Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

XWorm

25
Global rank
6 infographic chevron month
Month rank
5
Week rank
0
IOCs

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

RAT
Type
Ex-USSR
Origin
15 July, 2022
First seen
13 December, 2024
Last seen

How to analyze XWorm with ANY.RUN

RAT
Type
Ex-USSR
Origin
15 July, 2022
First seen
13 December, 2024
Last seen

IOCs

IP addresses
45.141.26.234
154.39.0.138
147.185.221.19
193.161.193.99
85.209.11.15
87.120.116.179
154.216.18.30
82.115.223.20
147.185.221.24
69.174.100.131
94.156.177.133
87.120.120.15
5.253.246.136
167.71.56.116
87.120.113.125
45.200.148.155
104.219.239.11
38.240.48.77
112.213.116.149
94.142.238.19
Domains
jajaovh.duckdns.org
audio-clouds.gl.at.ply.gg
who-begun.gl.at.ply.gg
8.tcp.ngrok.io
18.ip.gl.ply.gg
lohoainam2008-36048.portmap.io
camp.zapto.org
vitalwerks.istmein.de
almost-judges.gl.at.ply.gg
japanese-cross.gl.at.ply.gg
24.ip.gl.ply.gg
1.tcp.sa.ngrok.io
javierrobleste19848un23io23d.ydns.eu
age-wm.gl.at.ply.gg
main-carnival.gl.at.ply.gg
make-bios.gl.at.ply.gg
19.ip.gl.ply.gg
enter-vista.gl.at.ply.gg
phone-montreal.gl.at.ply.gg
rather-reputation.gl.at.ply.gg
URLs
https://pastebin.com/raw/BE5x0K3q:<123456789>
https://pastebin.com/raw/Ube8Y54C:<123456789>
https://pastebin.com/raw/7JNY0k2d:<123456789>
https://pastebin.com/raw/7jqELnuS:<123456789>
https://pastebin.com/raw/erNS5DCf:<123456789>
https://pastebin.com/raw/5FinF5Mf:<123456789>
https://pastebin.com/raw/R2PirDPT:<123456789>
https://pastebin.com/raw/EiiXCJbn:<123456789>
https://pastebin.com/raw/vJmE27fr:<123456789>
https://pastebin.com/raw/RPPi3ByL:<123456789>
https://pastebin.com/raw/97vk6RM0:<45321>
https://pastebin.com/raw/TFpa0BFw:<123456789>
https://pastebin.com/raw/2zRWZhkX:<123456789>
https://pastebin.com/raw/mNLAd9Px:<123456789>
https://pastebin.com/raw/4zfDhTvN:<123456789>
https://pastebin.com/raw/zcGavZvr:<123456789>
https://pastebin.com/ZavLK9A8:12345
https://pastebin.com/raw/L3Xphr0J:201770
https://pastebin.com/raw/aebEpmvj:<123456789>
tcp://ikonik2681-35277.portmap.host:35277/
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 269
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1412
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1848
comments 0

What is XWorm malware?

XWorm is a remote access trojan (RAT) that gives cybercriminals unauthorized access to a victim's computer. It is a modular malware, meaning that it can be customized to perform a variety of malicious tasks, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and deploying ransomware. It first came into the spotlight in July 2022 and is believed to have originated in the ex-USSR.

XWorm is sold as a malware-as-a-service (MaaS), which makes it extremely dangerous. It lowers the barrier to entry and opens hacking opportunities to more people. Since its first appearance in the global threat landscape in July 2022, XWorm has gone through several iterations. As of August 2023, the 4.2 version and the 5.0 version were the latest ones available for purchase.

Criminals use multi-stage attacks to deploy XWorm on victims’ computers. For example, an attack might start with a phishing email that contains a malicious Word document attachment. When the document is opened, it will load an .rtf file from an external link. This file will contain an Excel spreadsheet with macros that will execute a PowerShell script, which will then download XWorm onto the computer.

