XWorm V6: Advanced Evasion and AMSI Bypass Capabilities Revealed
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new version of the XWorm malware (version 6.0) has been discovered, adding features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. That script bypasses AMSI by patching CLR.DLL in memory, then downloads and loads the XWorm binary. The new version can mark itself as a critical process, so it cannot be terminated without administrative privileges. It also introduces new anti-analysis checks, such as exiting on Windows XP and detecting execution inside data centers or hosting providers. The malware continues to execute entirely in memory and to employ various evasion techniques.
OPENCTI LABELS:
malware,xworm,evasion,anti-analysis,persistence,in-memory execution,amsi bypass