Threat Report
XWorm V6: New advanced evasion techniques and AMSI bypass capabilities revealed in XWorm version 6.0
Threat Overview
In September 2024, Netskope Threat Labs reported on the XWorm malware and its infection chain. After nearly a year of tracking this malware, they discovered a new version (version 6.0) in the wild, which introduced new features such as process protection and enhanced anti-analysis capabilities. Consistent with the previously reported infection chain, XWorm is still being executed in memory and continues to employ execution evasion techniques.
Detailed Analysis
The emergence of a new XWorm variant indicates that the malware is still under active development and likely to be used in the near future. This latest version includes additional features for maintaining persistence and evading analysis. The loader includes new Antimalware Scan Interface (AMSI)-bypass functionality using in-memory modification of CLR.DLL to avoid detection.
VBScript Dropper
XWorm 6.0 starts its infection chain through a VBScript file likely delivered via social engineering. The VBScript embeds and reconstructs another obfuscated VBScript payload at runtime. The script starts with a variable holding an array of character codes. It iterates over the array in reverse order using UBound, and each numeric value is converted to its corresponding Unicode character using VBScript’s ChrW function. These characters are then concatenated to form the actual malicious VBScript, which is executed using the eval function.
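To analyze a dropper of this shape, an analyst reverses the encoding rather than running the script. The Python helper below is an added example (not code from the report, and not the dropper itself): it extracts the numeric Array(...) literal from a VBScript, walks it from the last element to the first and applies ChrW, exactly the reconstruction described above. The sample script, its variable names and its decoded payload are constructed for illustration.

```python
import re

# Constructed sample in the layout the report describes (not the real dropper):
# an array of character codes walked from UBound down to 0, each converted with
# ChrW, concatenated and passed to eval.
SAMPLE_VBS = (
    'Dim codes, s, i\r\n'
    'codes = Array(41,34,105,104,34,40,120,111,66,103,115,77)\r\n'
    'For i = UBound(codes) To 0 Step -1\r\n'
    '    s = s & ChrW(codes(i))\r\n'
    'Next\r\n'
    'eval(s)\r\n'
)

ARRAY_RE = re.compile(r'Array\s*\(([^)]*)\)', re.IGNORECASE)


def extract_code_arrays(vbs_text):
    """Return every Array(...) literal in the script whose items are all integers."""
    arrays = []
    for m in ARRAY_RE.finditer(vbs_text):
        items = [x.strip() for x in m.group(1).split(',') if x.strip()]
        if items and all(re.fullmatch(r'-?\d+', x) for x in items):
            arrays.append([int(x) for x in items])
    return arrays


def decode_chrw_array(codes, reverse=True):
    """Rebuild the string the dropper builds: ChrW() on each code, walking the
    array from UBound down to 0 (reverse=True). ChrW accepts signed 16-bit
    values, so negative codes are mapped back into the 0..65535 range."""
    order = reversed(codes) if reverse else codes
    return ''.join(chr(c & 0xFFFF) for c in order)


def recover_payloads(vbs_text):
    """Decode every numeric array found in the script into a candidate payload."""
    return [decode_chrw_array(a) for a in extract_code_arrays(vbs_text)]


if __name__ == '__main__':
    for payload in recover_payloads(SAMPLE_VBS):
        print(payload)
```

The decoded stage can then be reviewed statically for the behaviours listed in the next section instead of being executed.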
The reconstructed VBScript performs the following functions:
- Removes its own Zone.Identifier Alternate Data Stream.
- Executes a PowerShell command using the Run method. The PowerShell command downloads a PowerShell script and saves it locally as “wolf-8372-4236-2751-hunter-978-ghost-9314.ps1” in the temporary files (TEMP) folder.
- Copies the running VBScript to a new file named update.vbs in both the temporary files (TEMP) folder and the Application Data (APPDATA) folder.
- Establishes persistence on the victim’s device by adding both copies of update.vbs (in the TEMP and APPDATA folders) to the Run registry key.
Persistence
XWorm 6.0 achieves persistence by storing the update.vbs in both the TEMP and APPDATA folders and adding these paths to the registry run key. This differs from our previously reported XWorm sample, which relied on scheduled tasks to maintain access.
The XWorm client builder offers attackers the flexibility to select persistence methods, including the registry run key, scheduled tasks, or the startup folder, indicating that we will continue to see variants using any of these persistence methods.
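One way to triage the registry persistence described here, as an added example that is not part of the report: parse a `reg export` of the Run key and flag entries that launch a .vbs file, recording whether the path sits under TEMP or APPDATA. The registry excerpt is constructed, and the user name and paths are placeholders.

```python
import re

# Constructed excerpt of a `reg export` of the per-user Run key (placeholder user
# and paths). The last two values mirror the update.vbs persistence described.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"update"="wscript.exe \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.vbs\""
"update2"="C:\\Users\\alice\\AppData\\Roaming\\update.vbs"
'''

RUN_KEY_RE = re.compile(r'^\[(HKEY_[^\]]*\\CurrentVersion\\Run(?:Once)?)\]$', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
CHECKS = [  # (reason tag, pattern applied to the launch command)
    ('vbs', re.compile(r'\.vbs\b', re.I)),
    ('script-host', re.compile(r'\b[wc]script(?:\.exe)?\b', re.I)),
    ('user-writable-path', re.compile(r'\\(?:AppData\\Local\\Temp|AppData\\Roaming|Temp)\\', re.I)),
]

def _unescape(s):
    # .reg files write " as \" and \ as \\
    return s.replace('\\"', '"').replace('\\\\', '\\')

def parse_run_values(reg_text):
    """Yield (key, value_name, command) for each string value under a Run/RunOnce key."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = RUN_KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith('['):
            current = None  # values that follow belong to some other key
            continue
        val = VALUE_RE.match(line)
        if current and val:
            yield current, _unescape(val.group(1)), _unescape(val.group(2))

def suspicious_run_entries(reg_text):
    """Flag Run entries that launch a VBScript (directly or via wscript/cscript);
    a TEMP/APPDATA location is recorded as an additional reason."""
    hits = []
    for key, name, cmd in parse_run_values(reg_text):
        reasons = [tag for tag, rx in CHECKS if rx.search(cmd)]
        if 'vbs' in reasons or 'script-host' in reasons:
            hits.append({'key': key, 'name': name, 'command': cmd, 'reasons': reasons})
    return hits
```

Because the builder also offers scheduled tasks and the startup folder, the same review should be repeated for those locations rather than stopping at the Run key.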
AMSI Bypass through CLR.DLL Patching
The PowerShell script wolf-8372-4236-2751-hunter-978-ghost-9314.ps1 begins by implementing an Antimalware Scan Interface (AMSI) bypass by modifying the instance of the Common Language Runtime library (CLR.DLL) in memory.
It does so by retrieving system memory information and iterating through all memory regions of the current process using the GetCurrentProcess() function. It searches for CLR.DLL within these regions and looks for the string “AmsiScanBuffer”. When found, it replaces the string with null bytes. As a result, the CLR can no longer resolve the AmsiScanBuffer method, preventing it from submitting suspicious memory content to AMSI for inspection.
The attacker copied the script from a public GitHub repository, replacing some function names.
XWorm V6.0
This XWorm 6.0 sample, named Microsoft.exe, retains the same operational design as the previously reported version, with some additional improvements.
The application begins by retrieving its configuration from a Base64-encoded string. This XWorm build includes a hardcoded command-and-control (C2) server address. While this behavior is common among other samples, it differs from Netskope Threat Labs’ earlier reported version, which received the C2 address through a command line argument from a PowerShell script.
XWorm Running as a Critical Process
XWorm 6.0 introduces a new technique where it runs itself as a critical process. This makes it difficult for security software to terminate the malware, as terminating a critical process can lead to system instability or crashes.
The malware achieves this by modifying its own process token to include the SeDebugPrivilege and then using the NtSetInformationProcess API with the ProcessBreakOnTermination information class.
Enhanced Anti-Analysis Capabilities
The new version of XWorm includes enhanced anti-analysis capabilities, making it more difficult for security researchers to analyze its behavior. These capabilities include:
- Checking for the presence of debugging tools and virtual machines.
- Obfuscating its code and strings to make reverse engineering more challenging.
- Using various anti-debugging techniques to detect and evade analysis tools.
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by XWorm V6. These include:
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
- Regular Updates: Keep all systems and software up to date with the latest security patches. This includes operating systems, applications, and security tools. Regular updates help to address known vulnerabilities that can be exploited by malware like XWorm.
- Intrusion Detection Systems: Deploy intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity. IDS can help to detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
- Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help to prevent the initial infection and limit the spread of malware within the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to XWorm V6 and other sophisticated malware threats.