{"id":6228,"date":"2023-11-21T06:01:19","date_gmt":"2023-11-21T06:01:19","guid":{"rendered":"\/cybersecurity-blog\/?p=6228"},"modified":"2023-11-29T13:31:04","modified_gmt":"2023-11-29T13:31:04","slug":"xworm-malware-communication-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/xworm-malware-communication-analysis\/","title":{"rendered":"XWorm Malware: Exploring C&C Communication"},"content":{"rendered":"\n

In this article, our guest author Igal Lytzki (0xToxin<\/a> on Twitter) will explore and understand the dynamics occurring when a successful connection is established between the XWorm operating server and a user who has fallen victim to executing this malware. <\/p>\n\n\n\n

Throughout this article, Igal will investigate the encryption of the communication between the client and the server, uncover the methods to decrypt it, and identify the potential data and commands the server can transmit to the client. <\/p>\n\n\n\n

Let\u2019s get started! <\/p>\n\n\n\n

What is XWorm malware? <\/h2>\n\n\n\n

XWorm<\/a> is a Remote Access Trojan (RAT) malware, specifically targeting Windows operating systems. It provides the operator with an extensive array of so-called \u201cplugins\u201d designed to infect users upon successful connection. <\/p>\n\n\n\n

This malware has been active for quite a while now, a fact reflected in ANY.RUN<\/a>\u2019s weekly upload analytics they share on twitter:<\/p>\n\n\n

\n
\"\"
https:\/\/twitter.com\/ANY.RUN_app\/status\/1706184083577983354<\/a> <\/figcaption><\/figure><\/div>\n\n\n

XWorm Initial Connection <\/h2>\n\n\n\n

As previously noted, the purpose of this article is an examination of the occurrences post-establishment of a new connection by the XWorm operating server.  <\/p>\n\n\n\n

For those seeking a deep understanding of the XWorm code, such as persistence techniques and configuration extraction, read this detailed XWorm technical analysis in ANY.RUN\u2019s blog<\/a>. <\/p>\n\n\n\n

The current article is based on this ANY.RUN analysis<\/a>. Feel free to join us in real-time analysis by filtering with the Process ID 2932<\/strong>.<\/p>\n\n\n

\n
\"\"
We\u2019ll focus on a process with ID 2932 <\/figcaption><\/figure><\/div>\n\n\n

Analyzing the code of the XWorm payload, a specific class surfaces as the chief handler of the communication process with the server, termed the ClientSocket<\/strong> class in our context:<\/p>\n\n\n

\n
\"\"
ClientSocket class interface detailing server communication methods in XWorm payload <\/figcaption><\/figure><\/div>\n\n\n

On its initial run on the victim’s computer, XWorm initiates a connection to a remote server, the details of which are located in the MalConf<\/strong> section on the ANY.RUN scan: <\/p>\n\n\n

\n
\"\"
XWorm malware configuration in ANY.RUN <\/figcaption><\/figure><\/div>\n\n\n

The transmitted communication data appears as follows:<\/p>\n\n\n

\n
\"\"
Transmitted communication data <\/figcaption><\/figure><\/div>\n\n\n

Examining the code reveals that it can be splitted into two principal segments: <\/p>\n\n\n\n

    \n
  1. The data length (initial byte sequence up to the 0x00 byte) <\/li>\n<\/ol>\n\n\n\n
      \n
    1. The encrypted data <\/li>\n<\/ol>\n\n\n\n

      Illustrated in the above scenario, the data length stands at 272<\/strong> (expressed in decimal value). <\/p>\n\n\n\n

      The encryption employed is AES-ECB (without padding), and the encryption key is the MD5 hash of a configuration variable decrypted during the malware\u2019s execution. In our case it\u2019s <Guage12>.\u00a0<\/p>\n\n\n\n\n

      \n\n

      \nANY.RUN Enterprise plan at a discount\n
      \nUse promo: SANDBOXSAVER<\/span> \n<\/p>\n\n\nBook a call\n<\/a>\n<\/div>\n\n\n\n