XWorm Malware

A newly discovered XWorm malware variant poses a significant risk to Windows operating systems. This malicious software possesses many capabilities, including remote desktop control, information theft, and the ability to conduct ransomware attacks.

Consequently, Windows users must take the necessary steps to protect their systems against this dangerous threat.

XWorm is a malicious software program designed to infiltrate Windows operating systems. It has gained notoriety as one of the most frequently employed malware strains on platforms like ANY.RUN.

ANY.RUN, an interactive online sandbox for fast malware analysis, has published the results of its research into the top cyber threat trends in Q2 2023.

The service, which analyzes 14,000 suspicious files and links daily, discovered that RATs (Remote Access Trojans) and loaders further solidified their positions as the primary security concerns. RATs displayed an increase of 12.8% quarter over quarter.

Technical Analysis of a New Malware Version

According to the report shared with Cyber Security News, ANY.RUN discovered XWorm malware using dynamic sandbox analysis, static analysis, and reverse engineering techniques, shedding light on its sophisticated functionalities and evasion mechanisms.

One of the users on ANY.RUN submitted a sample downloaded from a file hosting service and encrypted within an RAR archive. Upon launch, Suricata’s network rules promptly identified it as XWorm. 

The application demonstrated features such as creating a shortcut for automatic launch, utilizing a task scheduling mechanism, and trying to connect with a distant server.

Furthermore, the software showcased a unique behavior of attempting to verify whether it’s running on a physical machine or a virtual one, thus employing anti-evasion techniques.

Obfuscation faced in the XWorm Static Analysis led the ANY.RUN team to examine the program through reverse engineering techniques.

Document
FREE Trial

Malware Hunting With Live Access To The Heart Of An Incident.

Investigate all the ANY.RUN functionality with your own settings and files. Try The Full Power Of Interactive Analysis and Detect malware quickly and efficiently.

Reverse Engineering: Additional Anti-evasion Techniques

Script that locates machine location

A query to check whether the current machine is hosted or located in a data center.

Script accessing registry

The sample also gains a foothold by utilizing the registry and the task scheduler.

Reverse Engineering: XWorm Configuration Extraction

Through reverse engineering, they discovered the malware’s configuration extraction process.

Malware Configuration

The configuration decryption involved computing an MD5 hash, copying the hash twice into an array, and utilizing it as an AES key to decrypt base64 strings. 

By extracting the malware’s configuration, we gained valuable insights into its communication, behavior, and persistence mechanism, says ANY.RUN.

You can Get a 14-day free trial of ANY.RUN’s top plan for your company or security team today!