A newly discovered XWorm malware variant poses a significant risk to Windows operating systems. This malicious software possesses many capabilities, including remote desktop control, information theft, and the ability to conduct ransomware attacks.
Consequently, Windows users must take the necessary steps to protect their systems against this dangerous threat.
XWorm is a malicious software program designed to infiltrate Windows operating systems. It has gained notoriety as one of the most frequently employed malware strains on platforms like ANY.RUN.
ANY.RUN, an interactive online sandbox for fast malware analysis, has published the results of its researchinto the top cyber threat trends in Q2 2023.
The service, which analyzes 14,000 suspicious files and links daily, discovered that RATs (Remote Access Trojans) and loaders further solidified their positions as the primary security concerns. RATs displayed an increase of 12.8% quarter over quarter.
Technical Analysis of a New Malware Version
According to the report shared with Cyber Security News, ANY.RUN discovered XWorm malware using dynamic sandbox analysis, static analysis, and reverse engineering techniques, shedding light on its sophisticated functionalities and evasion mechanisms.
One of the users on ANY.RUN submitted a sample downloaded from a file hosting service and encrypted within an RAR archive. Upon launch, Suricata’s network rules promptly identified it as XWorm.
The application demonstrated features such as creating a shortcut for automatic launch, utilizing a task scheduling mechanism, and trying to connect with a distant server.
Furthermore, the software showcased a unique behavior of attempting to verify whether it’s running on a physical machine or a virtual one, thus employing anti-evasion techniques.
Obfuscation faced in the XWorm Static Analysis led the ANY.RUN team to examine the program through reverse engineering techniques.
Through reverse engineering, they discovered the malware’s configuration extraction process.
The configuration decryption involved computing an MD5 hash, copying the hash twice into an array, and utilizing it as an AES key to decrypt base64 strings.
By extracting the malware’s configuration, we gained valuable insights into its communication, behavior, and persistence mechanism, says ANY.RUN.