Technical details of the XWorm malicious software

XWorm is developed with the .NET Framework, which makes it a significant threat to Windows systems. The malware is also configurable, offering a wide range of tools for manipulating the infected machine.

Here are some of XWorm’s key capabilities:

  • Encrypted connection: XWorm is capable of maintaining a secure connection with its C&C server, even during poor network conditions.
  • Information gathering: The malware can collect a wide range of information from the infected computer, including credit card numbers, browsing history, bookmarks, downloads, as well as Firefox and Chromium passwords and cookies.
  • Account hijacking: XWorm can hack Discord, Telegram, and MetaMask accounts, as well as get hold of WiFi keys and product keys.
  • User activity tracking: The malware enables attackers to monitor the victim’s activities on their computer by logging their keystrokes, automatically saving webcam images, listening to their microphone, scanning their network connections, and viewing opened windows.
  • Clipboard access: XWorm can retrieve the information that has been copied to the clipboard and replace victims’ crypto wallet credentials with those of the attacker.
  • File management: It can gain control of a computer’s file system to transfer sensitive documents and content to its C2 or download additional malware and run it.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

In order to bypass User Account Control (UAC), XWorm attempts to get administrator permissions on the infected computer. This allows it to make changes to the system without requiring user consent. To ensure persistence, the malware adds itself to the list of programs that run automatically when the computer starts up by editing the registry.

It is also polymorphic, meaning that the malware’s code regularly transforms itself to throw detection software off course. Although XWorm has a built-in functionality to terminate its execution once it senses that it is launched in a virtualized environment, the ANY.RUN sandbox has no problem identifying the malware.

XWorm’s configuration

XWorm’s configuration

Execution process of XWorm

The malicious behavior of XWorm can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Immediately upon execution, XWorm drops an executable file into the Startup directory (“C:\Users\admin/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe”) and into the Roaming directory (“C:\Users\admin/AppData\Roaming\XWorm.exe”).

XWorm’s process graph

XWorm’s process graph

For the latter directory, a persistent service is created using the Task Scheduler. Malware checks for an external IP, which we can bypass with ANY.RUN’s Residential Proxy feature. After this, XWorm starts sending beacons to the C&C server, waiting for commands to execute.

Read a detailed analysis of XWorm in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution methods of the XWorm malware

As with most malware families, email phishing campaigns serve as XWorm’s main gateway to victims’ computers. The attack begins with an email containing an attachment. By exploiting different social engineering techniques, threat actors can persuade a user to download the attached file and open it.

Analysts have observed several file formats used by attackers, including .rtf, .lnk, and .pdf. In most cases, the email attachment itself does not contain any macros and is used primarily to kick off a chain reaction that involves downloading several other files, executing PowerShell scripts, and finally delivering the payload.

Such attacks can be facilitated by specialized tools, such as Freeze[.]rs and SYK Crypter, which are equipped with advanced capabilities for circumventing defense systems to drop a variety of malware families including Remcos RAT, njRAT, and RedLine Stealer.

One of the most recent XWorm attacks targeted businesses in Germany. It involved sending a .docx document to victims with a name that suggested it contained hotel reservation information. Instead of using macros, the file exploited the Follina vulnerability (CVE-2022-30190) to run external malicious files and a PowerShell script, which eventually dropped XWorm.

Conclusion

XWorm retains considerable staying power due to the consistent updates and wide availability, making it a top concern for organizations around the world. To protect your system from this threat, you need to have a stricter approach towards handling any links or files arriving in your inbox from unknown senders.

Instead of downloading documents and opening URLs, you can first analyze them in the ANY.RUN sandbox to quickly understand whether the file is malicious or not. ANY.RUN also provides you with a detailed report about the malware, such as its IOCs and TTPs. This information can be used to protect your organization from future attacks.

Try ANY.RUN for free – request a demo!

HAVE A LOOK AT

Adware screenshot
Adware
adware
Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.
Read More
Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More