The RAT establishes an encrypted TCP connection back to the attacker's server to receive instructions [1].

Detection and Mitigation Strategies
The attachment often contains an Excel file that exploits the older CVE-2018-0802 vulnerability to download and execute an HTA file.
The malware's communication with its command-and-control (C2) server is secured through AES encryption, a critical feature that enables attackers to maintain persistent surveillance and issue commands remotely without detection by traditional network monitoring tools. XWorm employs Base64 and AES encryption to decrypt its configuration settings at runtime, a technique that helps the malware fly under the radar of static analysis tools.
Enable Antimalware Scan Interface (AMSI) logging to detect obfuscated script executions in PowerShell and VBScript.
Capable of launching Distributed Denial of Service attacks and functioning as basic ransomware by encrypting files.

Technical Analysis of the v3.1 Update
The user interface has received a makeover, making it more intuitive and user-friendly. The new design aims to streamline navigation and make it easier for users to access the features they need.
Routes malicious traffic through the infected host to mask external command servers.
Hidden VNC: Provides a virtual network computing interface for real-time visual control of the victim's screen.

Keylogging
Perhaps the most concerning aspect of XWorm is its accessibility. Originally sold as a MaaS with tiered pricing, cracked versions are now widely available for free on platforms like GitHub, making sophisticated RAT capabilities available to anyone with basic computer skills. The malware’s builder interface and comprehensive documentation have lowered the barrier to entry, allowing even novice attackers to launch sophisticated campaigns.
Restrict the execution of administrative tools like vssadmin.exe and PowerShell for non-administrative users.

2. Network Monitoring
Features hidden RDP capabilities, allowing attackers to log in as a background user.
Log and alert on suspicious PowerShell commands, especially those modifying Windows Defender settings or using Invoke-Expression.

Email Filtering
Automatically replaces cryptocurrency wallet addresses in the victim's clipboard with the attacker's address during transactions.

Ransomware Module