XWorm is a relatively new representative of the remote access trojan (RAT) family that has already earned its spot among the most persistent threats across the globe.
Since 2022, when it was first observed by researchers, it has undergone a number of major updates that have significantly enhanced its functionality and solidified its staying power.
The expert team at ANY.RUN came across the newest version of the malware and could not pass up the chance to take it apart and examine XWorm's mechanics and configuration. Here is how they did it and what they found.
The XWorm sample's origin
The sample in question was discovered in ANY.RUN's database of malware, a repository containing detailed analysis reports on all files and links that have been uploaded by users of the sandbox in public mode.
A quick look at the results of the analysis revealed that the sample was initially distributed via MediaFire, a file-hosting service. The malware was packaged in a RAR archive and protected by a password.
Figure 1: The MediaFire page containing the archive download link.
Upon execution, the threat was instantly detected by Suricata rules and identified as XWorm.
Figure 2: XWorm's traffic marked as malicious by the sandbox.
XWorm's Tactics, Techniques, and Procedures (TTPs)
The sandbox report highlighted several techniques used by the sample:
Figure 3: XWorm's activities on the infected system.
MITRE T1547.001: XWorm added its shortcut to the Startup directory.
MITRE T1053.005: It used the task scheduler to restart itself with elevated privileges, as indicated by the "/RL HIGHEST" parameter.
MITRE T1074.001: The package was installed in the Public directory.
MITRE T1571: The malware tried to connect to a remote server, but no response was received.
XWorm's failed attempt to evade sandbox analysis
Since the initial analysis report was several days old, the team decided to run the sample through the sandbox once again to check for new activities.
However, after launch, the malware crashed almost immediately. A short investigation made it evident that the sample now queried a particular service to determine whether it was running in a virtual sandbox.
Essentially, XWorm's developers implemented an evasion technique that caused the malicious package to shut down as soon as it sensed a virtualized environment.
To overcome this, the team enabled Residential Proxy in the sandbox settings. This feature replaces the virtual machine's datacenter IP address with one from an actual ISP, making the malware think it is running on a real user's machine.
Figure 4: Residential Proxy provides IP addresses from numerous
After rerunning the sample with Residential Proxy enabled, XWorm was successfully executed and began its activity.
On top of that, with the help of the MITM proxy feature, it was possible to extract the information transmitted by XWorm to Telegram (MITRE T1102). The data included the malware's version (XWorm V3.1), the machine's username, the OS version, and likely the victim's hash.
Figure 5: XWorm collected system information (MITRE T1082).
Static analysis of the new XWorm variant
After gathering all the important information provided by the sandbox, the analysts began the static analysis phase of their research. The first step was to load the sample into Detect It Easy (DIE), an industry standard for initial malware analysis. The program quickly determined that it was a .NET variant of XWorm.
Figure 6: DIE provided an insight into the malware's compiler.
From there, the only logical step for the team was to open the file in dnSpy, a .NET debugger, which promptly revealed that the binary was subject to heavy obfuscation. However, DIE failed to recognize the packer even when using heuristic scanning.
Figure 7: XWorm's code turned out to be obfuscated (MITRE T1027).
Employing de4dot, a .NET deobfuscator and unpacker, also did not have any effect.
More of XWorm's evasion and persistence techniques
Further investigation of the malicious binary allowed the team to uncover additional pieces of the puzzle. Specifically, a number of other mechanisms used by the malware were found:
Virtualization detection: XWorm used the WMI query "Select * from Win32_ComputerSystem" to check for VMware or VirtualBox environments.
Figure 8: The malware exploited Windows Management Instrumentation (MITRE T1047).
Debugger detection: It also called the CheckRemoteDebuggerPresent API function to see whether it was being debugged.
Figure 9: XWorm attempted to evade debugger analysis.
Sandboxie detection: The binary scanned the system to see whether the SbieDll.dll library was loaded.
Figure 10: SbieDll.dll is associated with Sandboxie, a sandbox-based isolation program.
Datacenter IP check: XWorm checked the machine's IP address to determine whether it was hosted in a data center.
Figure 11: The malware's IP check explains the reason behind its initial crash.
Persistence: XWorm used the registry and the task scheduler to establish a persistent presence on the system.
Figure 12: The code revealed the malware's ability to modify the registry.
Extraction of XWorm's configuration
Next, the analysts found a constructor that looked like a block containing settings. They used a function to reassign some of its fields. The malware first computed an MD5 hash from a value in the presumed settings section.
It then copied the obtained hash twice into a temporary array, but due to an off-by-one error, the MD5 was not copied in full both times. The team used the resulting array as a key to decrypt the incoming base64 strings using AES in ECB mode.
They also found that the field used was a mutex. The entire process is described in detail in ANY.RUN's blog article "XWorm: Technical Analysis of a New Malware Version."
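The key derivation and decryption routine described above, written out as an added Go example (not the analysts' code or the malware's own source). The second copy is assumed to start at offset 15, which produces the incomplete double copy the analysis describes; the seed value and the decrypted strings are constructed, since the page does not reproduce the sample's own values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
)

// deriveKey mirrors the key schedule described above: the MD5 of a settings value
// is copied twice into a 32-byte key, but the second copy starts at offset 15
// (offset assumed here), so the copies overlap by one byte and key[31] stays zero.
func deriveKey(seed string) []byte {
	sum := md5.Sum([]byte(seed))
	key := make([]byte, 32)
	copy(key[0:16], sum[:])
	copy(key[15:31], sum[:])
	return key
}

// ecbDecrypt runs AES block by block; Go's standard library has no ECB helper.
func ecbDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize {
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	return pt, nil
}

// decryptSetting base64-decodes a config string, decrypts it and strips PKCS#7 padding.
func decryptSetting(seed, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := ecbDecrypt(deriveKey(seed), ct)
	if err != nil {
		return "", err
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}
```

Feeding each base64 field of a real settings block to decryptSetting with the sample's own seed yields the plaintext configuration; a wrong seed or truncated field fails the padding or alignment check instead of returning garbage.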
The complete configuration of XWorm's new variant is as follows:
USB drop file: USB.exe
Telegram chat id: 5865520781
Obtaining the configurations of the latest malware is important but time-consuming. To make it more efficient, you can run your samples through the ANY.RUN sandbox to access the essential information in seconds.