{
  "name": "XWorm: Analysis of Latest Version and Execution Flow",
  "slug": "xworm-analysis-of-latest-version-and-execution-flow",
  "description": "XWorm, a versatile tool discovered in 2022, enables attackers to access sensitive information, gain remote access, and deploy additional malware. The latest version's infection chain begins with a Windows Script File downloading a PowerShell script from paste.ee. This script creates multiple files, establishes persistence through a scheduled task, and notifies the attacker via Telegram. The malware employs evasive techniques, including reflectively loading a DLL loader, which then injects XWorm into a legitimate process. New features include plugin removal and a network command that reports response time. The analysis covers the entire execution flow, from initial infection to the final payload execution, highlighting the sophisticated nature of this threat.",
  "published": "2024-10-03T13:16:31+00:00",
  "created_at": "2024-10-03T13:16:31+00:00",
  "modified_at": "2024-10-03T14:21:50+00:00",
  "created_at_opencti": "2024-10-03T13:16:31+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-10-03",
    "evasion techniques",
    "infection chain",
    "process injection",
    "reflective loading",
    "remote access",
    "telegram notification",
    "xworm"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "89.116.164.56"
      },
      {
        "id": "",
        "name": "http://ziadonfire.work.gd:7000"
      },
      {
        "id": "",
        "name": "ziadonfire.work.gd"
      },
      {
        "id": "",
        "name": "f1bc5fa7bfa063b32dea6371cc309821201d6122e19b793776f128c42b93957b"
      },
      {
        "id": "",
        "name": "92baa79ed1e8ccca07666968715b1d517c9e7340505112b41aadef1e7e433a1c"
      },
      {
        "id": "",
        "name": "400ca77dc7a2b32428a47355c5388ab547ab7c696386c71f3d4abb2869ba66be"
      },
      {
        "id": "",
        "name": "2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8"
      },
      {
        "id": "",
        "name": "182199ae3921c4458c39003a22deb07ea40ec3c4e67d8b3efab42698aab634ec"
      }
    ],
    "malware": [
      {
        "id": "82e2ea8e-729a-4648-ba23-3a792f53fa15",
        "name": "Xworm",
        "slug": "xworm"
      }
    ],
    "attack_patterns": [
      {
        "id": "de38dd3a-41d7-4621-8a00-a32d7f0ff420",
        "name": "T1102.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "4d36ebe8-4925-419a-bdd5-73f6427a975d",
        "name": "T1064"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://www.netskope.com/blog/netskope-threat-labs-uncovers-new-xworms-stealthy-techniques",
    "https://otx.alienvault.com/pulse/66feb54f6a6590d6ce4e4004"
  ]
}