
XWorm

Global rank: 31 · Month rank: 6 · Week rank: 6 · IOCs: 1283

XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails.

Type: Remote Access Trojan
Origin: Ex-USSR
First seen: 15 July, 2022
Last seen: 18 June, 2024


IOCs

IP addresses
107.175.101.198
185.91.127.220
104.250.180.178
91.92.241.69
64.226.123.178
95.142.46.3
200.9.155.204
193.161.193.99
119.59.98.116
94.23.221.180
147.185.221.20
194.107.126.34
103.179.173.200
103.166.183.24
185.200.116.219
90.211.79.231
5.39.43.50
37.150.114.247
79.110.49.133
82.147.85.135
Hashes

Domains
modern-educators.gl.at.ply.gg
wireless-next.gl.at.ply.gg
0.tcp.eu.ngrok.io
4.tcp.eu.ngrok.io
atelilian99.ddns.net
releases-photos.at.ply.gg
4mekey.myftp.biz
wiz.bounceme.net
final-consequently.gl.at.ply.gg
estrella1221.duckdns.org
inn-ht.gl.at.ply.gg
loans-clip.gl.at.ply.gg
ergfdsvhiebviured.con-ip.com
b-details.gl.at.ply.gg
7.tcp.eu.ngrok.io
18.ip.gl.ply.gg
dwx1.duckdns.org
ivmsgauzt84tgksuw6an6cht0am8iiux0jz.duckdns.org
liveroman228-26531.portmap.host
maynewxw9402.duckdns.org
URLs
https://pastebin.com/raw/VT213gz9:<123456789>
https://pastebin.com/raw/zNCj2Utm:<123456789>
https://pastebin.com/raw/xtjcfDDS:<123456789>
https://drive.usercontent.google.com/download
https://pastebin.com/raw/pw1j2xqz:<123456789>
https://pastebin.com/raw/H3wFXmEi:<123456789>
https://raw.githubusercontent.com/43a1723/test/main/Ip:hai1723
https://pastebin.com/raw/1kNwNBjC:<123456789>
https://pastebin.com/raw/13z7YSFZ:<123456789>
https://pastebin.com/raw/aCfh8JFM:<123456789>
https://pastebin.com/raw/Xuc6dzua:<123456789>
https://pastebin.com/raw/kTrgfRNT:<123456789>
https://pastebin.com/raw/zgmeGAte:<123456789>
https://pastebin.com/raw/cXrVe9uw:<123456789>
https://pastebin.com/raw/mxJuykEA:<123456789>
https://pastebin.com/raw/1YQct0um:2001
https://pastebin.com/raw/KsJXeNMc:<123456789>
https://pastebin.com/raw/dUeg9RXC:123456789
https://pastebin.com/raw/cVQrB6DR:<123456789>
https://pastebin.com/raw/bN2vmgy2:<123456789>
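The IOC list above mixes three shapes: bare IPs, domains on tunneling and dynamic-DNS providers, and dead-drop URLs (Pastebin, GitHub raw, Google Drive) from which the bot fetches its real C2 address, printed with the configured port appended after a colon. The parser below is an added example, not ANY.RUN's code; it normalizes those entries into records, splits off the port field (a number, a "<123456789>" placeholder, or whatever token the operator left there), and defangs them for reporting. The sample entries are copied from the list above; the grouping of providers into "tunnel", "ddns" and "dead_drop" families is an assumption made for this example.

```python
"""Normalize the XWorm IOC entries listed above into structured records.

Added example; it is not ANY.RUN's code. The sample entries are copied from
the list on this page. The grouping of hosting providers into "tunnel",
"ddns" and "dead_drop" families is an assumption made for this example,
not a classification the page gives.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed provider families, chosen from the suffixes in the domain list above.
PROVIDER_FAMILIES = {
    "tunnel": (".ply.gg", ".ngrok.io", ".portmap.host"),
    "ddns": (".duckdns.org", ".ddns.net", ".myftp.biz",
             ".bounceme.net", ".con-ip.com"),
}
# Hosts used as dead drops: the bot fetches its real C2 address from a paste.
DEAD_DROP_HOSTS = ("pastebin.com", "raw.githubusercontent.com",
                   "drive.usercontent.google.com")

# Trailing ":<port>" as printed on this page: a number, a "<123456789>"
# style placeholder, or some other token the operator left in that field.
# A "/" is excluded so the scheme separator "https://" never matches.
_PORT_SUFFIX = re.compile(r":(<[^>]*>|[^/:<>]+)$")


def classify_host(host):
    """Return "ip", "dead_drop", "tunnel", "ddns" or "other" for a host."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    h = host.lower()
    if h in DEAD_DROP_HOSTS:
        return "dead_drop"
    for family, suffixes in PROVIDER_FAMILIES.items():
        if h.endswith(suffixes):
            return family
    return "other"


def parse_ioc(entry):
    """Split one IOC line into host, URL, port and category.

    Handles the three shapes on the page: a bare IP, a bare domain, and a
    dead-drop URL with a ":port" field appended after the paste path.
    """
    entry = entry.strip()
    port_raw = None
    match = _PORT_SUFFIX.search(entry)
    if match:
        port_raw = match.group(1)
        entry = entry[: match.start()]
    url = entry if "://" in entry else None
    host = (urlparse(entry).hostname or "") if url else entry
    port = int(port_raw) if port_raw and port_raw.isdigit() else None
    return {
        "host": host,
        "url": url,
        "port": port,
        "port_raw": port_raw,
        "port_is_placeholder": bool(port_raw) and port_raw.startswith("<"),
        "category": classify_host(host),
    }


def defang(text):
    """Make an indicator safe to paste into a report or ticket."""
    return text.replace("http", "hxxp").replace(".", "[.]")


def summarize(entries):
    """Count indicators per category for a quick view of the infrastructure."""
    return dict(Counter(parse_ioc(e)["category"] for e in entries))


# Sample input taken from the IOC list above.
SAMPLE_IOCS = [
    "107.175.101.198",
    "0.tcp.eu.ngrok.io",
    "estrella1221.duckdns.org",
    "https://pastebin.com/raw/1YQct0um:2001",
    "https://pastebin.com/raw/VT213gz9:<123456789>",
    "https://raw.githubusercontent.com/43a1723/test/main/Ip:hai1723",
    "https://drive.usercontent.google.com/download",
]

if __name__ == "__main__":
    for ioc in SAMPLE_IOCS:
        rec = parse_ioc(ioc)
        print(f'{rec["category"]:10} {defang(rec["host"]):32} port={rec["port_raw"]}')
    print(summarize(SAMPLE_IOCS))
```

The port regex assumes IPv4 hosts, as on this page; a bare IPv6 literal would need bracket handling before the suffix split. A dead-drop record with a placeholder port is worth keeping: the paste ID is still a usable indicator even when the operator never set a real port.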


What is XWorm malware?

XWorm is a remote access trojan (RAT) that gives cybercriminals unauthorized access to a victim's computer. It is a modular malware, meaning that it can be customized to perform a variety of malicious tasks, such as stealing sensitive data and cryptocurrency, launching DDoS attacks, and deploying ransomware. It first came into the spotlight in July 2022 and is believed to have originated in the ex-USSR.

XWorm is sold as malware-as-a-service (MaaS), which makes it especially dangerous: the subscription model lowers the barrier to entry and puts a capable RAT in the hands of people who could not build one themselves. Since its first appearance in the global threat landscape in July 2022, XWorm has gone through several iterations. As of August 2023, versions 4.2 and 5.0 were the latest available for purchase.

Criminals use multi-stage attacks to deploy XWorm on victims’ computers. In one observed chain, the attack starts with a phishing email carrying a malicious Word document. When the document is opened, it loads an .rtf file from an external link; that file embeds an Excel spreadsheet whose macros execute a PowerShell script, which in turn downloads XWorm onto the computer.

Technical details of the XWorm malicious software

XWorm is written for the .NET Framework and targets Windows systems. The malware is configurable and offers operators a wide range of tools for manipulating the infected machine.

Here are some of XWorm’s key capabilities:

  • Encrypted connection: XWorm keeps an encrypted channel to its C&C server and re-establishes it when the link drops under poor network conditions.
  • Information gathering: The malware can collect a wide range of information from the infected computer, including credit card numbers, browsing history, bookmarks, downloads, as well as Firefox and Chromium passwords and cookies.
  • Account hijacking: XWorm can hijack Discord, Telegram, and MetaMask accounts and extract saved Wi-Fi keys and product keys.
  • User activity tracking: The malware lets attackers monitor the victim’s activity by logging keystrokes, capturing webcam images at intervals, recording from the microphone, scanning network connections, and listing open windows.
  • Clipboard access: XWorm reads the clipboard and, when it finds a cryptocurrency wallet address, replaces it with one controlled by the attacker (a clipper).
  • File management: It can browse and control the file system, upload sensitive documents to its C2, and download and run additional malware.


To bypass User Account Control (UAC), XWorm tries to obtain administrator rights on the infected computer, which lets it change the system without prompting the user. For persistence it registers itself as an autostart program by editing the registry, so it is launched every time the computer starts.

It is also described as polymorphic: its code is regularly altered so that signature-based detection tools no longer match it. XWorm has a built-in check that terminates execution when it senses a virtualized environment, but the ANY.RUN sandbox still identifies the malware without trouble.

XWorm’s configuration

Execution process of XWorm

The malicious behavior of XWorm can be easily uncovered by uploading it to the ANY.RUN sandbox. Here is a sample of this malware on the platform.

Immediately upon execution, XWorm drops an executable file into the Startup directory (“C:\Users\admin/AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe”) and into the Roaming directory (“C:\Users\admin/AppData\Roaming\XWorm.exe”).

For the copy in the Roaming directory, persistence is set up through a scheduled task created with the Task Scheduler. The malware then queries its external IP address; ANY.RUN’s Residential Proxy feature lets the analyst get past this check. After that, XWorm starts beaconing to its C&C server and waits for commands to execute.
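The persistence chain just described (an executable dropped into the Startup folder and into Roaming, a scheduled task pointing at the Roaming copy) plus the registry autostart entry from the technical section above is exactly the kind of sequence a detection should correlate rather than match piecemeal. The script below is an added example, not ANY.RUN's code and not its report format: it runs over constructed JSON-line events in a hypothetical {"kind", "pid", ...} layout that mimics what a sandbox records, and only reports a scheduled task or Run key when its target was written earlier in the same log. The mixed "/" and "\" in the dropped path, as shown on this page, is why paths are normalized before comparison. The schtasks arguments and the C2 port in the sample are assumptions.

```python
"""Flag the XWorm-style persistence chain in sandbox event logs.

Added example; not ANY.RUN's code and not its report format. SAMPLE_EVENTS
is a constructed log in a hypothetical JSON-lines layout; the schtasks
arguments and the C2 port are assumed for the example.
"""
import json
import re

# Normalized (lower-case, backslash-only) patterns for the two drop
# locations named above. The sample path on this page mixes "/" and "\",
# so normalization is what makes the scheduled-task target match the drop.
STARTUP_EXE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe$")
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\\]+\.exe$")
SCHTASKS = re.compile(r"(^|\\)schtasks(\.exe)?$")


def norm_path(path):
    return path.replace("/", "\\").lower()


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments intact."""
    return [quoted or bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def flag_value(tokens, flag):
    """Value following a flag such as /tr (case-insensitive), else None."""
    lowered = [t.lower() for t in tokens]
    if flag not in lowered:
        return None
    i = lowered.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else None


def detect_persistence(lines):
    """Return persistence findings, each correlated to a prior file drop.

    A scheduled task or Run key only counts when its target was written by
    an earlier FILE_CREATE, which keeps legitimate autostart entries out.
    """
    dropped = {}   # normalized path -> pid that wrote it
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("kind")
        if kind == "FILE_CREATE":
            path = norm_path(ev["path"])
            if STARTUP_EXE.search(path):
                dropped[path] = ev["pid"]
                findings.append({"technique": "startup_folder",
                                 "pid": ev["pid"], "evidence": ev["path"]})
            elif ROAMING_EXE.search(path):
                dropped[path] = ev["pid"]
        elif kind == "PROCESS_CREATE":
            toks = tokenize(ev["cmdline"])
            lowered = [t.lower() for t in toks]
            if toks and SCHTASKS.search(lowered[0]) and "/create" in lowered:
                target = flag_value(toks, "/tr")
                if target and norm_path(target) in dropped:
                    findings.append({"technique": "scheduled_task",
                                     "pid": ev["pid"], "evidence": ev["cmdline"]})
        elif kind == "REG_SET":
            if (ev["key"].lower().endswith("\\currentversion\\run")
                    and norm_path(ev["data"]) in dropped):
                findings.append({"technique": "run_key",
                                 "pid": ev["pid"], "evidence": ev["data"]})
    return findings


# Constructed sample log, not a real ANY.RUN report.
SAMPLE_EVENTS = r"""
{"kind": "PROCESS_CREATE", "pid": 2104, "cmdline": "C:\\Users\\admin\\Desktop\\invoice.exe"}
{"kind": "FILE_CREATE", "pid": 2104, "path": "C:\\Users\\admin/AppData\\Roaming\\XWorm.exe"}
{"kind": "FILE_CREATE", "pid": 2104, "path": "C:\\Users\\admin/AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XWorm.exe"}
{"kind": "PROCESS_CREATE", "pid": 2116, "cmdline": "schtasks /create /f /RU admin /sc minute /mo 1 /tn XWorm /tr \"C:\\Users\\admin\\AppData\\Roaming\\XWorm.exe\""}
{"kind": "REG_SET", "pid": 2104, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "XWorm", "data": "C:\\Users\\admin\\AppData\\Roaming\\XWorm.exe"}
{"kind": "NET_CONNECT", "pid": 2104, "dst": "104.250.180.178:7000"}
"""

if __name__ == "__main__":
    for f in detect_persistence(SAMPLE_EVENTS.splitlines()):
        print(f'{f["technique"]:16} pid={f["pid"]}  {f["evidence"]}')
```

The correlation against earlier drops is the part worth keeping when porting this to a real telemetry source: schtasks /create and Run-key writes are common in legitimate software, but a task whose target was just written to Roaming by an unsigned process is not.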

Read a detailed analysis of XWorm in our blog.

XWorm’s process graph

Distribution methods of the XWorm malware

As with most malware families, email phishing campaigns serve as XWorm’s main gateway to victims’ computers. The attack begins with an email containing an attachment. By exploiting different social engineering techniques, threat actors can persuade a user to download the attached file and open it.

Analysts have observed several file formats used by attackers, including .rtf, .lnk, and .pdf. In most cases, the email attachment itself does not contain any macros and is used primarily to kick off a chain reaction that involves downloading several other files, executing PowerShell scripts, and finally delivering the payload.

Such attacks can be facilitated by specialized tools, such as Freeze[.]rs and SYK Crypter, which are equipped with advanced capabilities for circumventing defense systems to drop a variety of malware families including Remcos RAT, njRAT, and RedLine Stealer.

One of the most recent XWorm attacks targeted businesses in Germany. It involved sending a .docx document to victims with a name that suggested it contained hotel reservation information. Instead of using macros, the file exploited the Follina vulnerability (CVE-2022-30190) to run external malicious files and a PowerShell script, which eventually dropped XWorm.

Conclusion

XWorm retains considerable staying power due to the consistent updates and wide availability, making it a top concern for organizations around the world. To protect your system from this threat, you need to have a stricter approach towards handling any links or files arriving in your inbox from unknown senders.

Instead of downloading documents and opening URLs, you can first analyze them in the ANY.RUN sandbox to quickly understand whether the file is malicious or not. ANY.RUN also provides you with a detailed report about the malware, such as its IOCs and TTPs. This information can be used to protect your organization from future attacks.


