Avira researchers analyze the Remote Access Trojan XWorm RAT, which spreads via spam email, capable of infecting people with ransomware, stealing their data and driving denial-of-service attacks
In early April 2023, during our daily malware hunt, we noticed an unusual increase in XWorm RAT, a remote access trojan (RAT), spread across numerous machines with a suspicious kill chain.
XWorm RAT spreads through spam emails that lure professionals by claiming interest in booking their services for a new project. The email says: “I am interested in a quote from you, we are looking for professional hands to work on our new project”. It comes with an infected attachment that can deliver various malicious payloads to various locations on compromised systems and performs a wide range of operations: it can run ransomware, monitor a victim’s webcam and keyboard, steal passwords, use the remote desktop protocol (RDP) to access the infected computer remotely, launch a denial-of-service (DDoS) attack, and steal cryptocurrency from users by swapping the wallet address while a transaction is being processed.
Avira detects and helps protect people from this attack, keeping them and their data safe.
Impact in the wild:
Based on our telemetry, the image below shows the geographical distribution of the malware. Of the top five geolocations where this attack was seen in the last 30 days, Germany accounted for more than 36% of detections, with Malaysia affected at a similar level.
Sales in dark marketplace:
While exploring the dark marketplaces for malware, we discovered that “XWorm RAT builders and their numerous operations” are available for purchase at various prices, posted by the threat actor “EvilCoder”.
The attacker’s interface:
We were curious how the command-and-control (C2C) server works on the attacker’s side. For this, we reproduced the XWorm builder and its command-line terminal. Here are some insights into the command-line control panel and its list of features:
- UAC Bypass
- Reverse Proxy
- Hidden RDP and VNC
- Shell control
- Clipboard and File Manager
- WebCam and Microphone
- DDoS Attacks
- Shutdown, Restart and Logoff
- Setting Blank Screen
- Password recovery
- Registry editor
During our analysis, we also found that several cracked versions of XWorm are available on the open web; for example, some cracked XWorm packages are hosted in GitHub repositories. The availability of cracked versions makes the malware a more feasible and appealing option for script kiddies to get their hands dirty.
Infection Kill Chain:
- MalSpam to PowerShell: –
The attack begins with a spear-phishing email carrying a malicious attachment delivered to the victim. This first stage of the attack is the malware delivery method attackers have favoured for years.
Spear Phishing mail
Analysing the .docx file (CONSTRUCTION DIAGRAM 2023.docx), we found that a link embedded as an external template is fetched when the file is opened. This technique is known as “template injection”: the URL is contacted as soon as the document loads. We have observed this becoming one of the attackers’ favoured payload delivery methods recently.
The hosted URL (shown in the image below) leads to a malicious JavaScript file with obfuscated content; inside it, the link redirects to another site (hosted on a *.usrfile.com domain) that serves a heavily encrypted PowerShell script, shown below. At the time of writing, this PowerShell has very few detections from security vendors on VT.
Malicious Packed JS
The obfuscated JavaScript fetches another link to drop the second-stage PowerShell payload, which has the following capabilities. The payload is hex-encoded and decoded through a replace operation on a variable in PowerShell.
- AMSI bypass
- Turning off Windows Defender
- Exclusions for the parent process, directories and extensions
- MpPreference: disabling IPS, real-time monitoring, script scanning and PUA protection
- EnableLUA property value set to 0
- Stopping the Windows Defender service
- Setting Windows Defender start-up to disabled
- Creating a new user named 123 on the victim’s system via the net command
- Stopping the Windows Defender Network Inspection service via the net command
- Firewall configuration modifications
The simple AMSI bypass technique seen in the wild sets the amsiInitFailed variable (used by the ScanContent method of AmsiUtils) to $true. This variable controls whether scan results are reported, which is why the technique is called AMSI logging evasion. Even if an AV signature hits on content loaded through memory, the result falls through to AMSI_RESULT_NOT_DETECTED, as shown below:
MpPreferences – Exclusions
Services Set/Stop, LUA, netuser/netsh
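Every behaviour in the list above leaves text in PowerShell script-block logging (event 4104) even when the script itself is obfuscated, because the decoded commands are what actually execute. The Python triage below is an added example (not Avira’s detection content): one narrow regex per behaviour, applied to script-block text, returning the matched categories so the hits can be ranked. The sample script blocks are constructed fragments modelled on the list above, not the real payload; the category names are the author’s own.

```python
import re
from typing import Dict, List

# One regex per behaviour the second-stage PowerShell exhibits. Patterns are deliberately
# narrow: a Get-MpPreference audit or an "EnableLUA /d 1" (re-enabling UAC) must not fire.
INDICATORS: Dict[str, re.Pattern] = {
    "amsi_bypass": re.compile(r"amsiInitFailed|AmsiUtils", re.I),
    "defender_mppref": re.compile(
        r"Set-MpPreference\s+-Disable\w+|-Exclusion(Path|Process|Extension)\b", re.I),
    "defender_service": re.compile(
        r"\b(sc(\.exe)?\s+(stop|config|delete)|net1?(\.exe)?\s+stop|Stop-Service|Set-Service)\b"
        r".*\b(WinDefend|WdNisSvc)\b", re.I),
    "uac_lua_off": re.compile(r"\bEnableLUA\b.*\b0\b", re.I),
    "net_user_add": re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S*\s*/add\b", re.I),
    "firewall_change": re.compile(r"\bnetsh\s+(advfirewall|firewall)\s+(set|add|delete)\b", re.I),
    # a long hex blob combined with -replace is the decoding step described above
    "hex_blob_replace": re.compile(r"[0-9a-f]{32,}.*-replace\b|-replace\b.*[0-9a-f]{32,}", re.I | re.S),
}


def scan_script_block(text: str) -> Dict[str, object]:
    """Classify one script-block text (e.g. the ScriptBlockText field of a 4104 event)."""
    categories = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"categories": categories, "score": len(categories)}


def triage(blocks: List[str]) -> List[Dict[str, object]]:
    """Return only the blocks that matched, with their index for follow-up."""
    results: List[Dict[str, object]] = []
    for idx, text in enumerate(blocks):
        result = scan_script_block(text)
        if result["score"]:
            results.append({"index": idx, **result})
    return results


# Constructed script-block fragments modelled on the behaviours listed above (not the real sample).
SAMPLE_SCRIPT_BLOCKS = [
    "Get-MpPreference | Select-Object ExclusionPath",                 # benign admin audit
    "$f = $u.GetField('amsiInitFailed', 'NonPublic,Static')",         # AMSI logging evasion
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true",
    "Add-MpPreference -ExclusionPath $env:APPDATA -ExclusionExtension exe",
    "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "net user 123 Passw0rd! /add; net stop WdNisSvc",
    "netsh advfirewall set allprofiles state off",
    "$blob = ('4d5a90000300000004000000ffff0000b800000000000000' -replace '#', '')",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print(hit["index"], hit["score"], ", ".join(hit["categories"]))
```

A single category is often legitimate administration (an exclusion added by a deployment script, for instance); two or more categories inside one script block, or the AMSI category at all, is the combination worth alerting on. Script-block logging has to be enabled for this text to exist, which is the prerequisite to turn on first.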
- DLL Execution from PowerShell: –
The DLL, stored as hex, is de-obfuscated by loading a second layer of PowerShell in memory, which fills the “$MEME2026” variable.
Compressed dll file loaded into $RNP
The decompressed DLL’s “A.B” method calls the “C” method to process the very last layer: the payload for the .NET executable.
Bytes Invoking from DLL
DLL Runtime Method handle of final exe payload
The PowerShell script copies itself to the Startup folder to establish persistence.
The malware also creates a scheduled task via schtasks named “EscanDissldo” to carry out its scheduled activity once every minute.
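The two persistence mechanisms just described (a copy in the Startup folder and a task that fires every minute) are visible in an exported task definition. The Python assessment below is an added example, not Avira’s code: it parses the XML format that Task Scheduler exports, reads only the repetition interval under `Repetition` (ignoring the unrelated `RestartOnFailure` interval), and flags short intervals, script-interpreter actions, user-writable paths and hidden-window flags. The two task definitions are constructed; the task name is the one reported above, but the trigger time, paths and arguments are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|\\Startup\\|\\Temp\\|%APPDATA%|%TEMP%", re.I)
HIDDEN_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass|-(enc|encodedcommand)\s", re.I)


def iso_duration_seconds(value: str) -> Optional[int]:
    """Parse the ISO 8601 durations Task Scheduler uses for repetition intervals (e.g. PT1M)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def assess_task(xml_text) -> Dict[str, object]:
    """Score one exported task definition; two or more findings mark it for review."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    # Only Repetition/Interval is a schedule; Settings/RestartOnFailure/Interval is not.
    intervals = [iso_duration_seconds(rep.findtext(TASK_NS + "Interval") or "")
                 for rep in root.iter(TASK_NS + "Repetition")]
    intervals = [i for i in intervals if i is not None]
    min_interval = min(intervals) if intervals else None
    if min_interval is not None and min_interval <= 300:
        findings.append(f"repeats every {min_interval}s")
    commands: List[str] = []
    for exe in root.iter(TASK_NS + "Exec"):
        cmd = (exe.findtext(TASK_NS + "Command") or "").strip()
        args = (exe.findtext(TASK_NS + "Arguments") or "").strip()
        commands.append((cmd + " " + args).strip())
        base = cmd.replace("/", "\\").split("\\")[-1].strip('"').lower()
        if base in INTERPRETERS:
            findings.append(f"action runs script interpreter {base}")
        if USER_WRITABLE.search(cmd + " " + args):
            findings.append("references a user-writable path (AppData/Startup/Temp)")
        if HIDDEN_FLAGS.search(args):
            findings.append("hidden-window or execution-policy-bypass flags")
    uri = (root.findtext(TASK_NS + "RegistrationInfo/" + TASK_NS + "URI") or "").strip()
    return {"task": uri, "min_interval_s": min_interval, "commands": commands,
            "findings": findings, "suspicious": len(findings) >= 2}


# Constructed task definition modelled on the persistence described above (paths are assumptions).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\EscanDissldo</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2023-04-03T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><RestartOnFailure><Interval>PT1M</Interval><Count>3</Count></RestartOnFailure></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle hidden -ep bypass -File "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign vendor updater for comparison.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Repetition><Interval>PT12H</Interval></Repetition>
    <StartBoundary>2023-04-03T09:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>"C:\\Program Files\\Vendor\\updater.exe"</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for xml in (SAMPLE_TASK_XML, BENIGN_TASK_XML):
        print(assess_task(xml))
```

Real `schtasks /Query /XML` exports are UTF-16 with an XML declaration, so read the file in binary mode and pass the bytes to `assess_task`; `ET.fromstring` honours the declared encoding for bytes input.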
- Main EXE payload: –
During the analysis of the final payload, we observed methods that are hidden from debugger breakpoints by means of the DebuggerHidden attribute.
In the figure below, we can see that the malware uses the symmetric Rijndael algorithm for encryption and decryption.
The following table and image show the important indicators extracted from the malware which can be helpful for the classification.
We also observed that information about the victim’s computer, such as the username, machine name, operating system version, malware version, administrator rights, webcam information, a screenshot and the antivirus software installed, is exfiltrated.
AV, Cam, Admin, etc.
- Post Executions:
Once the connection has been made, the malware waits for instructions from its C2C server, at which point the attacker can take numerous actions such as keylogging, shutdown, screen capture, update, running custom scripts, DDoS, registry edits, etc.:
Scripts, Bots, Admin Access
The malware includes AES-encrypted data carrying instructions for related operations, including DDoS attacks and Clipper functionality, as demonstrated in the following figures.
DDoS & Clipper operations
Clipper is an operation that steals cryptocurrency by monitoring the victim’s clipboard and replacing the victim’s destination wallet with the attacker’s wallet. The cryptocurrencies this clipper supports are BTC, ETH, XMR, LTC, Doge, Dash, BCash and ZCash.
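The clipper’s tell is behavioural: a wallet-looking string is copied, and a fraction of a second later the clipboard holds a different address of the same coin, written by a process that is not the one the user was working in. The Python detector below is an added example (not Avira’s code) that applies that rule to a clipboard timeline. Address patterns are format checks only (no checksum) for five of the coins listed above; Dash, BCash and ZCash can be added the same way. The timeline and the replacement address are constructed samples, and the process names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape checks only (no checksum): enough to tell "this clipboard text looks like a wallet".
WALLET_PATTERNS: Dict[str, re.Pattern] = {
    "BTC": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "LTC": re.compile(r"^(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "XMR": re.compile(r"^4[0-9AB][a-km-zA-HJ-NP-Z1-9]{93}$"),
}

ClipEvent = Tuple[float, str, str]  # (seconds, process that wrote the clipboard, text)


def classify_wallet(text: str) -> Optional[str]:
    """Return the coin whose address format the text matches, or None."""
    text = text.strip()
    for coin, rx in WALLET_PATTERNS.items():
        if rx.match(text):
            return coin
    return None


def detect_clipper(events: List[ClipEvent], window_s: float = 3.0) -> List[Dict[str, object]]:
    """Flag a wallet address overwritten by a different address of the same coin
    within window_s seconds of being copied: the clipper behaviour described above."""
    alerts: List[Dict[str, object]] = []
    last: Optional[Tuple[float, str, str, str]] = None  # (ts, proc, coin, address)
    for ts, proc, text in events:
        coin = classify_wallet(text)
        if coin is None:
            last = None  # non-wallet text breaks the chain
            continue
        addr = text.strip()
        if last and last[2] == coin and last[3] != addr and ts - last[0] <= window_s:
            alerts.append({"coin": coin, "original": last[3], "replaced_with": addr,
                           "after_s": round(ts - last[0], 2), "writer": proc,
                           "original_writer": last[1]})
        last = (ts, proc, coin, addr)
    return alerts


# Constructed clipboard timeline (not real telemetry); addresses are format-valid samples only.
SAMPLE_EVENTS: List[ClipEvent] = [
    (0.0, "explorer.exe", "meeting notes for Monday"),
    (10.0, "chrome.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),   # user copies a BTC address
    (10.4, "update.exe", "1SwappedConstructedAddrXYZ23456789a"),  # overwritten 0.4 s later
    (40.0, "chrome.exe", "0x" + "ab" * 20),                       # user copies an ETH address
    (41.0, "explorer.exe", "0x" + "ab" * 20),                     # same address again: no swap
    (60.0, "chrome.exe", "0x" + "cd" * 20),                       # new address 19 s later: outside the window
]

if __name__ == "__main__":
    for alert in detect_clipper(SAMPLE_EVENTS):
        print(alert)
```

On Windows the writing process for each clipboard update can be attributed via the clipboard owner window, which is what makes the `writer` field actionable: the alert names the process to isolate, and the `original` address tells the user which transaction to double-check before sending.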
Events from the mouse and keylogger were also exfiltrated.
Keyboard & Mouse positions
Once the operation has accomplished its purpose, the malware has a routine to terminate itself to avoid attracting attention.
HVNC module abuse:
Another noteworthy capability of the malware is its HVNC module, which enables an attacker to take control of the victim’s computer. A VNC module is chosen for some of the genuine remote-control activity because of the user-grade remote access VNC provides.
The malware also includes a routine that offers encryption capabilities for ransomware activities, as can be observed below:
Ransom Encryption routine
- MITRE ATT&CK Techniques: –
| Technique ID | Technique |
|---|---|
| T1059 | Command & Scripting Interpreter |
| T1027, T1027.009 | Obfuscated Files & Info, Embedded Payloads |
| T1140 | Deobfuscate/Decode File Information |
| T1497 | Virtualization & Sandbox Evasion |
| T1083, T1082, T1016.001 | File/Directory, System Info, Network Config Discovery |
| T1036.005 | Match Legitimate Name |
- IOC’s: –
The malware uses some of the most effective techniques from initial spread to final payload delivery. Its different layers show a high level of sophistication, from obfuscation to disabling security tools in order to avoid detection by security vendors. As new versions of the malware are available on dark-web marketplaces, it is still being actively developed. The malware is feature-rich to attract cybercriminals and delivers tools that are more accessible, usable and raise no alarms, like VNC. Such tools give them a high level of access to infected systems to carry out operations as they see fit. The cracked versions on the open web make it more dangerous because of their availability even to script kiddies.
How to stay safe and protected from this:
- It is always good to double-check the sender’s address before responding.
- Check the spelling of the product name and mail subject even if you think the mail was sent by an official product seller.
- Beware of opening email attachments, especially doc, html, zip and rar attachments. Unless you expected to receive the document and are sure it is trustworthy, don’t open it.
- Avoid clicking links in emails received from an unknown sender.
- Use a strong cyber safety solution such as Norton, Avast or Avira to make sure you are protected against these types of malicious behaviors.
About the Author:
Threat Analysis Engineer, Threat Protection Labs
Gurumoorthi Ramanathan is a Threat Researcher who has been working in the security industry for more than 4 years. He specializes in researching emerging threats, surfing the dark web, and developing effective automation systems for threat detection and protection.