XWorm

Global rank: 48
Month rank: 6
Week rank: 5
IOCs: 651

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Type: Remote Access Trojan
Origin: Ex-USSR
First seen: 15 July, 2022
Last seen: 24 September, 2023

IOCs

What is XWorm malware?

XWorm is a remote access trojan (RAT) that gives cybercriminals unauthorized access to a victim's computer. It is a modular malware, meaning that it can be customized to perform a variety of malicious tasks, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and deploying ransomware. It first came into the spotlight in July 2022 and is believed to have originated in the ex-USSR.

XWorm is sold as a malware-as-a-service (MaaS), which makes it especially dangerous: the subscription model lowers the barrier to entry and puts a capable RAT in the hands of far more operators. Since its first appearance in the global threat landscape in July 2022, XWorm has gone through several iterations. As of August 2023, version 4.2 and version 5.0 were the latest ones available for purchase.

Criminals use multi-stage attacks to deploy XWorm on victims’ computers. For example, an attack might start with a phishing email that contains a malicious Word document attachment. When the document is opened, it will load an .rtf file from an external link. This file will contain an Excel spreadsheet with macros that will execute a PowerShell script, which will then download XWorm onto the computer.

Technical details of the XWorm malicious software

XWorm is developed with the .NET Framework, which makes it a significant threat to Windows systems. The malware is also configurable, offering a wide range of tools for manipulating the infected machine.

Here are some of XWorm’s key capabilities:

  • Encrypted connection: XWorm is capable of maintaining a secure connection with its C&C server, even during poor network conditions.
  • Information gathering: The malware can collect a wide range of information from the infected computer, including credit card numbers, browsing history, bookmarks, downloads, as well as Firefox and Chromium passwords and cookies.
  • Account hijacking: XWorm can hack Discord, Telegram, and MetaMask accounts, as well as get hold of WiFi keys and product keys.
  • User activity tracking: The malware enables attackers to monitor the victim’s activities on their computer by logging their keystrokes, automatically saving webcam images, listening to their microphone, scanning their network connections, and viewing opened windows.
  • Clipboard access: XWorm can retrieve the information that has been copied to the clipboard and replace victims’ crypto wallet credentials with those of the attacker.
  • File management: It can gain control of a computer’s file system to transfer sensitive documents and content to its C2 or download additional malware and run it.

In order to bypass User Account Control (UAC), XWorm attempts to get administrator permissions on the infected computer. This allows it to make changes to the system without requiring user consent. To ensure persistence, the malware adds itself to the list of programs that run automatically when the computer starts up by editing the registry.

It is also polymorphic, meaning that the malware’s code regularly transforms itself to throw detection software off course. Although XWorm has built-in functionality to terminate its execution once it senses that it is running in a virtualized environment, the ANY.RUN sandbox has no problem identifying the malware.

Figure: XWorm’s configuration

Execution process of XWorm

The malicious behavior of XWorm can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Immediately upon execution, XWorm drops an executable file into the Startup directory (“C:\Users\admin/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe”) and into the Roaming directory (“C:\Users\admin/AppData\Roaming\XWorm.exe”).

For the copy in the Roaming directory, a persistent scheduled task is created using the Task Scheduler. The malware then checks its external IP address, a check that ANY.RUN’s Residential Proxy feature lets the analyst get past. After this, XWorm starts sending beacons to the C&C server and waits for commands to execute.
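The persistence behaviours just described (an executable dropped into the Startup folder and into the root of the Roaming directory, plus a Task Scheduler entry pointing at it) lend themselves to a simple host-based check. The following Python is an added example, not code from ANY.RUN or from this page: it scans Sysmon-style file-create and process-create events and flags those three behaviours. The sample events are constructed; the two dropped-file paths are the ones quoted above, while the schtasks command line is an assumed shape, since the page does not show it.

```python
import re

# Constructed Sysmon-style events (not real telemetry). The two dropped-file
# paths are the ones quoted in the text above; the schtasks command line is an
# assumed example of how a Task Scheduler persistence entry might look.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\admin\Downloads\Invoice.exe",
     "TargetFilename": r"C:\Users\admin/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe"},
    {"EventID": 11, "Image": r"C:\Users\admin\Downloads\Invoice.exe",
     "TargetFilename": r"C:\Users\admin/AppData\Roaming\XWorm.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "XWorm" /tr "C:\Users\admin/AppData\Roaming\XWorm.exe" /sc minute'},
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\admin\Downloads\report.pdf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /tn Backup"},
]

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
ROAMING_ROOT = "\\appdata\\roaming\\"
# An .exe written directly under Roaming (no vendor sub-folder), as in the text.
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$")
# schtasks /create ... /tr "<program>": capture the program the task will run.
TASK_CREATE = re.compile(r'/create\b.*?/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)

def normalize(path):
    """Fold '/' into '\\' and lower-case: the sandbox paths quoted above mix
    both separators, and a matcher assuming clean backslashes would miss them."""
    return path.replace("/", "\\").lower()

def flag_event(ev):
    """Return (rule, artefact) if the event matches one of the XWorm
    persistence behaviours described in the text, else None."""
    if ev["EventID"] == 11:  # file created
        path = normalize(ev["TargetFilename"])
        if STARTUP_DIR in path and path.endswith(".exe"):
            return ("exe_dropped_in_startup_folder", path)
        if ROAMING_EXE.search(path):
            return ("exe_dropped_in_roaming_root", path)
    elif ev["EventID"] == 1 and ev["Image"].lower().endswith("schtasks.exe"):
        m = TASK_CREATE.search(ev["CommandLine"])
        if m and ROAMING_ROOT in normalize(m.group(1)):
            return ("scheduled_task_runs_roaming_exe", normalize(m.group(1)))
    return None

def flag_events(events):
    """Apply flag_event to every event and keep the hits, in input order."""
    return [hit for hit in map(flag_event, events) if hit]
```

Running flag_events(SAMPLE_EVENTS) yields three hits, one per behaviour; the Firefox download and the schtasks /query event are left alone.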

Figure: XWorm’s process graph

Distribution methods of the XWorm malware

As with most malware families, email phishing campaigns serve as XWorm’s main gateway to victims’ computers. The attack begins with an email containing an attachment. By exploiting different social engineering techniques, threat actors can persuade a user to download the attached file and open it.

Analysts have observed several file formats used by attackers, including .rtf, .lnk, and .pdf. In most cases, the email attachment itself does not contain any macros and is used primarily to kick off a chain reaction that involves downloading several other files, executing PowerShell scripts, and finally delivering the payload.

Such attacks can be facilitated by specialized tools, such as Freeze[.]rs and SYK Crypter, which are equipped with advanced capabilities for circumventing defense systems to drop a variety of malware families including Remcos RAT, njRAT, and RedLine Stealer.

One of the most recent XWorm attacks targeted businesses in Germany. It involved sending a .docx document to victims with a name that suggested it contained hotel reservation information. Instead of using macros, the file exploited the Follina vulnerability (CVE-2022-30190) to run external malicious files and a PowerShell script, which eventually dropped XWorm.

Conclusion

XWorm retains considerable staying power due to its consistent updates and wide availability, making it a top concern for organizations around the world. To protect your systems from this threat, you need a stricter approach towards handling any links or files arriving in your inbox from unknown senders.

Instead of downloading documents and opening URLs, you can first analyze them in the ANY.RUN sandbox to quickly understand whether the file is malicious or not. ANY.RUN also provides you with a detailed report about the malware, such as its IOCs and TTPs. This information can be used to protect your organization from future attacks.