Cybersecurity researchers at Netskope Threat Labs have discovered a new version of the XWorm malware, designated as version 6.0, which introduces enhanced evasion capabilities and process protection mechanisms targeting Windows systems.
This latest variant represents a significant evolution from the previously documented version 5.6, incorporating sophisticated anti-analysis techniques that demonstrate the malware’s continued active development and refinement by threat actors.
Enhanced Infection Chain and AMSI Bypass Capabilities
The XWorm 6.0 infection begins through a VBScript file delivered via social engineering campaigns, employing a multi-stage obfuscation process that reconstructs malicious payloads at runtime.
The initial VBScript stores the payload as an array of character codes, walks the array in reverse order starting from its UBound index, converts each numeric value to a Unicode character with VBScript's ChrW function, concatenates the characters, and executes the resulting string via eval.
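The array-reversal trick described above can be undone statically, without ever handing the reconstructed string to eval. The following Python script is an added analysis example and is not code from the report or from the malware: it pulls numeric Array() literals out of a VBScript, detects whether the loop walks them from UBound down to 0, and rebuilds the string the way ChrW concatenation would. The embedded script (SAMPLE_VBS) is a constructed, harmless stand-in that only imitates the obfuscation shape; the decoded text is a placeholder MsgBox call, not the real payload.

```python
import re

# Constructed sample (not the real dropper) imitating the pattern in the
# write-up: character codes stored in reverse order inside Array(), walked
# from UBound down to 0, turned into characters with ChrW, then eval'd.
SAMPLE_VBS = r'''
Dim a, s, i
a = Array(41, 34, 101, 108, 112, 109, 97, 115, 32, 110, 103, 105, _
          110, 101, 98, 34, 40, 120, 111, 66, 103, 115, 77)
For i = UBound(a) To 0 Step -1
    s = s & ChrW(a(i))
Next
eval(s)
'''

# Matches Array( ... ) literals, including ones split across lines with "_".
ARRAY_RE = re.compile(r"Array\s*\(([^)]*)\)", re.IGNORECASE)
# Matches a loop that consumes the array backwards: For i = UBound(a) To 0 Step -1
REVERSE_LOOP_RE = re.compile(
    r"For\s+\w+\s*=\s*UBound\s*\(\s*\w+\s*\)\s+To\s+0\s+Step\s+-1",
    re.IGNORECASE,
)


def extract_code_arrays(script):
    """Return every all-numeric Array(...) literal in the script as a list of ints.

    Line-continuation underscores and surrounding whitespace are tolerated;
    arrays that contain anything other than integers are skipped.
    """
    arrays = []
    for match in ARRAY_RE.finditer(script):
        body = match.group(1).replace("_", " ")
        items = [item.strip() for item in body.split(",") if item.strip()]
        if items and all(item.isdigit() for item in items):
            arrays.append([int(item) for item in items])
    return arrays


def loop_is_reversed(script):
    """True when the script iterates from UBound down to 0 (reverse order)."""
    return REVERSE_LOOP_RE.search(script) is not None


def decode_codes(codes, reverse):
    """Rebuild the string exactly as ChrW concatenation would, without eval.

    chr() accepts the same Unicode code points ChrW does, so values above
    255 (e.g. zero-width or homoglyph characters) are preserved.
    """
    ordered = reversed(codes) if reverse else codes
    return "".join(chr(code) for code in ordered)


def recover_payload(script):
    """Statically recover the string(s) the script would pass to eval."""
    reverse = loop_is_reversed(script)
    return [decode_codes(codes, reverse) for codes in extract_code_arrays(script)]


if __name__ == "__main__":
    for text in recover_payload(SAMPLE_VBS):
        print(repr(text))
```

Because the recovered text is never executed, the script can be run safely over a quarantined sample; the decoded stage is then a plain string that can be inspected for URLs, PowerShell invocations or further encoded layers.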
A critical advancement in this version is the implementation of Antimalware Scan Interface (AMSI) bypass functionality through in-memory modification of the Common Language Runtime library (CLR.DLL).
The PowerShell script retrieves system memory information, iterates through every memory region of the current process, and searches CLR.DLL for the “AmsiScanBuffer” string, which it then overwrites with null bytes.
Because the CLR can no longer resolve the AmsiScanBuffer method, AMSI is unable to inspect the suspicious memory content.
Process Protection and Advanced Anti-Analysis Features
XWorm 6.0 introduces a notable process protection mechanism by marking itself as a critical system process when executed with administrator privileges.
The malware verifies that it is elevated by checking whether the current user holds the built-in Administrator role (WindowsBuiltInRole.Administrator, value 544), then invokes EnterDebugMode to enable SeDebugPrivilege.
Once marked critical, the process cannot be terminated by standard users, and forcibly terminating it as an elevated user crashes the system and forces a reboot.
The malware incorporates multiple anti-analysis techniques, including automatic termination when detecting execution on Windows XP systems, potentially to prevent analysis in legacy sandbox environments.
Additionally, XWorm employs the IP-API service to determine if the device’s IP address originates from data centers or hosting providers, terminating execution if such infrastructure is detected.
For persistence, XWorm 6.0 modifies its approach from the scheduled task method used in version 5.6, instead copying the update.vbs file to both TEMP and APPDATA folders and adding these paths to the registry run key.
This evolution demonstrates the malware’s adaptive capabilities and suggests continued refinement of techniques to maintain long-term access to compromised systems while evading detection mechanisms.
IOCs
C4C533DDFCB014419CBD6293B94038EB5DE1854034B6B9C1A1345C4D97CDFABF
Scripts
4648ce5e4ce4b7562a7828eb81f830d33ab0484392306bc9d3559a42439c8558
9dd4902099e23c380596e7061482560866e103d2a899b84e0b6ff98c44c494e4
e73f48fe634a0c767bd596bbd068a13be7465993633fd61ccda717a474ee2db2
URL
hxxps://github[.]com/MockaPro/XX/raw/refs/heads/main/Microsoft.exe
hxxps://files.catbox[.]moe/3yb2zi.ps1