Evolving Threats: The Adaptive Design of XWorm Malware
25 November 2024


Written by Rumana Siddiqui

Introduction

XWorm is an evasive and flexible malware family recognized for its modular design. It uses obfuscation techniques to avoid detection, communicates with a Command and Control (C2) server, and executes malicious activities on command. After execution, the malware decrypts its configuration settings and establishes a stealthy presence by creating a mutex to prevent multiple instances from running simultaneously. XWorm’s communication with the C2 server is AES-encrypted, which allows attackers to monitor infected systems and issue commands remotely. Additionally, it can collect and send valuable system information, manipulate DNS resolution through the hosts file, and update itself while erasing traces from the system.

Technical Analysis

Initially, the malware sleeps for three seconds before proceeding to decrypt its configuration settings. These settings are stored Base64-encoded and AES-encrypted, and include details such as the Host, Port, Key and version.

Fig: Decrypting configuration setting

After decrypting the configuration settings, the malware creates a mutex named “2gdQBDwS8QGIOTWD”. If the mutex already exists, the malware terminates itself. This behavior is commonly implemented to avoid conflicts between instances and reduce the risk of detection by security tools; because the name is hardcoded, it also serves as a host-based indicator.

Fig: Creates a mutex

Fig: Mutex

The malware uses a TCP socket to connect to the Command and Control (C2) server, using an IP address resolved from the C2 domain. The socket is configured to both send and receive data. To keep the connection alive, it sends a ping to the C2 server every few seconds and listens for a pong response, so that commands and data can be exchanged with the C2 server without interruption.

Fig: C2 Connection through Socket
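The periodic ping described above is also the C2 channel’s weak point from a detection standpoint: a keepalive sent every few seconds produces evenly spaced events to one destination in flow or firewall logs. The following script is an added example (not code from this write-up or from Seqrite) that groups connection-log events by source and destination and flags flows whose inter-event gaps have very low jitter. The log format, the sample lines and the thresholds are constructed for illustration.

```python
"""Spot periodic C2 keepalive traffic in connection logs.

Added example, not code from the Seqrite write-up: a keepalive sent every
few seconds shows up as many small, evenly spaced events to one
destination. Regular intervals (low coefficient of variation of the gaps)
are the signal. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<timestamp> <src_ip> <dst_ip>:<dst_port> <bytes>"
SAMPLE_LOG = """\
2024-11-25T10:00:00 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:05 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:10 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:15 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:20 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:25 10.0.0.5 203.0.113.10:7000 64
2024-11-25T10:00:01 10.0.0.5 198.51.100.20:443 1500
2024-11-25T10:00:47 10.0.0.5 198.51.100.20:443 3000
2024-11-25T10:02:03 10.0.0.5 198.51.100.20:443 900
2024-11-25T10:09:30 10.0.0.5 198.51.100.20:443 12000
2024-11-25T10:10:01 10.0.0.5 198.51.100.20:443 500
2024-11-25T10:30:00 10.0.0.5 198.51.100.20:443 700
"""


def parse_log(text):
    """Group event timestamps by (src_ip, dst_ip:port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Return (coefficient_of_variation, mean_gap_seconds), or None if too few events."""
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg <= 0:          # all events share one timestamp; nothing to measure
        return None
    return pstdev(gaps) / avg, avg


def find_beacons(text, min_events=5, max_cv=0.2):
    """Return flows whose gaps are regular enough to look like a keepalive.

    max_cv is the tolerated jitter: 0.0 is perfectly periodic, while
    interactive traffic such as browsing normally scores far above 0.2.
    """
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        cv, period = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "period_s": round(period, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} every "
              f"~{hit['period_s']}s ({hit['events']} events, cv={hit['cv']})")
```

On the constructed log the 7000/tcp flow is flagged (six events exactly five seconds apart, cv 0.0) while the irregular HTTPS flow is not. In practice the thresholds need tuning per environment, and legitimate software with fixed polling intervals will also score low, so the result is a triage lead rather than a verdict.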

Once the initial connection is established, the malware collects comprehensive system information from the victim’s machine and sends it to the attacker. The gathered data includes the hostname, username, driver details, and hardware specifications such as CPU and GPU information. This information helps the attacker analyze the system and plan further malicious activities.

Fig: Collecting system Information.

The ClientSocket.Send() function encrypts the collected data with AES before sending it to the C2 server. This encryption protects the data in transit, making it harder for security systems to detect or analyze the information being sent.

Fig: Sending Response with AES encryption

Once the collected data is sent, the malware calls ClientSocket.BeginReceive() and waits for a response from the C2 server. Upon receiving the response, the messages.read() function decrypts it using AES. The decrypted content is then compared against hardcoded values to determine the next action to take.

Fig: Read function with AES decryption and comparison with hardcoded strings.

XWorm malware can read and modify the victim’s hosts file, enabling DNS manipulation attacks. The Hosts command allows XWorm to send a copy of the hosts file to the attacker, while the attacker can overwrite it with a modified version. After making the changes, XWorm sends a confirmation to the attacker, ensuring the operation was successful.

Fig: HostFile modification.
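Because the Hosts command lets the operator replace the hosts file outright, two defender-side checks are worth having: an integrity comparison against a known-good copy, and a parser that flags entries redirecting a name to a routable address or sinkholing a name that should never be blocked. The script below is an added example (not code from this write-up or from Seqrite); the baseline and tampered hosts contents and the watchlist of protected names are constructed.

```python
"""Audit a hosts file for tampering of the kind the Hosts command enables.

Added example, not code from the Seqrite write-up. Hosts contents and the
watchlist below are constructed for illustration.
"""
import hashlib
import ipaddress

BASELINE_HOSTS = """\
# constructed known-good hosts file
127.0.0.1 localhost
::1 localhost
"""

TAMPERED_HOSTS = """\
# constructed tampered hosts file
127.0.0.1 localhost
::1 localhost
203.0.113.10 login.example-bank.com      # name redirected to an external host
0.0.0.0 updates.av-vendor.example        # security updates sinkholed
127.0.0.1 dev.local                      # harmless local override
not-an-ip garbage.example
"""

# Constructed watchlist: names that must never resolve to a sinkhole address.
PROTECTED_NAMES = {"updates.av-vendor.example"}


def parse_hosts(text):
    """Yield (line_no, ip_text, [names]) for each non-comment entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # hosts syntax allows trailing comments
        if not line:
            continue
        fields = line.split()
        yield n, fields[0], fields[1:]


def hosts_digest(text):
    """SHA-256 over normalized entries, so comment or whitespace edits do not alert."""
    canon = "\n".join(f"{ip} {' '.join(names)}" for _, ip, names in parse_hosts(text))
    return hashlib.sha256(canon.encode()).hexdigest()


def hosts_changed(baseline_text, current_text):
    return hosts_digest(baseline_text) != hosts_digest(current_text)


def audit_hosts(text, protected_names=PROTECTED_NAMES):
    """Return findings as (line_no, kind, detail) tuples."""
    findings = []
    for n, ip_text, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((n, "malformed", f"{ip_text!r} is not an IP address"))
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified
        if not sinkhole:
            # A name pointed at a routable address: classic hosts-file redirect.
            findings.append((n, "redirect", f"{', '.join(names)} -> {ip}"))
        elif any(name in protected_names for name in names):
            # Loopback/0.0.0.0 for a protected name blocks updates or telemetry.
            findings.append((n, "sinkhole", f"{', '.join(names)} -> {ip}"))
    return findings


if __name__ == "__main__":
    print("changed:", hosts_changed(BASELINE_HOSTS, TAMPERED_HOSTS))
    for line_no, kind, detail in audit_hosts(TAMPERED_HOSTS):
        print(f"line {line_no}: {kind}: {detail}")
```

Run periodically (or from a file-integrity monitor on the hosts file), the digest comparison catches any replacement, and the audit explains which entries are dangerous. Local development overrides that point at loopback are deliberately not flagged unless the name is on the protected list.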

XWorm has the capability to update itself and remove traces from the system. If IsUpdate is true, the malware writes a new file to the temp directory. It then creates a batch file that deletes the original executable and, after execution, the batch file itself. This lets the malware stay hidden, update itself, and remove any trace of its earlier presence. By staging the update in the temp directory and deleting itself, the malware avoids detection and continues running on the infected system.

Fig: Update and Self deletion
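The dropped batch file is short-lived, but it is a useful artifact for detection: a script that deletes an executable and then deletes itself is rarely legitimate. The following script is an added example (not code from this write-up, from Seqrite, or the malware’s own script) that scores batch text for that combination. The sample batch files are constructed to match the behaviour described above, and the indicator set is an assumption about what such droppers typically contain.

```python
"""Score a dropped batch file for the delete-and-self-delete pattern.

Added example, not code from the Seqrite write-up and not the malware's
own script. Sample batch contents below are constructed; the indicator
list is an assumption about typical dropper scripts.
"""
import re

# Constructed sample resembling the behaviour the write-up describes.
SELF_DELETE_BAT = r"""
@echo off
timeout /t 3 > nul
del /f /q "C:\Users\victim\Downloads\invoice.exe"
del /f /q "%~f0"
"""

# Constructed benign script: cleans build output but never removes itself.
BENIGN_BAT = r"""
@echo off
del /q build\*.obj
echo done
"""

INDICATORS = {
    # any del/erase whose target is a PE-type file
    "deletes_executable": re.compile(r"\b(del|erase)\b[^\r\n]*\.(exe|dll|scr)\b", re.I),
    # del/erase of %0, %~f0, %~dpnx0 ...: the script removes itself
    "self_delete": re.compile(r"\b(del|erase)\b[^\r\n]*%~?[a-z]*0\b", re.I),
    # a pause so the target process has exited before the file is deleted
    "delay": re.compile(r"^\s*(timeout|ping|choice)\b", re.I | re.M),
    "echo_off": re.compile(r"@echo\s+off", re.I),
}


def analyze_batch(text):
    """Return which indicators are present in the batch text."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def is_self_deleting_dropper(text):
    """True when the file deletes an executable and then removes itself."""
    hits = analyze_batch(text)
    return hits["deletes_executable"] and hits["self_delete"]


if __name__ == "__main__":
    for label, sample in (("sample", SELF_DELETE_BAT), ("benign", BENIGN_BAT)):
        print(label, analyze_batch(sample), "->", is_self_deleting_dropper(sample))
```

The check is meant to run on batch files written to temp directories (from a file-creation event or EDR telemetry) before they are executed and gone; the "delay" and "echo_off" indicators are supporting context rather than decisive on their own.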

XWorm offers flexibility by allowing new functionality to be added as plugins and existing plugins to be removed. This modular structure lets attackers customize the malware, making it adaptable to different environments.

Fig: Add and Remove Plugin

The “Plugin” command retrieves and loads content from the C2 response, which includes method names that are compared against various values, such as “ngork”, “ENC” and “DEC”. These values likely correspond to ngork installation, ransomware encryption and decryption processes.

Fig: Plugin function provides installation of ngork and enc and dec capabilities.

Conclusion:

The XWorm malware variant employs evasive techniques to maintain persistence and control. It encrypts its configuration settings, creates a mutex to ensure only a single instance runs, and ensures continuous communication with its Command and Control server. By collecting and securely transmitting system information, XWorm provides attackers with valuable insights to tailor further attacks. These features highlight the malware’s adaptability and resilience, emphasizing the importance of strong security practices, continuous monitoring, and proactive threat detection to defend against such sophisticated threats.

IOCs:

MD5

3EEACBE10835A79077EF83C93DCF636B

0B796B2F6383FE2916F678E78666F713

Protection:

Trojan.Xworm.S34251703

Trojan.GenericFC.S29960909

MITRE ATT&CK:

Tactic                         | Technique ID | Name
Obfuscation                    | T1027        | Obfuscated Files or Information
Execution                      | T1059.005    | Command and Scripting Interpreter: Visual Basic
Screen Capture                 | T1113        | Screen Capture
Gather Victim Host Information | T1592        | Collects system info
Input Capture                  | T1056        | Keylogging
Defense Evasion                | T1055.002    | Process Injection: Portable Executable Injection
Content Injection              | T1659        | Injecting malicious code into systems
Command and Control            | T1071.001    | Application Layer Protocol: Web Protocols


Author:

Vaibhav Krushna Billade

Rumana Siddiqui