[QuickNote] The Xworm malware is being spread through a phishing email

Published: 2024-09-12 · Archived: 2026-04-05 18:18:04 UTC

1. Techniques used to trick users into downloading malware

The attacker sent an email with a shortened link to download a file:

When a standard user clicks on the link provided, the browser automatically starts downloading the file Itinerary.doc_.zip, as illustrated in the following:

Inspecting the downloaded .zip file reveals a shortcut file (.lnk):

Upon further inspection of the file Itinerary.doc.lnk, it was discovered that the attacker leveraged this file to download and run a malicious .bat script named output4.bat:

Downloading the output4.bat file and examining it reveals that it uses bitsadmin to download a malicious payload and execute it on the target system. The downloaded file is disguised as svchost.com and saved in the %temp% folder:

2. Quick analysis of Xworm malware

The downloaded svchost.com file (hash: ec7e0bf7036f03786789b6cb58d01c84733fc3a865974c79edf68cba25ff9891) was scanned using popular tools, including DiE and ExeInfo, to identify any potential threats. The results of this scan are presented below:

As shown in the figure, this is a payload written in .NET, likely protected by the .NET Reactor protector. DiE even detected it as the XWorm malware family.

Loading the file into dnSpy and going to the entry point, we can see that its code has been completely obfuscated. The code was heavily obfuscated, making it nearly impossible to read.
Trying our luck with the NETReactorSlayer tool, the result obtained was much more promising:

A thorough analysis of the malware code revealed that all associated strings were encrypted:

The function responsible for decoding the string pjuwlH0Onm5es3BMfhR1hfmv is implemented as follows:

Dissecting the function, we observe that the malicious code carries out the following operations:

- Calculate the MD5 hash of the string "5b6qhQLrSgjM8zFs" and put it into the variable array2.
- Use the data in array2 to create a new array that serves as the AES key, with the value "23DB8E591319155C9A1EFBEA84A17123DB8E591319155C9A1EFBEA84A1717600".
- First, decode the string using Base64. Then decrypt the result using AES in ECB mode with the previously obtained AES key.

Following the steps outlined above, the data was simulated using CyberChef as shown below:

The malware config is as follows:

Host: cyberdon1[.]duckdns[.]org
Port: 1500
Splitter:
Sleep time multiplier: 3
Mutex: 5b6qhQLrSgjM8zFs
USB drop file: system32.exe
Telegram token: 7483891888:AAGbwyeJ_9j8PbOJI1cOfRW_cbll04oDXhA
Telegram chat id: 1344104260

The XWorm version under analysis in this note is 5.6.

Done!

m4n0w4r

Source: https://kienmanowar.wordpress.com/2024/09/12/quicknote-the-xworm-malware-is-being-spread-through-a-phishing-email/
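As an added example (not code from the original post), the string-decoding routine described in section 2 rebuilt in Go, so that the same steps the note reproduces in CyberChef can be scripted over every encrypted string in a sample: MD5 of the mutex string, the 32-byte AES key, Base64 decoding, AES-ECB decryption and PKCS#7 unpadding, with the padding check acting as a wrong-key detector. The exact way the digest is copied into the key array is assumed from commonly reported XWorm samples and should be checked against the decompiled function; the encrypted input is constructed here, not taken from the sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/base64"
	"errors"
)

// deriveKey: MD5 of the mutex string copied into a 32-byte array at offsets 0 and
// 15, last byte left zero. The copy layout is assumed from reported XWorm samples.
func deriveKey(mutex string) []byte {
	digest := md5.Sum([]byte(mutex))
	key := make([]byte, 32)
	copy(key[0:16], digest[:])
	copy(key[15:31], digest[:]) // overlaps key[15] with digest[0]
	return key
}

// decryptString reverses one encoded config string: Base64 -> AES-ECB -> strip PKCS#7.
func decryptString(encoded string, key []byte) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	block, cerr := aes.NewCipher(key)
	if err != nil || cerr != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("input is not Base64, key is invalid, or length is not whole AES blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += aes.BlockSize { // ECB: each block is decrypted independently
		block.Decrypt(pt[i:i+aes.BlockSize], ct[i:i+aes.BlockSize])
	}
	pad := int(pt[len(pt)-1]) // PKCS#7 padding, the .NET AES default
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding: wrong key or corrupted data")
	}
	return string(pt[:len(pt)-pad]), nil
}

// encryptString is the forward transform, used here only to construct sample input.
func encryptString(plain string, key []byte) string {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	pt := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(ct)
}
```

Because the key is derived from the mutex string, extracting that one string from a sample is enough to run this over its whole encrypted-string table.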