XWorm, a highly adaptive and versatile Remote Access Trojan (RAT), continues to evolve as a favored tool among cybercriminals, particularly those targeting organizations in the software supply chain and gaming sector.
Characterized by a robust feature set that includes keylogging, remote desktop access, and command execution, XWorm’s ongoing development and modular design make it a formidable threat that is frequently observed in sophisticated, multi-stage attack campaigns.
Multiformat Infection Chains
Recent research by the Splunk Threat Research Team (STRT) has uncovered how XWorm’s infection strategy diverges from traditional malware by cycling through a diverse set of stagers and loaders.
Rather than relying on a single infection vector, XWorm leverages file types ranging from PowerShell and VBS scripts to batch files, JavaScript, .hta, .lnk, ISO, and even Office macros.
Analysis of over 1,000 XWorm-tagged samples from Malware Bazaar highlights the prevalence of these formats, especially in phishing campaigns, where cleverly disguised filenames (often masquerading as invoices, receipts, and delivery notifications) help lure victims into executing the payload.

Attackers frequently deploy XWorm alongside other malware such as AsyncRAT to establish a foothold, later using these tools to deliver ransomware such as LockBit Black.
This layered approach, coupled with the ability to swap stagers and loaders on the fly, frustrates static analysis and enables XWorm to evade endpoint detection and sandboxing solutions.
Privilege Escalation
XWorm is particularly adept at defense evasion. Its stagers and loaders, which are often heavily obfuscated, incorporate techniques such as Base64 encoding, AES encryption, and on-the-fly decryption in memory.

Notably, the malware attempts to bypass Windows security mechanisms by directly patching core functions such as AmsiScanBuffer() (to defeat the Antimalware Scan Interface, AMSI) and EtwEventWrite() (to disrupt Event Tracing for Windows, ETW, logging).
These actions allow XWorm to operate stealthily, bypassing both antivirus and behavioral monitoring systems.
To maintain persistence and escalate privileges, XWorm’s scripts create registry Run keys and scheduled tasks that point to malicious copies of themselves in %appdata%.
These persistence mechanisms ensure the malware survives system reboots and can continue its malicious activities undisturbed.
Once established, the decrypted payload.exe launches the core XWorm RAT, which initiates information discovery routines.
It interrogates WMI namespaces to enumerate installed antivirus products, queries for device drivers and video capture hardware, and collects GPU details via the Win32_VideoController WMI class.
XWorm further fortifies its presence by abusing Microsoft Defender exclusions—modifying registry entries so its files and processes are ignored by built-in antivirus.
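The persistence and evasion behaviours described above (Run keys and scheduled tasks pointing into %appdata%, and writes to the Defender exclusion keys) can be expressed as simple detection rules. The block below is an added example, not code from the Splunk research or the article; it runs over constructed Sysmon-style key=value event lines, and the field names, user name and file names are assumptions made for the illustration.

```python
"""Flag registry and process events matching the XWorm persistence and
Defender-evasion patterns: Run-key values and schtasks /tr targets under
%APPDATA%, and additions to the Microsoft Defender exclusion keys."""
import re

# Constructed telemetry (not real data): EventID=13 is a registry value set,
# EventID=1 a process creation. User and file names are placeholders.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Roaming "
    "Details=DWORD (0x00000000)",
    "EventID=1 Image=C:\\Windows\\System32\\schtasks.exe "
    "CommandLine=schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent "
    "Details=C:\\Program Files\\Vendor\\agent.exe",
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I)
SCHTASKS_TR = re.compile(r"/tr\s+(\S+)", re.I)

def parse_event(line):
    """Split 'Key=value' pairs; a value runs until the next ' Key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))

def classify(event):
    """Return the rule names an event triggers (empty list when benign)."""
    hits = []
    target, details, cmd = (event.get(k, "") for k in ("TargetObject", "Details", "CommandLine"))
    if RUN_KEY.search(target) and APPDATA.search(details):
        hits.append("run_key_points_to_appdata")
    if DEFENDER_EXCL.search(target):
        hits.append("defender_exclusion_added")
    task = SCHTASKS_TR.search(cmd)
    if "schtasks" in event.get("Image", "").lower() and task and APPDATA.search(task.group(1)):
        hits.append("scheduled_task_points_to_appdata")
    return hits

def scan(lines):
    """Return (Image, rule names) for every event that triggers at least one rule."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results.append((event["Image"], hits))
    return results
```

The fourth sample event, a vendor installer writing a Run key under Program Files, produces no hit, which is the benign baseline these rules are meant to leave alone.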
Communication with the command-and-control server relies on HTTP POST requests, often using distinctive User-Agent strings to blend in or evade casual inspection.
The RAT processes a wide range of backdoor commands, including file downloads, system shutdown, DDoS initiation, and more, giving threat actors remote, granular control over compromised endpoints.
Infection chains may also involve spreading via removable drives using malicious shortcuts, further amplifying the threat’s reach.
The malware leverages scheduled tasks and startup folder shortcuts for persistence, ensuring long-term access to victim environments.
Splunk’s analytic story for XWorm comprises 31 distinct detections, focusing on anomalous process creation (such as suspicious PowerShell executions and renamed binaries), startup persistence, command-line tool abuse, and memory-based .NET loading, a reflection of the multifaceted nature of XWorm’s defense evasion.
Indicators of Compromise