Friday, September 13, 2024
HomeCyber Security NewsXWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

XWorm Sold Malware-as-a-service Opens Vast Hacking Opportunities

Published on

XWorm is a RAT (Remote Access Trojan), a malware-as-a-service. It was first discovered in July 2022 and is known to have originated from the ex-USSR.

The malware is capable of multiple things, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and ransomware deployment.

This malware has gone through several updates ever since its emergence in 2022, and the latest version is known to be 5.0 version as of August 2023.

- Advertisement - EHA

Several threat actors are using it for multi-stage attacks on victims. XWorm is developed in the .NET framework and can be customized with various tools. 

XWorm MaaS

For the initial phase of the attack, threat actors send a phishing email containing a malicious Word document that loads a .rtf file when opened.

This file contains an Excel sheet with macros enabled for executing a PowerShell script that downloads the XWorm malware to the victim’s system.

XWorm has several capabilities, which include encrypted communication with the C2 server, Information gathering, Account Hijacking, User activity tracking, access to the clipboard, file management, etc., 

Source: ANY RUN
Source: ANY RUN

UAC Bypass & Persistence

To bypass the UAC control in Windows systems, the malware attempts to escalate its privileges to that of an administrator, which will allow the malware to make changes without the victim’s consent. 

For persistence on the infected systems, the malware adds itself to the startup list of programs that run when the computer starts.

Additionally, the malware is also capable of terminating its execution if the malware is installed inside a sandbox environment.

Furthermore, a complete report about this malware has been published by ANY RUN and provides detailed information on the execution process, code analysis, and other information.

Indicators of Compromise

IP addresses

  • 185.179.218[.]240
  • 95.32[.]98.110
  • 91[.]107.127.116

Hashes

  • F1CD899D09E247B9206F04E519E4FD5D3A4EB7E0A47F7577141B7BF71FDD4A60
  • C7CE7B4759034BAC5F89F206D0A08F3150CB4D6257F19B0EF02FC3C316D6507D
  • 049BC312BB80264BBA937B76BE6293ADCF0FE02A0DC879247DBBB8B7B6E9C051
  • 4941D43A0D8ACD464841E158ECD7B460B1B5C203587509E49341F5817674D7E2
  • 853141ECAB59614B4BD0E5ECD204A79E5856CD2AAA8464A6084B4C1BA2960610
  • D108BD602546078F3BAD759A985C7B3DFB78C5CB0E7DB8A18B97965C74ADD758
  • 243AE09600615F482240E4AAD32FC2211FD3EB90E8C13074BC3FB6A2555B2C95
  • 36744630552440395CA6062A6A6B6634791193AFC423BD77C9EEA84F210CFB83
  • E85F1E70C671DC54747BB12FC11DCF307F027AFFE9529AD153B595F83813FD6A
  • 6FB1F9B6610F5F275A70817B8BB93D15B942AF9AB166B94E24305B6F51C5D188
  • CC45D38FA00C5AEB33BDF842166460117B5E70B0B4FCF5BB6EF9747EC0B0575F
  • 47CFC580A33A5AAA4F3CBA9DCC34DD70D30363155B80B91A70B99F9E6BF8C7FC
  • 5AE7320BD89C825ED9335FD5FF35CD53997D7DD6023818080C1F01D6CCE20527
  • C91B64D2950DE8B7AC82050BF7DFCFB482974842A0E04B5E89CAF3E7EA1CF207
  • B079DD50E4CD9788F984A1F1018984D71D03990C44FBE3089EBE0A595DA4E98A
  • 8EAACAB5FAFCC224BC92007B9DC743F854D35C3D57E4688C7699792EA3470C37
  • BFD9809A1FD4485F2590BB784D5E4CCC249F04B4E7211BC9728A0FE3C88F2B78
  • 18FC313C1C1791643F21892EB9E5D3C50E64390A9A6955560E0C411B9A450509
  • 06E3ABEED1BC98ED56D5587E9732C9D39EA41879C250DFF68CE8815953FCF7AD
  • B3BA308F3408F979F5159E3C4514CA929BF9ACF23C6C70E2051F867BDC9F150D

Domains

swezy.ddns[.]net

0.tcp.ap[.]ngrok.io

atelilian99.ddns[.]net

URLs

  • https://pastebin[.]com/raw/H3wFXmEi:<123456789>
  • https://pastebin[.]com/raw/IP:PORT:KEY
  • https://pastebin[.]com/raw/yppjG8bz
  • https://pastebin[.]com/raw/nAXieb7q
  • https://pastebin[.]com/raw/2L3vs8UY
  • https://pastebin[.]com/raw/GUtADUQ5
  • https://pastebin[.]com/raw/iVUhhYa8
  • https://pastebin[.]com/raw/Q2AUANEc
  • https://pastebin[.]com/raw/S0j6LcjH

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hacker Tricks ChatGPT to Get Details for Making Homemade Bombs

A hacker known as Amadon has reportedly managed to bypass the safety protocols of...

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...