XWorm Malware Returns with Ransomware Payload, Expanding Plugin Arsenal
A modular malware strain known as XWorm has resurfaced with a new ransomware component and a sprawling collection of over 35 plugins, enabling extensive data theft and remote access capabilities, security researchers at Trellix have discovered.
First observed in 2021, XWorm initially functioned as an information stealer and remote access trojan. The latest iteration demonstrates a significant escalation in threat level with the addition of a ransomware module sharing encryption algorithms with the NoCry ransomware family. Both XWorm’s ransomware and NoCry utilize AES encryption with CBC mode in 4096-byte blocks and employ the same method for generating initialization vectors (IVs) and encryption keys.
Trellix’s analysis revealed the malware shares evasion tactics with NoCry, running the same verification checks to detect analysis environments. Beyond the ransomware, XWorm boasts a library of 14 plugins, each designed for a specific malicious function. These include:
* RemoteDesktop.dll: Enables remote control of infected machines.
* WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll: Focused on stealing victim data.
* FileManager.dll: Grants operators filesystem access and manipulation.
* Shell.dll: Executes system commands via a hidden cmd.exe process.
* Informations.dll: Collects system information.
* Webcam.dll: Records victims and verifies machine authenticity for operators.
* TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll: Transmit lists of active TCP connections, open windows, and startup programs to the command and control (C2) server.
The data theft modules alone are capable of harvesting login credentials from more than 35 web browsers, email clients, messaging applications, FTP clients, and cryptocurrency wallets.
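A triage helper in the spirit of the EDR recommendation, written for this article and not Trellix's or XWorm's code: it tags endpoint telemetry lines by the plugin DLL names listed above and ranks hosts by how many distinct capabilities appear. The log format, host names and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Plugin DLL names from the write-up, mapped to the capability each provides.
XWORM_PLUGINS = {
    "RemoteDesktop.dll": "remote-access",
    "WindowsUpdate.dll": "stealer", "Stealer.dll": "stealer",
    "Recovery.dll": "stealer", "merged.dll": "stealer",
    "Chromium.dll": "stealer", "SystemCheck.Merged.dll": "stealer",
    "FileManager.dll": "file-access",
    "Shell.dll": "command-exec",
    "Informations.dll": "recon",
    "Webcam.dll": "surveillance",
    "TCPConnections.dll": "recon", "ActiveWindows.dll": "recon",
    "StartupManager.dll": "recon",
}

# Constructed sample telemetry (hypothetical EDR file-write / module-load events).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 event=file_write path=C:\\Users\\a\\AppData\\Roaming\\Shell.dll
2024-05-01T10:00:02Z host=WS01 event=module_load path=C:\\Users\\a\\AppData\\Roaming\\Stealer.dll
2024-05-01T10:00:05Z host=WS02 event=module_load path=C:\\Windows\\System32\\kernel32.dll
2024-05-01T10:00:09Z host=WS01 event=module_load path=C:\\Users\\a\\AppData\\Roaming\\merged.dll
2024-05-01T10:01:00Z host=WS03 event=file_write path=D:\\tools\\RemoteDesktop.dll
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) path=(?P<path>.+)$")

def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["basename"] = rec["path"].replace("/", "\\").rsplit("\\", 1)[-1]
    return rec

def find_plugin_hits(log_text):
    """Return {host: set(capabilities)} for lines whose file name is a known plugin (case-insensitive)."""
    lookup = {name.lower(): cap for name, cap in XWORM_PLUGINS.items()}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["basename"].lower() in lookup:
            hits[rec["host"]].add(lookup[rec["basename"].lower()])
    return dict(hits)

def prioritize(hits, min_capabilities=2):
    """Hosts showing at least two distinct capabilities; one generic name (e.g. merged.dll) needs corroboration."""
    return sorted(h for h, caps in hits.items() if len(caps) >= min_capabilities)
```

Feed real EDR exports through `parse_line` by adjusting `LINE_RE`; name matching alone is a lead, and the hidden cmd.exe behaviour of Shell.dll or C2 traffic should confirm it.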
Trellix recommends a multi-layered security approach to defend against XWorm, including endpoint detection and response (EDR) solutions to identify malicious module behavior, proactive email and web protections to block initial infection vectors, and network monitoring to detect communication with the C2 server.