Wednesday, March 26, 2025

XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques

 


Summary

 

The XWorm malware family is known for leveraging VBScript (VBS), Batch (BAT), and PowerShell (PS1) scripts to implement advanced obfuscation and evasion techniques, which are highly modular and weaponizing, and it is also a sophisticated RAT.

 

 

Technique analysis

 

Sample md5 a2907290e94d10d566afaad71f0a77d2

Sha256

ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

 

combining Script-based obfuscation (VBS/BAT/PS1) and multi-stages

This malware sample uses VBScript to create a batch file, WordDoc.bat. The file WordDoc.bat runs and injects and executes injection code, which is the PowerShell script, and finally uses the PS1 to load a malicious embedded payload and connects to the attacker’s Command & Control (C2) server. The way belongs to multi-stages to load the payload of attacking.

Fig.1 Combining VBS+BAT+PS1 and multi-stages

 

In VBScript, the %randomCharacters% like %uejji% is not a built-in feature—it’s a placeholder for a variable name. Typically, the attackers split malicious code into parts and reassemble them dynamically to avoid static detection. And the injection code to disable AMSI scanning and malicious payload connecting to the Command & Control (C2) server will write to the batch file.

Fig.2 embedded injection code and XClient

 

In Batch, the %randomCharacters% like %ltc% are used by the malicious code; they can be seen everywhere, and intentionally disrupting the order of variables and finally reordering PowerShell script to avoid static detection. And “setlocal enabledelayedexpansion” a legitimate feature for handling variables dynamically, but attackers abuse it for obfuscation to do delayed expansion, along with detection and mitigation strategies. Split malicious commands into parts and reassemble them at runtime using !var! delayed expansion. Finally, we can see the PowerShell strings are long strings encoded by base64 to avoid static detection.

Fig.3 using !var! delayed expansion

 

In PowerShell, the first thing to do is to read the injection string from the batch file and to decode it with base64 and then to execute the injection code. It uses byte arrays instead of strings to evade signature-based detection; here, it uses amsi.dll to disable AMSI scanning, allowing malware to execute undetected. It is ready for the next step to continue to execute another malicious code.

Fig.4 disable AMSI scanning

 

And the below PowerShell script is performing advanced memory manipulation to disable Windows Event Logging by patching the EventWrite function in ntdll.dll. allowing malicious activity to go unlogged; it doesn’t seem common.

Fig.5 disable windows event logging

 

And the second thing is to read the embedded malicious code from the batch file and to decode it, combining both Base64 and AES algorithms, and finally decompressing it and then executing it in memory. It is worth saying that it loads and executes a malicious .NET assembly in memory with System.Reflection.Assembly and Reverses the string "daoL" → "Load" (used to evade detection), finally connecting back to the attacker’s Command & Control (C2) server. The combining algorithm and compression are to avoid static detection, and it avoids file drops (fileless). All the above things are for evasion techniques.

Fig.6 base64, AES and compression to evasion detection

 

And the embedded malicious code mentioned above is the XClient v1.0.0.8 of the XWorm v5.6, with some related strings and the attacker’s IP address found in memory, and some other variable names were obfuscated.

Fig.7 XWorm and xclient


 Decompress file

to decompress the above-embedded malicious code, finding interesting strings to output the console: “Encerrado processo não elevado com PID, Erro ao tentar encerrar instâncias do BAT,” it seems that the language is Portuguese, specifically Brazilian Portuguese, based on the phrasing.

Fig.8 loader

 

Raw assembly file

To continue to track back to the raw assembly and dump to disk, the code without any obfuscation technique. And finally, it is sure XClient v.1.0.0.0 and XWorm 5.6. And after the deobfuscation technique, we have both files, which were uploaded to the bazaar.

Fig.9 XClient


Conclusion

From the above malware analysis, the attacker or threat actor combines script-based obfuscation (VBS/BAT/PS1) and multi-stages, which makes the process of attacking become more sophisticated, especially the key place uses the way of multi-algorithm like base64, AES, and compression to run in memory with fileless evasion detection. It indicates that the attack way that multi-stages and multi-algorithms in modern become more sophisticated and challenging. Let’s pay more attention to.

