Summary
XWorm is a relatively new and versatile malware tool that was first observed in 2022. It enables attackers to carry out a variety of functions, including accessing sensitive information, gaining remote access, and deploying additional malware. The multifaceted nature of XWorm is appealing to threat actors, as evidenced by its alleged use earlier this year by groups such as NullBulge and TA558.
Through Netskope Threat Labs hunting efforts, we uncovered XWorm’s latest version in the wild. In this blog post, we will break down the following:
- The infection chain leading to the execution of XWorm.
- Evasive execution of XWorm’s DLL loader through reflective code loading.
- The injection of XWorm into a legitimate process.
- XWorm’s new features, which include removal of plugins and a network command that reports XWorm’s response time, along with other noteworthy commands.
- Attacker notification after infection using Telegram.
XWorm execution flow
The following is a summary of XWorm’s execution flow:
- The infection chain starts with a WSF downloading and executing a PowerShell script hosted on paste.ee.
- The PowerShell script performs the following actions:
  A. Creates three scripts, namely VsLabs.vbs, VsEnhance.bat, and VsLabsData.ps1.
  B. Creates a scheduled task.
  C. Sends a Telegram notification to the attacker.
- The scheduled task executes the VBScript named VsLabs.vbs.
- The VBScript executes a batch file named VsEnhance.bat.
- The batch file executes a PowerShell script named VsLabsData.ps1.
- The PowerShell script loads a malicious DLL through reflective code loading.
- The malicious DLL injects XWorm into a legitimate process and executes it.
XWorm dropper delivered via Windows Script File (WSF)
The infection chain starts with a Windows Script File (WSF), likely delivered through phishing. The WSF file opens with several paragraphs about the Social Security Administration, written as a series of commented lines, so that a quick look (or a naive scanner) sees only filler text. It ends, however, with a VBScript that downloads and executes a PowerShell script using WScript.Shell. To avoid static detection, the command that downloads the PowerShell script is hex-encoded and split across concatenated string literals, so the plaintext command never appears in the file.
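The following is an added triage helper, not code from the original post or from Netskope: it pulls the VBScript body out of a WSF, separates the commented filler from the executable lines, and joins every `"..." & "..."` chain to see whether it decodes from hex to a readable command. The embedded WSF is a constructed sample modelled on the description above (the filler is shortened and the decoded command is a generic `powershell.exe` invocation, not the real download command or URL); the decoder itself is generic and works on any hex-pair chain, not only this one.

```python
import re

# Constructed sample modelled on the WSF described above: commented filler
# text about the Social Security Administration followed by VBScript that
# rebuilds a command from hex pairs split across concatenated string
# literals. It is NOT the real sample; the command is shortened and generic.
SAMPLE_WSF = r'''<job id="main">
<script language="VBScript">
' The Social Security Administration (SSA) is an independent agency of the
' U.S. federal government that administers Social Security programs ...
' (the real file carries several such paragraphs before any code)
Dim h, i, cmd
h = "706f776572" & "7368656c6c" & "2e657865" & "202d4e6f50" & "202d5720" & "48696464656e"
For i = 1 To Len(h) Step 2
    cmd = cmd & Chr(CLng("&H" & Mid(h, i, 2)))
Next
CreateObject("WScript.Shell").Run cmd, 0, False
</script>
</job>
'''

SCRIPT_BLOCK = re.compile(r'<script[^>]*language\s*=\s*"VBScript"[^>]*>(.*?)</script>',
                          re.IGNORECASE | re.DOTALL)
# A run of two or more string literals joined with the VBScript & operator.
CONCAT_CHAIN = re.compile(r'"[^"\n]*"(?:\s*&\s*"[^"\n]*")+')
LITERAL = re.compile(r'"([^"]*)"')
HEX_ONLY = re.compile(r'[0-9A-Fa-f]+')


def vbscript_bodies(wsf: str) -> list[str]:
    """Return the text of every <script language="VBScript"> block in a WSF."""
    return [m.group(1) for m in SCRIPT_BLOCK.finditer(wsf)]


def split_comments(vbs: str) -> tuple[list[str], list[str]]:
    """Separate ' / REM comment lines from executable lines so the filler can be measured."""
    comments, code = [], []
    for line in vbs.splitlines():
        s = line.strip()
        if not s:
            continue
        is_comment = s.startswith("'") or s.lower().startswith("rem ")
        (comments if is_comment else code).append(s)
    return comments, code


def decode_hex_chains(vbs: str, min_hex_len: int = 8) -> list[str]:
    """Join each concatenation chain and decode it if it is a hex-encoded printable ASCII string."""
    found = []
    for m in CONCAT_CHAIN.finditer(vbs):
        joined = "".join(LITERAL.findall(m.group(0)))
        if len(joined) < min_hex_len or len(joined) % 2 or not HEX_ONLY.fullmatch(joined):
            continue
        try:
            text = bytes.fromhex(joined).decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            found.append(text)
    return found


def triage(wsf: str) -> dict:
    """Summarise the indicators a first-pass WSF triage should surface."""
    bodies = vbscript_bodies(wsf)
    comments, code = [], []
    for body in bodies:
        c, k = split_comments(body)
        comments += c
        code += k
    all_code = "\n".join(bodies)
    return {
        "comment_lines": len(comments),
        "code_lines": len(code),
        "uses_wscript_shell": "wscript.shell" in all_code.lower(),
        "decoded_strings": decode_hex_chains(all_code),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_WSF).items():
        print(f"{key}: {value}")
```

A high ratio of comment lines to code lines together with a hex chain that decodes to a `powershell.exe` command line is a strong signal on its own; the decoded string is also what you would pass to the next stage of analysis (or to a sandbox) instead of executing the WSF.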
PowerShell script analysis
The VBScript downloads a PowerShell script hosted on Paste.ee, a legitimate pastebin-style service. Using legitimate websites to host malicious code helps attackers fly under the defender’s radar, since the download itself looks like ordinary traffic to a well-known domain. To avoid detection over the wire, the PowerShell script applies several string obfuscation techniques, including escape characters and string concatenation. The PowerShell script creates a folder named “Visuals” at the path “C:\ProgramData\Music\Visuals”. It then generates a PowerShell script, a batch file and a VBScript (VsLabsData.ps1, VsEnhance.bat, and VsLabs.vbs) and stores them in the folder it created.
The VBScript named VsLabs.vbs starts the execution chain by running the batch file VsEnhance.bat using WScript.Shell, and VsEnhance.bat in turn executes the PowerShell script VsLabsData.ps1.