XWorm Trojan examined under the microscope: does it pose a real threat?

The use of a residential proxy by researchers made it possible to "expose" the mysterious malware.

Since its first appearance in 2022, XWorm has become one of the most annoying Remote Access Trojans (RATs). The analytical group ANY.RUN decided to conduct a detailed analysis of the latest version of this malware and shared its results.

The XWorm sample reviewed was found in the malware database of the ANY.RUN researchers. Initially, this sample was distributed through the MediaFire file hosting service, packed in a RAR archive and protected with a password.

XWorm tactics and methods
An attempt to launch the Trojan in the sandbox revealed several key malware techniques:
  • XWorm is installed in a public folder;
  • XWorm uses the task scheduler to restart itself with elevated privileges;
  • XWorm adds its own shortcut to the Windows autorun folder;
  • XWorm connects to a remote server to receive commands.
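The four behaviours listed above are exactly the kind of telemetry a blue team can correlate on an endpoint. The following is an added example of that triage logic, not code from ANY.RUN or from the write-up: it scores constructed, simplified event records (the field names "type", "pid", "ppid", "image", "cmdline", "target" and "dest" are a hypothetical schema, not a real Sysmon or EDR format) and flags a process that runs from the Public folder, spawns an elevated scheduled task, drops a Startup-folder shortcut and connects outward. The sample file name and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Behaviour patterns distilled from the write-up's list of XWorm techniques.
PUBLIC_DIR = re.compile(r"^[a-z]:\\users\\public\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
SCHTASKS_ELEVATED = re.compile(r"schtasks(\.exe)?\s.*?/create\b.*?/rl\s+highest", re.IGNORECASE)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(addr):
    """True when an IPv4 address falls outside the usual internal ranges."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def classify_event(ev):
    """Map one telemetry record to (pid, behaviour_tag) pairs.

    The record shapes are a constructed simplification (hypothetical fields
    'type', 'pid', 'ppid', 'image', 'cmdline', 'target', 'dest'), not a real
    Sysmon or EDR schema.
    """
    hits = []
    if ev["type"] == "process_create":
        if PUBLIC_DIR.match(ev["image"]):
            hits.append((ev["pid"], "runs_from_public"))
        if SCHTASKS_ELEVATED.search(ev.get("cmdline", "")):
            # schtasks is the child; the behaviour belongs to whoever spawned it
            hits.append((ev["ppid"], "schtasks_elevated"))
    elif ev["type"] == "file_create" and STARTUP_LNK.search(ev["target"]):
        hits.append((ev["pid"], "startup_shortcut"))
    elif ev["type"] == "network_connect" and is_external(ev["dest"]):
        hits.append((ev["pid"], "outbound_connection"))
    return hits


def triage(events, threshold=3):
    """Return {pid: sorted tags} for processes showing at least `threshold` behaviours."""
    by_pid = defaultdict(set)
    for ev in events:
        for pid, tag in classify_event(ev):
            by_pid[pid].add(tag)
    return {pid: sorted(tags) for pid, tags in by_pid.items() if len(tags) >= threshold}


# Constructed sample telemetry: pid 4100 mimics the behaviour chain the
# write-up describes; pid 5000 is a benign program that only goes online.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 2200,
     "image": r"C:\Users\Public\svc_host.exe", "cmdline": "svc_host.exe"},
    {"type": "process_create", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /rl highest /tn "Updater" /tr "C:\Users\Public\svc_host.exe"'},
    {"type": "file_create", "pid": 4100,
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc_host.lnk"},
    {"type": "network_connect", "pid": 4100, "dest": "203.0.113.7"},
    {"type": "process_create", "pid": 5000, "ppid": 2200,
     "image": r"C:\Program Files\Editor\editor.exe", "cmdline": "editor.exe"},
    {"type": "process_create", "pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks.exe /query"},
    {"type": "network_connect", "pid": 5000, "dest": "203.0.113.9"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(tags)}")
```

Only pid 4100 clears the threshold; the editor that merely makes an outbound connection and the ordinary `schtasks /query` child produce no alert. Attributing the scheduled-task creation to the parent rather than to schtasks.exe itself is the detail that makes the correlation work, since the malware never appears in that event's own image field.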

Failed attempt to bypass the analysis
The new version of XWorm tried to determine whether it was running in a virtual environment and stopped working once it detected one. To circumvent this, analysts used the Residential Proxy feature, which "tricked" the malware by replacing the IP address with a real one from a specific country.

After restarting with the proxy enabled, XWorm was successfully launched and started its activity. First of all, the malware sent its own version, computer user name, operating system version, and hash to its operator.

Static analysis of the new XWorm variant
Static analysis showed that the sample under consideration was a .NET variant of XWorm. The software was heavily obfuscated, and deobfuscation tools did not produce the desired result.

Conclusion
XWorm continues to evolve and remains a serious cybersecurity threat, while in-depth investigation of the latest versions of the malware is an extremely time-consuming process for any researcher.

For fast and effective analysis, experts recommend using ready-made sandboxes with extensive preconfigured functionality and a large malware database. This will save you energy and precious time.