 

Diamond Model





MITRE ATT&CK TTP Mapping



IOCs

Files:

Sample md5 a2907290e94d10d566afaad71f0a77d2

Sample Sha256

ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

 

dwm.bat md5 da09177d362d929941b12939635446c3

dwm.bat sha256

c2b502c8dfa3d6ae57b9414fb537b63aea0de2f0f974225dd8280b2bfe8a8353


Decompress file:

Timestamp: 67D88CB4 (3/18/2025 4:57:24 AM)

Loader md5 ccc598563c870f9f47b8e367a025073a

Loader sha256
67a85b53d785054676f0db7f79fea437f7a87e1eeb4938c6efed2fc55a061359

 

Raw assembly file: Version XClient v1.0.0.0 XWorm V5.6

Timestamp: 67C14151 (2/28/2025 12:53:37 PM)
Raw assembly md5 6c0cdb74b4d168c964752ab7d363a99d
Raw assembly sha256
9fe006744c553edce0a1a28784b3598d41c53968502ba8c6454757e7eec83e40

 

Network:

Ip45[.]138[.]16[.]211

Port: 7000

 

Files created:

C:\Users\<USER>\AppData\Local\Temp\WordDoc.bat

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd

 

Files copied

C:\Users\<USER>\dwm.bat

 

Persistence

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd

 

AES Algorithm in PS1:

Key: ozKAhHJS1dkh9XIxZ26zJxxrSxu58yYL8PIPHb6z5Gm (base64)

IV: qv7HfqoORsuVik33JVQxrg== base64

 

AES Algorithm in .Net loader:

Key: 8Bf7IumQkEqU854KLww9ILtzdkXFS4Anqt9sJFuAEoM= (base64)

IV: ypwf7u0VGAyrtOpzuHeBsA== base64

 

Key strings in Memory:
XWorm V5.6

XClient.exe

End.



Labels: , , , , , ,

Sunday, March 23, 2025

The New Face of PowerShell: Ransomware Powered by PowerShell-Based Attacks

 


Summary

 

The PowerShell for writing malicious code is a normal way, and in the past, usually PowerShell itself was played as a supporting role, like executing cmdlets or loaders, but the trend is now to be changed. To make a ransomware, totally with pure PowerShell, is never seen before, and recently many samples were discovered, which attracted me to learn from what happened.

 

Technique analysis

 

The PowerShell ransomware samples have the same abilities, such as deleting shadows, stopping interfering processes, disabling the defender, spreading to the network, and adding registry persistence, and so on; the whole thing is done by the only PowerShell.

 

Third party software encryption scheme

One of the PowerShell ransomware is to utilize third-party encrypt free software called VeraCrypt to help encrypt the data of the drive; it will download from the remote address https[:]//Launchpad[.]net/veracrypt/trunk/1.25.9/+download/VeraCrypt_Setup_x64_1.25.9[.]msi and install VeraCrypt when the PowerShell is executed.

The sample MD5 hash: 982433cb4f485fb6f3cd9fb32cce3bb2

Fig.1 Third party VeraCrypt scheme by PowerShell


The samples MD5 hashes:

f3b663ef29fd2f8b41cdcf17b4a4300d

ffef1e40446902adc8071354fd39c1c6

Fig.2 Third party VeraCrypt scheme by PowerShell

 

RSA and AES encryption scheme

One of the PowerShell ransomware's purposes is to encrypt the data of potential victims by combining both the RSA and AES algorithms, which is a common solution by other ransom groups. Here without talking about the detail of encryption, like how to save the AES key and IV and how to use the public key.

The samples MD5 hashes:

118bd1887d7a1f825826e3a00f06b98e

4e7fd80028d4d0b227d48da1843762ab

Fig.3 RSA+AES scheme by PowerShell

 

 

Conclusion

As you know, like another ransomware group, their source code was leaked, and then more threat actors will emerge. The PowerShell scripts will become more popular for writing more powerful malicious code. Obviously, it will be utilized more, and its previously subordinate role will also change as people see more cases. And on those samples without any obfuscation technique, it would be changing.

 

IOCs

Files:

982433cb4f485fb6f3cd9fb32cce3bb2

f3b663ef29fd2f8b41cdcf17b4a4300d

ffef1e40446902adc8071354fd39c1c6

118bd1887d7a1f825826e3a00f06b98e

4e7fd80028d4d0b227d48da1843762ab

 

End.


Ransom note graphic representations

Labels: , , , , ,

Thursday, March 20, 2025

The Art of Evasion: How Attackers Use VBScript and PowerShell in the Obfuscation Game

 


Summary

 

As we know, using obfuscated VBScript to execute obfuscated PowerShell is a common technique in malware to evade detection and complicate analysis. This approach leverages the strengths of both scripting languages while making it harder for security tools and analysts to understand the malicious intent.

