This analysis details a sophisticated multi-stage attack delivering the XWorm RAT. The campaign begins with a phishing email containing a malicious .xlam file. The file harbors embedded shellcode that, when executed, retrieves a secondary payload: a .NET binary that reflectively loads a DLL into memory. That DLL, heavily obfuscated and encrypted, in turn loads another DLL via reflective injection. The final stage injects into the main executable, establishes persistence, and exfiltrates data to Command & Control servers associated with the XWorm family. The attack chain demonstrates advanced evasion techniques, including the use of shellcode, steganography, and multiple stages of reflective DLL injection.
Author: AlienVault
Related Tags:
multi-stage attack
T1573.002
Obfuscation
shellcode
T1059.001
steganography
.NET
XWorm
T1573
Associated Indicators: