XWorm is a commodity malware that is advertised for sale on underground forums and comes with a wide range of features that allows it to siphon sensitive information from infected hosts. In addition, XWorm is versatile as it can carry out DDoS (distributed denial of service) attacks, ransomware operations, clipper functions, spread via USB, and deploy additional malware. XWorm is capable of dropping several malicious payloads at various points on the system, adding or changing registry entries, and executing commands.
Upon execution, the malware sleeps for one second and then checks for mutexes, virtual machines, debuggers, emulators, sandbox environments, and Anyrun. If any of these checks trips, the malware terminates itself. Otherwise it creates an autorun entry in the registry so that it is launched again whenever the system restarts.
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. The activity cluster, identified as MEME#4CHAN, has been observed targeting manufacturing companies and healthcare clinics in Germany, according to the researchers.
The attack chain starts with phishing emails carrying counterfeit Microsoft Word documents that exploit the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) instead of relying on macros. The threat actors then use an obfuscated PowerShell script to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and finally launch the .NET binary containing XWorm.
From a command-and-control standpoint, the RAT (Remote Access Trojan) offers a large number of attacker-initiated commands. Other functionality includes clipboard monitoring, a command shell, DoS capabilities, disabling and enabling UAC (User Account Control), and the ability to trigger a BSOD. In addition, the XWorm RAT leverages WMI (Windows Management Instrumentation) objects to pull additional data such as installed antivirus products and the system date and time.
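Two behaviours described above are visible in endpoint telemetry and make good hunting rules: Follina (CVE-2022-30190) exploitation, which is an MSDT bug and therefore shows up as an Office process spawning msdt.exe, and the Run-key autorun entry used for persistence. The following detection logic is an added example and not code from the article or from the researchers; the key=value event format, the field names, the rule names and the sample events are all constructed for illustration, loosely modelled on Sysmon process-create and registry-set events.

```python
"""Hunt for Office-spawned msdt.exe (Follina) and Run-key persistence in
constructed Sysmon-style telemetry. Added example, not from the article."""
import re

# Constructed sample events (not real telemetry): id=1 process create,
# id=13 registry value set. Values may contain spaces.
SAMPLE_EVENTS = [
    "id=1 image=C:\\Windows\\System32\\msdt.exe parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "id=1 image=C:\\Windows\\System32\\msdt.exe parent=C:\\Windows\\explorer.exe",
    "id=13 image=C:\\Users\\u\\AppData\\Roaming\\x.exe target=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater details=C:\\Users\\u\\AppData\\Roaming\\x.exe",
    "id=13 image=C:\\Windows\\System32\\svchost.exe target=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Foo\\Start details=2",
]

# Office processes whose child msdt.exe is suspicious (assumed list).
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Matches HKCU/HKU/HKLM ...\CurrentVersion\Run and \RunOnce value paths.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


def parse_event(line):
    """Parse 'k=v k=v ...'; a value runs until the next ' key=' or end."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, artefact) pairs for every event that matches."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if (ev.get("id") == "1" and basename(ev.get("image", "")) == "msdt.exe"
                and basename(ev.get("parent", "")) in OFFICE_PARENTS):
            hits.append(("follina_office_spawns_msdt", ev["image"]))
        if ev.get("id") == "13" and RUN_KEY_RE.search(ev.get("target", "")):
            hits.append(("run_key_persistence", ev.get("details", "")))
    return hits


if __name__ == "__main__":
    for rule, artefact in detect(SAMPLE_EVENTS):
        print(f"{rule}: {artefact}")
```

Legitimate software also writes Run keys, so the second rule is a triage signal to pair with the image path (user-writable directories such as AppData are the common case for commodity RATs), not a verdict on its own.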
References:
- https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
- https://www.scmagazine.com/brief/vulnerability-management/new-xworm-malware-attacks-involve-follina-flaw-exploitation