 

Recently I came across a malware that is very well-designed for these obfuscation techniques to use, which is so interesting and attracted my curiosity to learn more about what’s happened inside the malware, and it was also low detection rate until first discovered.

 

Below, I would like to share how the attackers use VBScript and PowerShell to evade detection, maybe it can help other malware researchers or analysts, and the common technique but new doing uncommon which being talked on both VBScript obfuscation and PowerShell obfuscation.

 

 

Technical analysis

 

Basic info

The sample hashs:

md5 0e513e80fc18e3db4f0eb6ecb558534b

Sha256
7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639

 

 

VBScript obfuscation and evasion technique

In order to execute the VBScript, the attacker uses a mix of obfuscation that combines irrelevant comments, time-based delay, string splitting and concatenation, and dynamic behavior. It is very thoughtful. In addition, the structure of the VBScript code seems to intentionally disrupt logical order to interfere with analysts.

 

 

Adding Irrelevant Comments

The first sight is that the malware was inserted by a large number of difficult-to-understand comments or annotations, which seem like the stream of consciousness in monologues or novels or random text; its aim is to have a mind to interfere with or confuse or mislead information with analysts and antivirus.

Fig.1 a large number of understandable annotations for interfering

 

Ok, in order to do an analysis for this kind of malware, it is a time-consuming thing to remove all the annotations manually. The first thought is to use regular expression; a text editor like Sublime can help us to handle them. To replace all the single-line comment content with regular expressions is '.*$, but it should be done carefully because the obfuscation PowerShell will be replaced and should be checked later one by one.

Fig.2 regular expressions

 

 

Time-Based Obfuscation

Using time delays or conditions to execute parts of the script only after a certain time. Malware often uses time delays to evade sandbox detection and avoid immediate detection. Here, the VBScript code snippet appears to be a time-delay loop, starting a loop that continues until the current time Now() exceeds Suspensorium (i.e., for 9 seconds), and then it will loop 50 times and pause the script for 100 milliseconds (0.1 seconds) during each iteration of the loop, and the real PowerShell scripts will be executed when it Suspensorium exceeds 50.

Fig.3 VBScript Time delay to execute PowerShell

 

Combining obfuscation technique

The below VBScript code snippet demonstrates a malware evasion technique that combines time-based delaysstring obfuscation, and dynamic behavior.

1.       String Obfuscation: pronegotiation= array(79+1,79,87,69,82,83,72,69,76,76), The array contains ASCII codes for the characters in the string "POWERSHELL"

2.       Time-Based Evasion: Checks if the current time (Now()) is less than the value of Suspensorium

3.       Dynamic Behavior: The script behaves differently depending on the current time

Fig.4 combining obfuscation technique

 

String splitting and Concatenation

 using ChrW(34) to concatenate strings that include double quotes, and using Chr(99) instead of the literal character 'c' makes the script harder to read and analyze; the command executes splitting to “Exe + chr(99) + “ute.”

Fig.5 VBScript String splitting and Concatenation

 

 

 

PowerShell obfuscation and evasion technique

In order to execute the PowerShell in VBScript, the attacker uses a user-defined algorithm and heavily obfuscates strings. It is different from other APT groups that use mature algorithms for obfuscation of strings; the attacker is very professional.

 

String splitting and Concatenation

The PowerShell code, the string splitting by well design in VBScript, and using the variable Hennafarvedes and character “&” for concatenation. And the variable in VBScript becomes a bridge in PowerShell scripts.

Fig.6 PowerShell String splitting and Concatenation

 

 

Specific Algorithm for Deobfuscated Script

The real intents in the well design strings, it extracts the characters by a specific algorithm with hardcode value It iterates over the array, starting at index 4 and incrementing by 5 each time. The function returns the concatenated string.

Fig.7 specific algorithm for deobfuscated script

 

 

String obfuscation with inserting invalid characters

The below strings obfuscation technique is also very special; the valid characters are only used as a small part of them and used by a user-defined algorithm to extract them, but the unused strings are like random characters to insert and confuse analysts, like pouring a pile of garbage into a real PowerShell to conceal the attacker's intentions. From the above specific algorithm and hardcoded value, we can get a glimpse of being proficient in the use of obfuscation techniques by the attackers.

