Trojan:VBS/XWorm.LFL!MTB

The Trojan:VBS/XWorm.LFL!MTB launches a multi-stage attack that begins with a malicious VBScript file, often distributed as a Windows Script File (.WSF). This initial script functions as a downloader, responsible for retrieving the next stage of the infection. In a documented campaign, the script connected to the domain anhemvn4[.]com to download an archive named 5btc.zip. Once on the system, the script extracts the contents of this archive into a newly created directory, such as C:\xmetavip\. This directory serves as a staging ground for the malware components, which can include a batch file named backup.bat and a renamed version of the legitimate pythonw.exe file, disguised as pw.exe. 

To ensure it remains active after a system reboot, the malware establishes persistence through multiple Windows mechanisms. A primary method is the creation of a Scheduled Task, given a decoy name like MicroSoftVisualsUpdater, which is configured to execute the malicious script at regular intervals. Additionally, the malware modifies the Windows Registry by adding a new value to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key.  

The data for this key is set to launch the backup.bat file, ensuring the infection chain is restarted every time the user logs into the system. Before deploying its final payload, the script performs critical actions to disable system defenses. It achieves this by patching key functions in memory. Specifically, it targets the AmsiScanBuffer function within amsi.dll to disable the Antimalware Scan Interface (AMSI) and the EtwEventWrite function to suppress Windows Event Tracing (ETW). This evasive action helps the malware avoid detection by security software. 

The final stage involves process injections to conceal the malware activities. The core XWorm RAT payload, sometimes named XClient3.exe, remains benign on disk. Instead, it is injected into the memory space of a legitimate and trusted Windows process, such as RegSvcs.exe. In other cases, the disguised pw.exe binary is used to run obfuscated code within the context of a common process like chrome.exe on a hidden desktop, making it difficult for users to spot the malicious activity. 

XWorm beacons to a Command and Control (C2) server to receive instructions from the threat actor. The connection details are hardcoded into the XWorm’s configuration, which is often encrypted with AES and encoded in Base64. Specific indicators from analysis show communication with the IP address 94[.]159.113[.]64 on port 4411. Earlier variants have been observed connecting to domains like ziadonfire[.]work[.]gd (which resolves to 89[.]116.164[.]56) on port 7000. 

Xworm drops the following files:  

• 5btc.zip 
• backup.bat  
• pw.exe 
• XClient3.exe 

Modifies the following registry entries: 

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 

Xworm connects to the following URLs: 

• anhemvn4[.]com  
• ziadonfire[.]work[.]gd  

It also interacts to the following hosts: 

• 94[.]159.113[.]64 on port 4411 
• 89[.]116.164[.]56) on port 7000