Full Report
AhnLab SEcurity intelligence Center (ASEC) collects information on malware distributed through phishing emails by using its own “email honeypot system.” Based on this information, ASEC publishes the “Phishing Email Trend Report” and “Infostealer Trend Report” on the ASEC Blog every month. Recently, XwormRAT has been confirmed to be distributed using steganography. This malware starts […]
Analysis Summary
# Tool/Technique: XwormRAT
## Overview
XwormRAT is a remote access trojan (RAT) being distributed via phishing emails, employing steganography techniques within image files to conceal its secondary stages, including a .NET loader and the final malware payload.
## Technical Details
- Type: Malware family (RAT)
- Platform: Assumed Windows (based on VBScript, JavaScript, and PowerShell usage)
- Capabilities: Initial execution via script, downloading of secondary payloads, loading of a .NET loader and final payload concealed by steganography in an image file, and Remote Access Trojan functionality (implied by the name RAT).
- First Seen: Previously covered by ASEC, current variant being distributed recently.
## MITRE ATT&CK Mapping
Given the infection chain described, the following mappings are relevant:
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Implied, based on phishing email distribution)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (Via PowerShell)
- T1059.005 - Visual Basic
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.006 - Steganography (Specific technique used)
## Functionality
### Core Capabilities
- Initial delivery via phishing emails.
- Multi-stage execution starting with VBScript or JavaScript.
- Insertion of malicious scripts into legitimate code to evade detection.
- Use of a PowerShell script containing Base64-encoded data padded with dummy characters, which the script strips with the `Replace()` function before decoding and executing it.
- Download and execution of external malware components.
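As an added triage example (not code from the ASEC report), the `Replace()` padding-removal pattern described above can be flagged and undone offline; the PowerShell text and its embedded Base64 string below are constructed placeholders, not a real sample.

```python
import base64
import binascii
import re

# Constructed sample in the shape the report describes: a Base64 blob padded with
# dummy characters ('#') that the script strips with Replace() before decoding.
# The embedded content is harmless placeholder text, not real malware.
SAMPLE_PS1 = (
    "$s='SGV#sbG#8gZ#nJv#bSB#hIG#RlY#29k#ZWQ#gc3#RhZ#2U=';"
    "$b=[System.Convert]::FromBase64String($s.Replace('#',''));"
    "[System.Text.Encoding]::UTF8.GetString($b)"
)

# .Replace('<dummy>','') with an empty second argument is the padding-removal idiom.
REPLACE_RE = re.compile(r"\.Replace\(\s*'([^']+)'\s*,\s*''\s*\)", re.IGNORECASE)

def find_dummy_chars(script):
    """Every substring the script strips via Replace('x','')."""
    return REPLACE_RE.findall(script)

def is_suspicious(script):
    """Detection rule: padding removal combined with Base64 decoding in one script."""
    return bool(REPLACE_RE.search(script)) and "frombase64string" in script.lower()

def candidate_blobs(script, min_len=32):
    """Single-quoted literals long enough to hold an encoded payload."""
    return [s for s in re.findall(r"'([^']*)'", script) if len(s) >= min_len]

def recover_payload(script):
    """Apply the script's own Replace() removals, then decode; None if nothing decodes."""
    dummies = find_dummy_chars(script)
    if not dummies:
        return None
    for blob in candidate_blobs(script):
        cleaned = blob
        for d in dummies:
            cleaned = cleaned.replace(d, "")
        try:
            return base64.b64decode(cleaned, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None

if __name__ == "__main__":
    print(is_suspicious(SAMPLE_PS1), find_dummy_chars(SAMPLE_PS1))
    print(recover_payload(SAMPLE_PS1))
```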
### Advanced Features
- **Steganography Implementation:** The malware utilizes steganography embedded within a JPG image file to hide a .NET loader and the final XwormRAT payload.
- **Past Variant:** Decoded the encoded data placed between the `>` and `>` marker strings at the end of the JPG.
- **Current Variant:** Searches for bitmap data appended to the JPG (the bytes `0x42, 0x4d, 0x46, 0xC0 …`, beginning with the `BM` bitmap signature) and extracts/decodes the R, G, and B values from the pixel data to retrieve the loader.
- Concealment of the loader execution, making it appear as if only an image file has been opened.
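An added example (not code from the report or the malware) that carves a bitmap appended after a JPG's end-of-image marker and recovers the per-pixel R, G, B byte stream for analysis. The stub JPEG, bitmap and payload bytes are constructed; the report does not describe how the RGB values are turned into the loader, so that final decoding is left to the analyst.

```python
import struct

JPEG_EOI = b"\xff\xd9"          # end-of-image marker; a clean JPEG ends here
BMP_HEADER_LEN = 54             # 14-byte file header + 40-byte BITMAPINFOHEADER

# Constructed sample: a stub JPEG with a 2x2 24-bit BMP appended after EOI. The
# bitmap's channel bytes spell the placeholder PAYLOAD (not real loader bytes).
# BMP pixel rows are stored bottom-up, as BGR triples, padded to 4-byte boundaries.
PAYLOAD = b"stage2-bytes"
_PIXELS = b"ats2eg\x00\x00" + b"yb-set\x00\x00"
SAMPLE_BMP = (struct.pack("<2sIHHI", b"BM", BMP_HEADER_LEN + len(_PIXELS), 0, 0, BMP_HEADER_LEN)
              + struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(_PIXELS), 2835, 2835, 0, 0)
              + _PIXELS)
SAMPLE_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 12 + JPEG_EOI + SAMPLE_BMP

def trailing_data(jpg):
    """Bytes after the last EOI marker: anything here is not part of the image."""
    end = jpg.rfind(JPEG_EOI)
    return b"" if end < 0 else jpg[end + 2:]

def carve_bmp(jpg):
    """Find an appended bitmap by its 'BM' signature (0x42 0x4D) and plausible header fields."""
    tail = trailing_data(jpg)
    pos = tail.find(b"BM")
    while pos >= 0:
        if len(tail) - pos >= BMP_HEADER_LEN:
            size = struct.unpack_from("<I", tail, pos + 2)[0]
            offset = struct.unpack_from("<I", tail, pos + 10)[0]
            if BMP_HEADER_LEN <= offset <= size <= len(tail) - pos:
                return tail[pos:pos + size]
        pos = tail.find(b"BM", pos + 1)
    return None

def extract_rgb(bmp):
    """Return R,G,B bytes per pixel in storage order from a 24-bit BMP (row padding dropped)."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("only 24-bit bitmaps are handled here")
    stride = (width * 3 + 3) & ~3
    out = bytearray()
    for y in range(abs(height)):
        row = bmp[offset + y * stride: offset + y * stride + width * 3]
        for x in range(width):
            b, g, r = row[x * 3:x * 3 + 3]
            out += bytes((r, g, b))
    return bytes(out)
```

Any non-empty result from `trailing_data()` on a real JPG is itself worth flagging, since a well-formed image carries nothing after its EOI marker.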
## Indicators of Compromise
- File Hashes:
- MD5: 0e5ff18f30be0fcb3f3d9be61e7b1eb9, 19399e8df23b0b98e1fe830e72888f34, 3cbb2ad896862aa551ee3010eee75a4a, 851460f488aca6b4da2f751f1899520e, 992fdbc2af1ef6a9ccae4f8661096f89
- File Names: (Not explicitly listed for the final payload, but common stages include VBScript/JavaScript launchers and the JPG file.)
- Registry Keys: (Not specified)
- Network Indicators:
- http[:]//paste[.]ee/d/YBaUs0Re/0
- http[:]//paste[.]ee/d/l46VcUGG/0
- https[:]//archive[.]org/download/wp4096799-lost-in-space-wallpapers_20250610/wp4096799-lost-in-space-wallpapers[.]jpg
- https[:]//pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/cunny[.]txt
- https[:]//pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/man[.]txt
- Behavioral Indicators: Execution of VBScript/JScript leading to PowerShell execution; PowerShell script using string manipulation (`Replace()`) on Base64 data; detection of file writes/execution originating from image file processing routines.
## Associated Threat Actors
- Threat actors distributing the malware samples analyzed by AhnLab SEcurity intelligence Center (ASEC). (No specific named threat group provided in context, aside from the malware's general use).
## Detection Methods
- Signature-based detection: Use provided file hashes (MD5) for known samples.
- Behavioral detection: Monitoring for scripts (VBScript/JavaScript) initiating PowerShell execution or downloading external payloads. Monitoring for unusual file processing related to image file manipulation that leads to code execution.
- YARA rules: Not explicitly provided, but rules targeting the unique patterns in the embedded PowerShell script or the specific steganography markers would be effective.
## Mitigation Strategies
- Exercise caution when opening emails and attachments from unknown or unsolicited sources.
- Implement strict email filtering policies to block suspicious file extensions or scripts.
- Employ application control to restrict the execution of PowerShell scripts from unusual locations or user contexts.
- Regularly update security solutions to detect known IOCs and behavioral anomalies associated with multi-stage droppers.
## Related Tools/Techniques
- RemcosRAT: Mentioned in relation to a past blog post discussing a similar distribution method (steganography).
- General Infostealer malware: ASEC tracks this malware via its Infostealer Trend Report, suggesting functional overlap or shared targets.