Saturday, June 15, 2024

XWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

XWorm is a RAT (Remote Access Trojan), a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.

The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.

This malware has gone through several updates ever since its emergence in 2022, and the latest version is known to be 5.0 version as of August 2023.

Several threat actors are using it for multi-stage attacks on victims. XWorm is developed in the .NET framework and can be customized with various tools. 

XWorm MaaS

For the initial phase of the attack, threat actors send a phishing email containing a malicious Word document that loads a .rtf file when opened.

This file contains an Excel sheet with macros enabled for executing a PowerShell script that downloads the XWorm malware to the victim’s system.

XWorm has several capabilities, which include encrypted communication with the C2 server, Information gathering, Account Hijacking, User activity tracking, access to the clipboard, file management, etc., 

Source: ANY RUN
Source: ANY RUN

UAC Bypass & Persistence

To bypass the UAC control in Windows systems, the malware attempts to escalate its privileges to that of an administrator, which will allow the malware to make changes without the victim’s consent. 

For persistence on the infected systems, the malware adds itself to the startup list of programs that run when the computer starts.

Additionally, the malware is also capable of terminating its execution if the malware is installed inside a sandbox environment.

Furthermore, a complete report about this malware has been published by ANY RUN and provides detailed information on the execution process, code analysis, and other information.

Indicators of Compromise

IP addresses

  • 185.179.218[.]240
  • 95.32[.]98.110
  • 91[.]107.127.116


  • F1CD899D09E247B9206F04E519E4FD5D3A4EB7E0A47F7577141B7BF71FDD4A60
  • C7CE7B4759034BAC5F89F206D0A08F3150CB4D6257F19B0EF02FC3C316D6507D
  • 049BC312BB80264BBA937B76BE6293ADCF0FE02A0DC879247DBBB8B7B6E9C051
  • 4941D43A0D8ACD464841E158ECD7B460B1B5C203587509E49341F5817674D7E2
  • 853141ECAB59614B4BD0E5ECD204A79E5856CD2AAA8464A6084B4C1BA2960610
  • D108BD602546078F3BAD759A985C7B3DFB78C5CB0E7DB8A18B97965C74ADD758
  • 243AE09600615F482240E4AAD32FC2211FD3EB90E8C13074BC3FB6A2555B2C95
  • 36744630552440395CA6062A6A6B6634791193AFC423BD77C9EEA84F210CFB83
  • E85F1E70C671DC54747BB12FC11DCF307F027AFFE9529AD153B595F83813FD6A
  • 6FB1F9B6610F5F275A70817B8BB93D15B942AF9AB166B94E24305B6F51C5D188
  • CC45D38FA00C5AEB33BDF842166460117B5E70B0B4FCF5BB6EF9747EC0B0575F
  • 47CFC580A33A5AAA4F3CBA9DCC34DD70D30363155B80B91A70B99F9E6BF8C7FC
  • 5AE7320BD89C825ED9335FD5FF35CD53997D7DD6023818080C1F01D6CCE20527
  • C91B64D2950DE8B7AC82050BF7DFCFB482974842A0E04B5E89CAF3E7EA1CF207
  • B079DD50E4CD9788F984A1F1018984D71D03990C44FBE3089EBE0A595DA4E98A
  • 8EAACAB5FAFCC224BC92007B9DC743F854D35C3D57E4688C7699792EA3470C37
  • BFD9809A1FD4485F2590BB784D5E4CCC249F04B4E7211BC9728A0FE3C88F2B78
  • 18FC313C1C1791643F21892EB9E5D3C50E64390A9A6955560E0C411B9A450509
  • 06E3ABEED1BC98ED56D5587E9732C9D39EA41879C250DFF68CE8815953FCF7AD
  • B3BA308F3408F979F5159E3C4514CA929BF9ACF23C6C70E2051F867BDC9F150D






  • https://pastebin[.]com/raw/H3wFXmEi:<123456789>
  • https://pastebin[.]com/raw/IP:PORT:KEY
  • https://pastebin[.]com/raw/yppjG8bz
  • https://pastebin[.]com/raw/nAXieb7q
  • https://pastebin[.]com/raw/2L3vs8UY
  • https://pastebin[.]com/raw/GUtADUQ5
  • https://pastebin[.]com/raw/iVUhhYa8
  • https://pastebin[.]com/raw/Q2AUANEc
  • https://pastebin[.]com/raw/S0j6LcjH

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles