EXECUTIVE SUMMARY
This malicious campaign is attributed to a threat actor using a multi-stage loader designed to deploy the XWorm Remote Access Trojan, specifically associated with the XWorm V7.4 campaign. The loader leverages multiple layers of obfuscation, staged execution and anti-analysis techniques to conceal its true functionality and evade detection by traditional security controls. The targeted sectors and regions are not explicitly mentioned, but the campaign's focus on deploying a RAT suggests a broad range of potential targets, including organizations and individuals with sensitive data. The attacker's goal is likely to gain unauthorized remote access, steal sensitive information, and potentially disrupt operations.
The malware infection chain begins with a PyInstaller-packed executable, which unpacks into multiple embedded Python runtime components, compiled Python bytecode files, dynamic libraries and compressed archive resources. The primary malicious module performs in-memory patching of AmsiScanBuffer to weaken Microsoft AMSI-based inspection and reduce AV/EDR visibility prior to payload deployment. The loader decrypts and decompresses an embedded executable payload directly from the Python package, writes the payload into the %LOCALAPPDATA% directory, modifies file attributes to Hidden and System for stealth, and executes the payload silently in detached mode without displaying a visible console window. The deployed payload is identified as XWorm V7.4, a known RAT capable of enabling unauthorized remote access, command execution, credential theft, surveillance activities and secondary payload delivery on compromised systems.
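As an added illustration (not code from the report or from either referenced analysis), the following Python sketch correlates constructed Sysmon-style FileCreate and ProcessCreate events to flag the write-then-execute pattern described above: a process that unpacks a PyInstaller bundle (PyInstaller onefile executables extract their runtime into a `_MEI<digits>` staging directory under %TEMP%), then drops an .exe directly under %LOCALAPPDATA% and launches it as a child. The event shape, paths and PIDs are assumptions made for the example; the Hidden/System attribute change is not visible in these events and would need file-attribute telemetry.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not from the report). id 11 = FileCreate,
# where pid is the writing process; id 1 = ProcessCreate, where ppid is the parent.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 4120, "image": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\_MEI41202\python312.dll"},
    {"id": 11, "pid": 4120, "image": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\bob\AppData\Local\WinUpdate.exe"},
    {"id": 1, "pid": 5004, "ppid": 4120,
     "image": r"C:\Users\bob\AppData\Local\WinUpdate.exe"},
    # Benign installer: also writes under %LOCALAPPDATA%, but into a subfolder
    # and without any PyInstaller staging directory, so it must not be flagged.
    {"id": 11, "pid": 2000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Users\bob\AppData\Local\Vendor\app.exe"},
    {"id": 1, "pid": 2100, "ppid": 2000,
     "image": r"C:\Users\bob\AppData\Local\Vendor\app.exe"},
]

# An .exe dropped directly under %LOCALAPPDATA%, as the loader does.
LOCALAPPDATA_EXE = re.compile(r"\\AppData\\Local\\[^\\]+\.exe$", re.IGNORECASE)
# PyInstaller onefile bundles extract their runtime into %TEMP%\_MEI<digits>\.
PYINSTALLER_STAGING = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def find_loader_chains(events):
    """Return (parent pid, launched image) for every process that staged a
    PyInstaller bundle, dropped an .exe directly under %LOCALAPPDATA%, and
    then started that same file as a child process."""
    staged = set()                 # pids that wrote into a _MEI* directory
    drops = defaultdict(set)       # pid -> lowercased .exe paths it dropped
    for ev in events:
        if ev["id"] != 11:
            continue
        if PYINSTALLER_STAGING.search(ev["target"]):
            staged.add(ev["pid"])
        elif LOCALAPPDATA_EXE.search(ev["target"]):
            drops[ev["pid"]].add(ev["target"].lower())

    hits = []
    for ev in events:
        if ev["id"] != 1 or ev["ppid"] not in staged:
            continue
        if ev["image"].lower() in drops[ev["ppid"]]:
            hits.append((ev["ppid"], ev["image"]))
    return hits


if __name__ == "__main__":
    for ppid, image in find_loader_chains(SAMPLE_EVENTS):
        print(f"loader chain: pid {ppid} dropped and launched {image}")
```

Requiring the PyInstaller staging write in the same process keeps ordinary installers that also write into %LOCALAPPDATA% from firing the rule.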
This threat is significant for organizations because it demonstrates a high level of sophistication, using multiple layers of obfuscation and anti-analysis techniques to evade detection. The malware's ability to patch AMSI in memory and execute the payload silently in detached mode makes it difficult to detect and recover from. Organizations should take defensive actions such as patching, monitoring, backups, and endpoint protection to prevent initial infection and limit the spread of the malware. Regular updates and scans of systems, as well as employee education on phishing and social engineering campaigns, can also help prevent initial infection.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1189 | Drive-by Compromise | — |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027.004 | Obfuscated Files or Information | Compile After Delivery |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1564.002 | Hide Artifacts | Hidden Users |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Command and Control | T1571 | Non-Standard Port | — |
| Impact | T1499 | Endpoint Denial of Service | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/xworm-pyinstaller-loader-amsi-patching-defense-evasion/
https://www.pointwild.com/threat-intelligence/from-pyinstaller-to-xworm-v7-4-infection-chain-analysis/