XWorm: Analysis of Latest Version and Execution Flow

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

XWorm, a versatile malware tool first observed in 2022, lets attackers access sensitive information, gain remote access, and deploy additional malware. In the latest version, the infection chain begins with a Windows Script File that downloads a PowerShell script from paste.ee. That script drops multiple files, establishes persistence through a scheduled task, and notifies the attacker via Telegram. The malware uses evasive techniques, including reflective code loading of a DLL loader that then injects XWorm into a legitimate process. New features include plugin removal and a network command that reports response time. The analysis covers the entire execution flow, from initial infection to execution of the final payload, and highlights the sophistication of this threat.

OPENCTI LABELS :

xworm,reflective loading,remote access,process injection,evasion techniques,infection chain,telegram notification
