Full Report
New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project last year. [...]
Analysis Summary
# Tool/Technique: XWorm Malware
## Overview
XWorm is a highly versatile Remote Access Trojan (RAT) that has resurfaced in new versions (6.0, 6.4, 6.5) after its original developer ceased updates. It is characterized by a modular architecture, supporting over 35 plugins that enable a wide array of malicious activities, including data theft, remote control, and increasingly, ransomware encryption capabilities.
## Technical Details
- Type: Malware family (RAT/Backdoor)
- Platform: Windows (Implied by DLLs, PowerShell usage, and specific file paths like %USERPROFILE%)
- Capabilities: Data exfiltration (browser/app credentials, crypto wallets), keystroke logging, clipboard monitoring, DDoS launching, remote shell/desktop access, file encryption (ransomware module), system information gathering, and webcam recording.
- First Seen: 2022 (Original observation)
## MITRE ATT&CK Mapping
XWorm exhibits techniques across multiple stages of the attack lifecycle:
- **Initial Access (TA0001)**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (e.g., malicious Excel files)
    - T1566.002 - Spearphishing Link (via malicious JavaScript)
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **Execution (TA0002)**
  - T1059 - Command and Scripting Interpreter
    - T1059.001 - PowerShell (used in the infection chain to deploy XWorm)
  - T1218 - Signed Binary Proxy Execution
    - T1218.011 - Mshta (potential, based on the multi-stage dropper usage implied)
- **Persistence (TA0003)** / **Defense Evasion (TA0005)**
  - T1547 - Boot or Logon Autostart Execution (implied via `StartupManager.dll`)
  - T1218 - Signed Binary Proxy Execution (bypassing AMSI via PowerShell script)
- **Collection (TA0009)**
  - T1005 - Data from Local System
  - T1016 - System Network Configuration
  - T1056 - Input Capture
    - T1056.001 - Keylogging
  - T1113 - Screen Capture (webcam recording via `Webcam.dll`)
- **Command and Control (TA0011)**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (likely used for C2 communication)
- **Impact (TA0040)**
  - T1486 - Data Encrypted for Impact (ransomware module)
## Functionality
### Core Capabilities
XWorm functions primarily as a Remote Access Trojan (RAT) designed for comprehensive system compromise:
* **Data Theft:** Utilizes specialized DLLs (`Stealer.dll`, `Chromium.dll`, etc.) to extract credentials from over 35 applications, including web browsers, crypto wallets, and communication apps.
* **System Control:** Provides operators with remote shell access (`Shell.dll`) to execute arbitrary commands via hidden `cmd.exe` processes and remote desktop capabilities (`RemoteDesktop.dll`).
* **Reconnaissance:** Gathers detailed system information (`Informations.dll`), lists active TCP connections (`TCPConnections.dll`), active windows, and startup programs.
### Advanced Features
* **Modular Plugin System:** Supports over 35 plugins, allowing operators to tailor the malware’s functionality for specific objectives, including implementing new attack vectors on the fly.
* **Ransomware Module (`Ransomware.dll`):** A significant addition that allows for file encryption. It targets data in `%USERPROFILE%` and `Documents`, appends the `.ENC` extension, deletes the originals, and drops an HTML ransom note. It shares code overlaps with the older .NET-based NoCry ransomware, using the same AES-CBC algorithm for encryption.
* **Anti-Analysis Evasion:** New variants appear to have addressed prior remote code execution vulnerabilities and employ scripting techniques (JavaScript leading to PowerShell) designed to bypass defenses like the Antimalware Scan Interface (AMSI).
## Indicators of Compromise
* File Hashes: Not specified in the article.
* File Names: Uses legitimate-looking executable names (e.g., disguised as Discord) and drops `.html` ransom notes.
* Registry Keys: Not specified in the article.
* Network Indicators: Communication with C2 servers for plugin downloads and data exfiltration (specific IPs/domains defanged).
* Behavioral Indicators: Execution chain involving malicious JavaScript initiating PowerShell to deploy the payload; file encryption operations targeting user profile data; setting custom desktop wallpaper post-encryption.
## Associated Threat Actors
* Multiple threat actors have adopted cracked or modified versions of the malware since the original developer (XCoder) abandoned the project.
* A previous campaign used XWorm as a lure to infect "script kiddies," primarily targeting entities in Russia, the United States, India, Ukraine, and Turkey.
## Detection Methods
* Signature-based detection: Signatures for known XWorm samples and the associated ransomware module DLLs.
* Behavioral detection: EDR solutions should monitor for the download/execution of malicious PowerShell scripts bypassing AMSI, and for the characteristic file manipulation and encryption patterns associated with the ransomware module (`.ENC` extension addition, original file deletion).
* YARA rules: Could be developed based on code overlaps noted with the NoCry ransomware module.
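The encrypt-then-delete pattern from the ransomware module description above, expressed as a per-process behavioral check over file events. This is an added illustration, not code from the article or from any EDR product; the event tuples, PIDs, paths and the `README_DECRYPT.html` note name are constructed, and the `min_pairs` threshold is an assumed tuning value.

```python
"""Toy detection for the XWorm Ransomware.dll behaviour: originals under the
user profile deleted after a '<name>.ENC' copy appears, plus an .html note.
All events below are constructed; real telemetry would come from an EDR or
Sysmon (event 11 FileCreate / event 23 FileDelete)."""
from collections import defaultdict

# Constructed file events as (pid, action, path).
SAMPLE_EVENTS = [
    (4120, "create", r"C:\Users\alice\Documents\budget.xlsx.ENC"),
    (4120, "delete", r"C:\Users\alice\Documents\budget.xlsx"),
    (4120, "create", r"C:\Users\alice\Documents\thesis.docx.ENC"),
    (4120, "delete", r"C:\Users\alice\Documents\thesis.docx"),
    (4120, "create", r"C:\Users\alice\Pictures\cat.jpg.ENC"),
    (4120, "delete", r"C:\Users\alice\Pictures\cat.jpg"),
    (4120, "create", r"C:\Users\alice\Documents\README_DECRYPT.html"),
    # Benign editor: writes a new document and removes an unrelated temp file.
    (2200, "create", r"C:\Users\alice\Documents\notes.txt"),
    (2200, "delete", r"C:\Users\alice\AppData\Local\Temp\~notes.tmp"),
]

USER_PROFILE_PREFIX = "c:\\users\\"  # %USERPROFILE% lives under here

def in_user_profile(path):
    """True when the path is inside a user profile directory."""
    return path.lower().startswith(USER_PROFILE_PREFIX)

def analyze(events, min_pairs=3):
    """Score the encrypt-then-delete pattern per PID.

    A 'pair' is a deleted original whose '<name>.ENC' sibling was created by
    the same PID. Returns {pid: {"pairs": n, "note": bool, "flagged": bool}}.
    A PID is flagged on many pairs alone, or on any pair plus an .html drop.
    """
    created, deleted, note = defaultdict(set), defaultdict(set), defaultdict(bool)
    for pid, action, path in events:
        if not in_user_profile(path):
            continue
        low = path.lower()
        if action == "create":
            created[pid].add(low)
            if low.endswith(".html"):
                note[pid] = True
        elif action == "delete":
            deleted[pid].add(low)
    verdicts = {}
    for pid in set(created) | set(deleted):
        pairs = sum(1 for p in deleted[pid] if p + ".enc" in created[pid])
        flagged = pairs >= min_pairs or (pairs > 0 and note[pid])
        verdicts[pid] = {"pairs": pairs, "note": note[pid], "flagged": flagged}
    return verdicts

if __name__ == "__main__":
    for pid, verdict in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

In production the same pairing logic would run over a sliding time window per process and feed the count into an alert alongside the parent process chain (JavaScript host spawning PowerShell) noted under behavioral indicators.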
## Mitigation Strategies
* Prevention: Implement proactive email and web protections to block initial malware droppers (e.g., blocking suspicious JavaScript or LNK file execution).
* Hardening: Employ Endpoint Detection and Response (EDR) solutions capable of monitoring and responding to the malicious behavior of plugins (e.g., unusual remote desktop initiation or high volumes of file encryption).
* Network Monitoring: Monitor network traffic for C2 beaconing activity, especially communications related to downloading additional modules or the exfiltration of stolen data.
## Related Tools/Techniques
* NoCry ransomware: XWorm's ransomware module shares significant code overlap (encryption algorithm and IV generation) with this earlier .NET ransomware.
* ScreenConnect RAT: Mentioned as being modified in a campaign that also delivered XWorm.