Thursday, December 5, 2024
HomeCyber Security NewsXWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

XWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

Published on

SIEM as a Service

XWorm is a RAT (Remote Access Trojan), a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.

The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.

This malware has gone through several updates ever since its emergence in 2022, and the latest version is known to be 5.0 version as of August 2023.

- Advertisement - SIEM as a Service

Several threat actors are using it for multi-stage attacks on victims. XWorm is developed in the .NET framework and can be customized with various tools. 

XWorm MaaS

For the initial phase of the attack, threat actors send a phishing email containing a malicious Word document that loads a .rtf file when opened.

This file contains an Excel sheet with macros enabled for executing a PowerShell script that downloads the XWorm malware to the victim’s system.

XWorm has several capabilities, which include encrypted communication with the C2 server, Information gathering, Account Hijacking, User activity tracking, access to the clipboard, file management, etc., 

Source: ANY RUN
Source: ANY RUN

UAC Bypass & Persistence

To bypass the UAC control in Windows systems, the malware attempts to escalate its privileges to that of an administrator, which will allow the malware to make changes without the victim’s consent. 

For persistence on the infected systems, the malware adds itself to the startup list of programs that run when the computer starts.

Additionally, the malware is also capable of terminating its execution if the malware is installed inside a sandbox environment.

Furthermore, a complete report about this malware has been published by ANY RUN and provides detailed information on the execution process, code analysis, and other information.

Indicators of Compromise

IP addresses

  • 185.179.218[.]240
  • 95.32[.]98.110
  • 91[.]107.127.116

Hashes

  • F1CD899D09E247B9206F04E519E4FD5D3A4EB7E0A47F7577141B7BF71FDD4A60
  • C7CE7B4759034BAC5F89F206D0A08F3150CB4D6257F19B0EF02FC3C316D6507D
  • 049BC312BB80264BBA937B76BE6293ADCF0FE02A0DC879247DBBB8B7B6E9C051
  • 4941D43A0D8ACD464841E158ECD7B460B1B5C203587509E49341F5817674D7E2
  • 853141ECAB59614B4BD0E5ECD204A79E5856CD2AAA8464A6084B4C1BA2960610
  • D108BD602546078F3BAD759A985C7B3DFB78C5CB0E7DB8A18B97965C74ADD758
  • 243AE09600615F482240E4AAD32FC2211FD3EB90E8C13074BC3FB6A2555B2C95
  • 36744630552440395CA6062A6A6B6634791193AFC423BD77C9EEA84F210CFB83
  • E85F1E70C671DC54747BB12FC11DCF307F027AFFE9529AD153B595F83813FD6A
  • 6FB1F9B6610F5F275A70817B8BB93D15B942AF9AB166B94E24305B6F51C5D188
  • CC45D38FA00C5AEB33BDF842166460117B5E70B0B4FCF5BB6EF9747EC0B0575F
  • 47CFC580A33A5AAA4F3CBA9DCC34DD70D30363155B80B91A70B99F9E6BF8C7FC
  • 5AE7320BD89C825ED9335FD5FF35CD53997D7DD6023818080C1F01D6CCE20527
  • C91B64D2950DE8B7AC82050BF7DFCFB482974842A0E04B5E89CAF3E7EA1CF207
  • B079DD50E4CD9788F984A1F1018984D71D03990C44FBE3089EBE0A595DA4E98A
  • 8EAACAB5FAFCC224BC92007B9DC743F854D35C3D57E4688C7699792EA3470C37
  • BFD9809A1FD4485F2590BB784D5E4CCC249F04B4E7211BC9728A0FE3C88F2B78
  • 18FC313C1C1791643F21892EB9E5D3C50E64390A9A6955560E0C411B9A450509
  • 06E3ABEED1BC98ED56D5587E9732C9D39EA41879C250DFF68CE8815953FCF7AD
  • B3BA308F3408F979F5159E3C4514CA929BF9ACF23C6C70E2051F867BDC9F150D

Domains

swezy.ddns[.]net

0.tcp.ap[.]ngrok.io

atelilian99.ddns[.]net

URLs

  • https://pastebin[.]com/raw/H3wFXmEi:<123456789>
  • https://pastebin[.]com/raw/IP:PORT:KEY
  • https://pastebin[.]com/raw/yppjG8bz
  • https://pastebin[.]com/raw/nAXieb7q
  • https://pastebin[.]com/raw/2L3vs8UY
  • https://pastebin[.]com/raw/GUtADUQ5
  • https://pastebin[.]com/raw/iVUhhYa8
  • https://pastebin[.]com/raw/Q2AUANEc
  • https://pastebin[.]com/raw/S0j6LcjH

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...