XWorm is a RAT (Remote Access Trojan), a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.
The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.
This malware has gone through several updates ever since its emergence in 2022, and the latest version is known to be 5.0 version as of August 2023.
.png
)
Several threat actors are using it for multi-stage attacks on victims. XWorm is developed in the .NET framework and can be customized with various tools.
XWorm MaaS
For the initial phase of the attack, threat actors send a phishing email containing a malicious Word document that loads a .rtf file when opened.
This file contains an Excel sheet with macros enabled for executing a PowerShell script that downloads the XWorm malware to the victim’s system.
XWorm has several capabilities, which include encrypted communication with the C2 server, Information gathering, Account Hijacking, User activity tracking, access to the clipboard, file management, etc.,
UAC Bypass & Persistence
To bypass the UAC control in Windows systems, the malware attempts to escalate its privileges to that of an administrator, which will allow the malware to make changes without the victim’s consent.
For persistence on the infected systems, the malware adds itself to the startup list of programs that run when the computer starts.
Additionally, the malware is also capable of terminating its execution if the malware is installed inside a sandbox environment.
Furthermore, a complete report about this malware has been published by ANY RUN and provides detailed information on the execution process, code analysis, and other information.
Indicators of Compromise
IP addresses
- 185.179.218[.]240
- 95.32[.]98.110
- 91[.]107.127.116
Hashes
- F1CD899D09E247B9206F04E519E4FD5D3A4EB7E0A47F7577141B7BF71FDD4A60
- C7CE7B4759034BAC5F89F206D0A08F3150CB4D6257F19B0EF02FC3C316D6507D
- 049BC312BB80264BBA937B76BE6293ADCF0FE02A0DC879247DBBB8B7B6E9C051
- 4941D43A0D8ACD464841E158ECD7B460B1B5C203587509E49341F5817674D7E2
- 853141ECAB59614B4BD0E5ECD204A79E5856CD2AAA8464A6084B4C1BA2960610
- D108BD602546078F3BAD759A985C7B3DFB78C5CB0E7DB8A18B97965C74ADD758
- 243AE09600615F482240E4AAD32FC2211FD3EB90E8C13074BC3FB6A2555B2C95
- 36744630552440395CA6062A6A6B6634791193AFC423BD77C9EEA84F210CFB83
- E85F1E70C671DC54747BB12FC11DCF307F027AFFE9529AD153B595F83813FD6A
- 6FB1F9B6610F5F275A70817B8BB93D15B942AF9AB166B94E24305B6F51C5D188
- CC45D38FA00C5AEB33BDF842166460117B5E70B0B4FCF5BB6EF9747EC0B0575F
- 47CFC580A33A5AAA4F3CBA9DCC34DD70D30363155B80B91A70B99F9E6BF8C7FC
- 5AE7320BD89C825ED9335FD5FF35CD53997D7DD6023818080C1F01D6CCE20527
- C91B64D2950DE8B7AC82050BF7DFCFB482974842A0E04B5E89CAF3E7EA1CF207
- B079DD50E4CD9788F984A1F1018984D71D03990C44FBE3089EBE0A595DA4E98A
- 8EAACAB5FAFCC224BC92007B9DC743F854D35C3D57E4688C7699792EA3470C37
- BFD9809A1FD4485F2590BB784D5E4CCC249F04B4E7211BC9728A0FE3C88F2B78
- 18FC313C1C1791643F21892EB9E5D3C50E64390A9A6955560E0C411B9A450509
- 06E3ABEED1BC98ED56D5587E9732C9D39EA41879C250DFF68CE8815953FCF7AD
- B3BA308F3408F979F5159E3C4514CA929BF9ACF23C6C70E2051F867BDC9F150D
Domains
swezy.ddns[.]net
0.tcp.ap[.]ngrok.io
atelilian99.ddns[.]net
URLs
- https://pastebin[.]com/raw/H3wFXmEi:<123456789>
- https://pastebin[.]com/raw/IP:PORT:KEY
- https://pastebin[.]com/raw/yppjG8bz
- https://pastebin[.]com/raw/nAXieb7q
- https://pastebin[.]com/raw/2L3vs8UY
- https://pastebin[.]com/raw/GUtADUQ5
- https://pastebin[.]com/raw/iVUhhYa8
- https://pastebin[.]com/raw/Q2AUANEc
- https://pastebin[.]com/raw/S0j6LcjH
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.
 which is a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.){kind=link}