses a dizzying variety of stagers and loaders, including .vbs, .bat, .ps1, .hta, .lnk, .iso, .vhd, .img, JavaScript, Office macros, and .NET executables.
This multi-format delivery strategy helps evade detection and sandbox analysis. In fact, STRT analyzed over 1,000 XWorm samples and found phishing lures with filenames like “Invoice_2024.pdf.zip” and “Shipping_Document.hta”, crafted to exploit urgency and trust.
“These naming tactics are meant to entice unsuspecting users into opening the files, unknowingly triggering the infection chain,” Splunk wrote.
Once executed, the malware uses multiple layers of obfuscation and encryption, together with the following techniques, to bypass endpoint detection systems:
- AMSI Bypass: Patches the AmsiScanBuffer() function in memory so that script content is never handed to the antivirus engine for scanning.
- ETW Tampering: Modifies the EtwEventWrite() function to suppress Windows event logging.
- Process Injection: Injects shellcode into trusted processes such as svchost or explorer.
- DLL Side-Loading: Attempts to hijack execution flow via a fake version.dll.
Even if these fail, XWorm ensures it lives on through Registry Run Keys, Scheduled Tasks, and Startup Folder shortcuts.
Once XWorm gains a foothold, it doesn’t just sit idle. Its post-exploitation behavior includes:
- Security Software Discovery (T1518.001) via WMI to detect installed AV tools.
- GPU and Device Discovery to fingerprint systems, including webcam access.
- Defender Exclusion Abuse to avoid Microsoft Defender scans.
“XWorm modifies the ExclusionPath and ExclusionProcess registry entries to exclude its own directory and process,” STRT revealed.
Using HTTP POST requests with custom User-Agent strings, XWorm communicates with its C2 server to receive instructions. These may include:
- File downloads
- System shutdowns or reboots
- URL launches
- DDoS attack initiation
This makes XWorm a fully interactive backdoor, giving operators hands-on access to infected environments.
The malware even has worm-like capabilities, spreading through removable drives by creating malicious shortcuts and hiding the real payload. It can establish long-term access using both registry and scheduled task persistence methods.
To defend against this adaptive threat, Splunk shared several detection analytics:
- PowerShell Execution Policy Bypass
- DLL Side-Loading Indicators
- Suspicious Process Spawned by wscript/cscript
- Startup Folder Persistence
- Renamed PowerShell Executables
These detections are designed to “spot signs of XWorm activity in your environment and strengthen your defenses against this threat.”
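As an added illustration (not Splunk's analytics or any code from the article), the triage below applies three of the behaviours described above to Sysmon-style process-creation and registry events: a script host spawning a shell, a renamed PowerShell binary, and a write under the Defender exclusions key. The event layout and the sample events are constructed for this example.

```python
# Added example (not Splunk's or the article's code): triage Sysmon-style
# events for three XWorm behaviours the article describes. The Event shape
# and the sample events below are constructed for illustration.
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Defender keeps its exclusion lists (Paths, Processes, ...) under this key.
EXCLUSION_KEY = "\\microsoft\\windows defender\\exclusions\\"


@dataclass
class Event:
    event_id: int                  # Sysmon: 1 = ProcessCreate, 13 = registry value set
    image: str = ""                # full path of the created process
    original_file_name: str = ""   # PE OriginalFileName from the version resource
    parent_image: str = ""
    target_object: str = ""        # registry path (event 13 only)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: Event) -> list[str]:
    """Return the names of the detections an event triggers (empty if none)."""
    hits = []
    if ev.event_id == 1:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if parent in SCRIPT_HOSTS and img in SHELLS:
            hits.append("script host spawned shell")
        # A copied or renamed powershell.exe keeps its OriginalFileName metadata.
        if ev.original_file_name.lower() == "powershell.exe" and img != "powershell.exe":
            hits.append("renamed PowerShell")
    elif ev.event_id == 13 and EXCLUSION_KEY in ev.target_object.lower():
        hits.append("Defender exclusion modified")
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "PowerShell.EXE", r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Users\Public\updater.exe", "PowerShell.EXE",
          r"C:\Windows\System32\mshta.exe"),
    Event(13, target_object=r"HKLM\SOFTWARE\Microsoft\Windows Defender"
                            r"\Exclusions\Paths\C:\Users\Public"),
    Event(1, r"C:\Windows\explorer.exe", "EXPLORER.EXE",
          r"C:\Windows\System32\userinit.exe"),  # benign
]


def run_demo() -> list[list[str]]:
    return [triage(ev) for ev in SAMPLE_EVENTS]
```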