Netskope outlines new features of XWorm v6.0 malware

The recent blog from Netskope's Threat Labs provides insights into the new features of version 6.0 of XWorm malware. This update is pertinent for IT decision-makers responsible for addressing malware threats and strengthening cybersecurity measures.

Key Findings

The latest variant of XWorm continues to be actively developed, with version 6.0 introducing enhancements for evasion and persistence. These features improve its capability to avoid detection.

A notable change in this version is a new technique for bypassing the Antimalware Scan Interface (AMSI) by modifying CLR.DLL in memory, facilitating covert operations.

VBScript Dropper

The infection process for XWorm 6.0 begins with a VBScript file likely distributed through social engineering tactics. This script reconstructs an obfuscated payload that executes malicious actions, including the retrieval of additional scripts.

The dropped VBScript executes commands to erase metadata, initiate PowerShell scripts, and modify the registry to maintain persistence.

Persistence

XWorm 6.0 ensures persistence by saving a copy in designated folders and inserting registry entries for execution at system startup. This represents a shift from earlier versions, which relied on scheduled tasks.

The client builder of the malware shows adaptability in selecting methods for sustaining access, suggesting potential variations in persistence strategies in future versions.
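As an added detection example (not code from the Netskope post, and using constructed Sysmon-style records rather than real indicators), the following Python snippet scans registry value-set events for Run-key entries that launch a script host from a user-writable location, the startup persistence pattern described above. The event field names, the list of script hosts and the user-writable paths are assumptions to tune for the environment.

```python
import re

# Constructed sample records modelled on Sysmon Event ID 13 (registry value set);
# illustrative only, not indicators from the Netskope report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Updater.vbs"'},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\svc.ps1"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run / RunOnce keys under HKLM or any loaded user hive.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe")
# Assumed user-writable drop locations (adjust per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify_run_entry(event):
    """Reasons an Event ID 13 record looks like script-based Run-key persistence;
    an empty list means it is not a Run-key write or it looks benign."""
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return []
    cmd = event.get("Details", "").lower()
    writer = event.get("Image", "").lower()
    reasons = []
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("autorun command launches a script host")
    if any(d in cmd for d in USER_WRITABLE):
        reasons.append("autorun command points into a user-writable directory")
    if writer.endswith(SCRIPT_HOSTS):
        reasons.append("Run key was written by a script host rather than an installer")
    return reasons


def scan(events):
    """Map each flagged autorun value name to the reasons it was flagged."""
    findings = {}
    for ev in events:
        reasons = classify_run_entry(ev)
        if reasons:
            findings[ev["TargetObject"].rsplit("\\", 1)[-1]] = reasons
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the two script-host entries and leaves the legitimate OneDrive autorun and the unrelated Explorer setting alone.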

AMSI Bypass Through CLR.DLL Patching

A PowerShell script bypasses AMSI by patching CLR.DLL in memory rather than touching the file on disk. It overwrites specific detection-related strings in the loaded module so that AMSI no longer inspects the malware's subsequent activity.

XWorm V6.0

This version keeps the same core operational framework while adding features. Notably, the configuration is now loaded from a Base64-encoded string, and the sample analysed used a static command-and-control server address.

XWorm Running as a Critical Process

XWorm can classify itself as a critical process, rendering it resistant to termination by users without privileges. This is accomplished through checks for administrative rights and specific Windows privileges.

Anti-Analysis

New techniques to counteract analysis have been introduced; for example, the malware will terminate if it identifies execution in older Windows environments, potentially to evade analysis.

Netskope Detection

Netskope offers detection capabilities addressing this evolving threat through its advanced threat protection services.

Conclusions

XWorm's latest version reveals new attributes, including critical process designation and improved evasion techniques, highlighting the necessity for enhanced detection approaches. These findings may aid security professionals in identifying and managing XWorm threats within their networks.

IOCs

Indicators of Compromise (IOC) related to XWorm are available in the Netskope GitHub repository, which offers relevant scripts and IOCs.