
XWorm: Evolving Threat – New Stagers and Loaders Outwit Security Systems

In the ever-shifting landscape of cybercrime, XWorm, a notorious remote access trojan (RAT), continues to evolve, arming threat actors with fresh tactics to bypass modern security defenses.

The Splunk Threat Research Team (STRT) has recently dissected a wave of new XWorm campaigns, revealing a sophisticated arsenal of stagers, loaders, and obfuscation techniques designed to infiltrate organizations undetected.

Sophisticated Multi-Stage Delivery Chain

Unlike many traditional malware strains that adhere to predictable infection paths, XWorm employs a diverse array of stagers and loaders, cycling through various file formats and scripting languages.

Recent attacks have leveraged a wide range of tools, including PowerShell scripts, VBS files, .NET executables, JavaScript, batch files, ISO images, VHD, IMG, and even malicious Office macros.

STRT’s analysis of 1,000 XWorm samples from Malware Bazaar highlighted the prevalence of phishing lures, with filenames themed around invoices, receipts, and shipping notifications, classic bait targeting business users.

XWorm Stager and Loader Sampling Statistics

Once clicked, these files unleash obfuscated code designed to avoid detection and analysis.

A key technical innovation is XWorm’s use of .hta and PowerShell stagers that download additional payloads directly from attacker-controlled command-and-control (C2) servers.

Many script-based stagers are heavily obfuscated, leveraging Base64 and AES encryption to conceal their actions and deliver follow-on malware components.

Defense Evasion and Persistence Mechanisms

Among XWorm’s most alarming features are its advanced defense evasion methods.

The malware actively disables Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), patching memory functions to bypass in-memory security scans and suppress system logs.

This allows malicious code to operate covertly, eluding both antivirus solutions and behavioral monitoring tools.

Persistence is achieved through registry run keys, scheduled tasks, and startup folder shortcuts, ensuring XWorm survives system reboots.

The analysis also reveals the RAT’s ability to replicate itself via removable drives and establish footholds for privilege escalation through scheduled tasks.

Once resident, XWorm conducts reconnaissance by querying Windows Management Instrumentation (WMI) to inventory security software, capture hardware details, and identify potential targets, such as webcams.

The RAT additionally modifies Microsoft Defender’s exclusion settings and launches PowerShell with its execution policy bypassed, further evading security scrutiny.

Detection and Mitigation

To counter XWorm’s adaptations, Splunk provides a suite of analytic detections ranging from identifying suspicious child processes spawned by scripting engines to monitoring PowerShell operations indicative of cryptographic abuse or in-memory .NET assembly loading.

Given XWorm’s modularity, frequent updates, and deliberate targeting of the supply chain and gaming sectors, organizations are advised to enhance endpoint visibility, fine-tune detections for script-based stagers, and continuously educate employees about phishing threats.
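The detection categories described above (scripting engines spawning PowerShell, Defender exclusion changes, execution-policy bypass, in-memory .NET assembly loading, AMSI/ETW tampering) can be expressed as simple telemetry rules. The following is an added example, not Splunk’s or STRT’s code; the event format and all sample events are constructed to resemble process-creation and PowerShell script-block logs.

```python
import re

# Parent processes that are scripting engines, and the shells they should rarely spawn.
SCRIPT_ENGINES = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
CHILD_SHELLS = {"powershell.exe", "pwsh.exe"}

# Content rules applied to command lines and script blocks. Each mirrors a behaviour
# named in the article; the regexes are illustrative, not a complete rule set.
CONTENT_RULES = {
    "defender_exclusion_change": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
    "execution_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+Bypass", re.I),
    "inmemory_assembly_load": re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I),
    "amsi_or_etw_tamper": re.compile(r"AmsiScanBuffer|EtwEventWrite|amsiInitFailed", re.I),
}

def detect(events):
    """Return (event_id, rule_name) pairs for every rule an event triggers."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            parent = ev["parent_image"].lower()
            child = ev["image"].lower()
            if parent in SCRIPT_ENGINES and child in CHILD_SHELLS:
                hits.append((ev["id"], "script_engine_spawned_powershell"))
        # Script-block events carry no command line; process events carry no block.
        text = ev.get("command_line", "") + " " + ev.get("script_block", "")
        for name, pattern in CONTENT_RULES.items():
            if pattern.search(text):
                hits.append((ev["id"], name))
    return hits

# Constructed sample telemetry (hypothetical field names, not real XWorm artefacts).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "parent_image": "mshta.exe", "image": "powershell.exe",
     "command_line": r"powershell.exe -nop -w hidden -ExecutionPolicy Bypass -File C:\Users\Public\invoice.ps1"},
    {"id": "e2", "type": "script_block",
     "script_block": r"Add-MpPreference -ExclusionPath 'C:\Users\Public' -Force"},
    {"id": "e3", "type": "script_block",
     "script_block": "$asm = [Reflection.Assembly]::Load($bytes); $asm.EntryPoint.Invoke($null, $null)"},
    {"id": "e4", "type": "process_create", "parent_image": "explorer.exe", "image": "powershell.exe",
     "command_line": "powershell.exe Get-ChildItem"},  # benign: interactive shell, no bypass
]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Event e4 produces no hit, showing that the parent-process rule alone does not flag ordinary interactive PowerShell use.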

IOC

SHA256                                                              Description
78b15b9b54925120b713a52a09c66674463bd689e3b01395801ef58c77651127    Bat loader
0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f    PowerShell script
28859e4387fefb9d1f36fdf711d1b058df5effe21d726cfe6a9a285f96db1c98    Batch script
327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf    VB script
354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9    HTA
Priya
