A new version of XWorm malware (version 6.0) has been discovered, showcasing advanced features for persistence and evasion. The infection chain begins with a VBScript that downloads and executes a PowerShell script. This script implements an AMSI bypass by modifying CLR.DLL in memory, then downloads and loads the XWorm binary. The latest version includes the ability to run as a critical process, preventing termination without admin privileges. It also introduces new anti-analysis techniques, such as terminating on Windows XP and detecting execution in data centers or hosting providers. The malware maintains its in-memory execution and continues to employ various evasion techniques.

Author: AlienVault
Related Tags:
amsi bypass
T1553.002
T1059.005
anti-analysis
T1078.001
evasion
T1547.001
T1059.001
persistence
Associated Indicators (file hashes; the 64-character hexadecimal length is consistent with SHA-256):
C4C533DDFCB014419CBD6293B94038EB5DE1854034B6B9C1A1345C4D97CDFABF
4648CE5E4CE4B7562A7828EB81F830D33AB0484392306BC9D3559A42439C8558
E73F48FE634A0C767BD596BBD068A13BE7465993633FD61CCDA717A474EE2DB2