{"id":11114,"date":"2026-03-05T04:04:21","date_gmt":"2026-03-05T04:04:21","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/05\/32766\/"},"modified":"2026-03-05T04:04:21","modified_gmt":"2026-03-05T04:04:21","slug":"32766","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/05\/32766\/","title":{"rendered":"Want More XWorm?, (Wed, Mar 4th)"},"content":{"rendered":"\n
Want More XWorm?, (Wed, Mar 4th)<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

And another XWorm[1<\/a>] wave in the wild!\u00a0This\u00a0malware family\u00a0is not new and heavily spread\u00a0but delivery techniques always evolve and deserve to be described to show you how threat actors can be imaginative! This time, we are facing another piece of multi-technology malware.<\/p>\n

Here is a quick overview:<\/p>\n

\"\"<\/p>\n

The Javascript is a classic obfuscated one:<\/p>\n

\"\"<\/p>\n

No need to try to analyze it, just let it run in a sandbox\u00a0and see its magic. It will drop a PowerShell script in a temporary directory (\u201cC:Tempps_5uGUQcco8t5W_1772542824586.ps1\u201d).<\/i> This loader will decode (Base64 + XOR) another\u00a0payload that invokes another piece of PowerShell in memory:<\/p>\n

\"\"<\/p>\n

Because the last payload is XOR-encrypted, it is not obfuscated and easy to understand. The DLL exports a function called \u201cProcessHollowing\u201d (nice name, btw) and acts as a loader. It inject the XWorm client in the .Net compiler process\u2026<\/p>\n

Here is the extracted config:<\/p>\n

\n{\n    \"c2\": [\n        \"204[.]10[.]160[.]190:7003\"\n    ],\n    \"attr\": {\n        \"install_file\": \"USB.exe\"\n    },\n    \"keys\": [\n        {\n            \"key\": \"aes_key\",\n            \"kind\": \"aes.plain\",\n            \"value\": \"XAorWEAzx4+ic89KWd910w==\"\n        }\n    ],\n    \"rule\": \"Xworm\",\n    \"mutex\": [\n        \"Cqu1F0NxohroKG5U\"\n    ],\n    \"family\": \"xworm\",\n    \"version\": \"XWorm V6.4\"\n}<\/pre>\n
Do you recognize the C2 IP address? It’s the same as the one detected in my latest\u00a0diary![2<\/a>]<\/p>\n
And some IOC’s:<\/p>\n\n\n\n\n\n\n\n\n
File<\/th>\nSHA256<\/th>\n<\/tr>\n<\/thead>\n
Inv-4091-CBM-4091-CUSTOM-Packing_List.js<\/td>\n5140b02a05b7e8e0c0afbb459e66de4d74f79665c1d83419235ff0cdcf046e9c<\/td>\n<\/tr>\n
ps_5uGUQcco8t5W_1772542824586.ps1<\/td>\n5a3d33efaaff4ef7b7d473901bd1eec76dcd9cf638213c7d1d3b9029e2aa99a4<\/td>\n<\/tr>\n
MAD.dll<\/td>\naf3919de04454af9ed2ffa7f34e4b600b3ce24168f745dba4c372eb8bcc22a21<\/td>\n<\/tr>\n
payload.exe (XWorm)<\/td>\n58e38fffb78964300522d89396f276ae0527def8495126ff036e57f0e8d3c33b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
[1]\u00a0https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.xworm<\/a>
\n[2]\u00a0https:\/\/isc.sans.edu\/diary\/Fake%20Fedex%20Email%20Delivers%20Donuts!\/32754<\/a><\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
 (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n
 \t

\n 
<\/BR><\/p>\n
 \t

\n
<\/BR>
\nGo to isc.sans.edu<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
Want More XWorm?, (Wed, Mar 4th) And another XWorm[1] wave in the wild!\u00a0This\u00a0malware family\u00a0is not new and heavily spread\u00a0but delivery techniques always evolve and deserve to be described to show you how threat actors can be imaginative! This time, we are facing another piece of multi-technology malware. Here is a quick overview: The Javascript is […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-11114","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11114"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11114"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11114\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}