
"Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts. "XWorm's modular design is built around a core client and an array of specialized components known as plugins," Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. "These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active.""
"XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It's primarily propagated via phishing emails and bogus sites advertising malicious ScreenConnect installers. Some of the other tools advertised by the developer include a .NET-based malware builder, a remote access trojan called XBinder, and a program that can bypass User Account Control (UAC) restrictions on Windows systems."
"In a report published last month, Trellix detailed shifting XWorm infection chains that have used Windows shortcut (LNK) files distributed via phishing emails to execute PowerShell commands that drop a harmless TXT file and a deceptive executable masquerading as Discord, which then ultimately launches the malware. XWorm incorporates various anti-analysis and anti-evasion mechanisms to check for tell-tale signs of a virtualized environment, and if so, immediately cease its execution."
XWorm features a core client with modular plugins that deliver specialized payloads for data theft, keylogging, screen capture, persistence, and ransomware. The malware primarily spreads through phishing emails and deceptive sites offering malicious ScreenConnect installers, and developers also market complementary tools such as a .NET malware builder, the XBinder RAT, and a UAC bypass utility. Recent infection chains use LNK shortcuts and PowerShell to drop benign-looking files and a fake Discord executable that launches the payload. XWorm includes anti-analysis and anti-evasion checks to detect virtualization and halt execution, and it can accept remote commands to download files, open URLs, reboot systems, or initiate DDoS attacks.
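As an added defender-side illustration (not code from Trellix or The Hacker News), the following Python correlates constructed process-creation and file-write events to flag the LNK-to-PowerShell chain described above: PowerShell spawned by explorer.exe that drops a text file and a Discord-named executable which is then launched. The event shape, paths and the impersonated-name list are assumptions.

```python
import re
from dataclasses import dataclass
@dataclass
class Event:
    kind: str            # "process" or "filewrite"
    pid: int
    image: str           # process image path
    parent: str = ""     # parent image path (process events)
    cmdline: str = ""
    target: str = ""     # file path written (filewrite events)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
TMP = r"C:\Users\alice\AppData\Local\Temp"
# Constructed sample telemetry: one LNK-style chain plus one benign admin session.
SAMPLE_EVENTS = [
    Event("process", 4120, PS, parent=EXPLORER,
          cmdline='powershell.exe -w hidden -c "Start-Process $env:TEMP\\Discord.exe"'),
    Event("filewrite", 4120, PS, target=TMP + r"\readme.txt"),   # harmless decoy TXT
    Event("filewrite", 4120, PS, target=TMP + r"\Discord.exe"),  # masquerading launcher
    Event("process", 4200, TMP + r"\Discord.exe", parent=PS),
    Event("process", 5000, PS, parent=r"C:\Windows\System32\cmd.exe",
          cmdline="powershell.exe Get-Process"),
    Event("filewrite", 5000, PS, target=r"C:\Users\bob\report.txt"),
]
POWERSHELL_RE = re.compile(r"\\powershell(_ise)?\.exe$", re.I)
# Assumption: application names treated as impersonation when PowerShell drops them.
IMPERSONATED_RE = re.compile(r"discord", re.I)

def detect_lnk_powershell_dropper(events):
    """Flag PowerShell started by explorer.exe (how a double-clicked LNK appears)
    that writes an .exe named after a known app; record decoy .txt drops too."""
    suspects = {}
    for e in events:
        if (e.kind == "process" and POWERSHELL_RE.search(e.image)
                and e.parent.lower().endswith("\\explorer.exe")):
            suspects[e.pid] = {"pid": e.pid, "cmdline": e.cmdline, "dropped_exe": [],
                               "decoy_txt": [], "executed": False}
    for e in events:
        if e.kind == "filewrite" and e.pid in suspects:
            name = e.target.rsplit("\\", 1)[-1].lower()
            if name.endswith(".exe") and IMPERSONATED_RE.search(name):
                suspects[e.pid]["dropped_exe"].append(e.target)
            elif name.endswith(".txt"):
                suspects[e.pid]["decoy_txt"].append(e.target)
    by_path = {p.lower(): s for s in suspects.values() for p in s["dropped_exe"]}
    for e in events:
        if e.kind == "process" and e.image.lower() in by_path:
            by_path[e.image.lower()]["executed"] = True
    return [s for s in suspects.values() if s["dropped_exe"]]
```

Each finding carries the PowerShell command line, the dropped paths and whether the masquerading executable later ran, which is the evidence a triage analyst wants before deciding the host is compromised.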
Read at The Hacker News