Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

2024-09-19 X-WORM RAT (Phishing) Samples

published on 2024-09-13 00:33:00 UTC by Mila
Content:

2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r


More about X-Worm: Malpedia: X-Worm Malware with wide range of capabilities ranging from RAT to ransomware.

  • Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
  • The downloaded .zip file contained a shortcut file (.lnk).
  • This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.
  • The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
  • The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
  • MD5 hashing, AES encryption in ECB mode, and Base64 decoding to decrypt strings.
  • The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
  • XWorm Version: The analyzed version of XWorm was 5.6.

Download
File Information
    ├── 1893afc228afedb18b743176cbd3f0e4adb31fee7982252a4dc6180a6fb83451 ZBWWHQNZII.exe 
    ├── ec7351c49098d55c332f9c5b0b4c51ffe804dd5780fc954006efcf2aeef91b7f HPFQJGRKIS.exe 
    ├── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891.Itinerary.doc.zip.exe 
    └── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891 ZBWWHQNZII.exe 
Malware Repo Links
    Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

Article: 2024-09-19 X-WORM RAT (Phishing) Samples - published 2 months ago.

https://contagiodump.blogspot.com/2024/09/2024-09-19-x-worm-phishing-samples.html   
Published: 2024 09 13 00:33:00
Received: 2024 09 13 00:38:24
Feed: contagio
Source: contagio
Category: Cyber Security
Topic: Cyber Security
Views: 0

Custom HTML Block

Click to Open Code Editor