Fig.8 strings obfuscation


The real intent
From the above analysis, do further research analysis; the PowerShell script can download the payload from the remote URL address hxxps[:]//aghayezayeat.ir/kids/tyrosines.lzh and finally execute the payload. Here it is not special, and the URL can’t be accessed until now.

Fig.9 PowerShell snippet

 

 

Conclusion

From the above process of analysis, it shows that the attacker is very professional on combining different type of obfuscation techniques to do evasion and being proficient in programming, the malware sample tells cybersecurity community, the attacker always look for breakthroughs in defense and are very proactive, a more hidden threat around the digital world; let’s pay close attention.

 

 

IOCs

Files:

SKMBT20783_ZM.vbs md5 0e513e80fc18e3db4f0eb6ecb558534b

Sha256
7444d08579781b3d7b233e9fd3e7f9b31a85837c29adf2f4ae7965a628078639

 

Network:

hxxps[:]//aghayezayeat[.]ir/kids/Tyrosines.lzh

hxxps://aghayezayeat[.]ir/529/eiRBgmsetYWnjJJIug45[.]bin ( from vmray Platform)

185[.]159.153.133

 

Host:

C:\Users\kEecfMwgj\AppData\Roaming\Hikes.Ove

End.

Labels: , , , , ,

Friday, March 14, 2025

The Art of Deception: A Deep Dive into Advanced Trojan-Dropper Obfuscation and Their True Intentions



Summary

 

First thanks for Szabolcs Schmidt was calling global malware analysts to analysis the samples on X, I’m really appreciate his work and he is helping to make cybersecurity more safer and stronger.

In this report, I do plan to dive deep into more details of the advanced Trojan dropper; it looks like obfuscation mechanisms, but until now, their true intentions have been unknown.

The Trojan dropper is very intriguing and different from other APT groups. If you are keen to learn from the latest and related report, please click here.

 

Technical analysis

 

Basic info

The sample hashs:

md5 A699AFD908E0DEC5C96FF7188450B89F

Sha256
f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c

 

Operation system: Operation system: Windows(95)[I386, 32-bit, GUI]

(Heur)Packer: Packer detected[High entropy + Section 1 (".data") compressed]

 

 

Advanced string obfuscation Mechanisms?

The strings in the malware Trojan dropper were obfuscated, so it is a big challenge for only static analysis. It is also not to encode those strings with simple base64 or XOR; It appears that it is a good and User defined advanced string obfuscation techniques. Until now it is not clear, let’s do it.

Fig.1 User defined advanced strings obfuscation techniques

 

Three categories for obfuscation mechanisms

The above string looks like obfuscation mechanisms can be classified into three categories: the hardcoded prefix with %s, the hardcoded suffix with %s, and the hardcoded without %s.

The hardcoded prefix with %s

Let’s take the string “%s lbMG4xVIjgrp99jCpcEHRP2Dk4tuy” as an example: it allocates a memory block of size a4 + 1 and If the memory allocation is successful (v5 is not NULL), the first byte of the allocated memory is set to the value of aSLbmg4xvijgrp9[0].

Fig. 2 the hardcode prefix

 

 

The hardcoded suffix with %s

Let’s take the string “iKutjR2ydZ1tUZPHflBndXLYdaNF%s” as an example: it allocates a memory block of size a1 + 48239 and Whether the length of the string "iKutjR2ydZ1tUZPHflBndXLYdaNF%s" is odd and Regardless of the conditional check, the function always returns the pointer v2.

Fig. 3 the hardcode suffix

 

 

The hardcoded without %s

Let’s take the string “WaioFh2jmJmyIwAM” and the sub_407FE3 as an example:

1.      The strings are related to the sub_407F3E includes The hardcoded suffix with the argument 323, allocates memory, and immediately frees it;

2.      Attempts to allocate memory of size a5 + 1

3.      If the allocation fails, retries up to 2060(0x80C) times, sleeping for 72(0x48u) milliseconds between each retry.

4.      If all retries fail, terminates the program using exit(0).

5.      Returns the pointer to the allocated memory.

Fig. 4 without %s

 

The below is another example, and it seems more complicated, but the design is similar when it allocates memory and immediately frees it, sleeping in different times and exiting.

Fig. 5 without %s

 

 

 

What’s the purpose?

What purpose do those three categories serve as obfuscation techniques? Let’s move forward to the type of the hardcoded without %s, which is a little bit different to find when it allocates memory, and v23 points to the 31st byte (offset 31) of the allocated memory block, which points to a new offset within the allocated memory block and then frees it. And the variable v23 is not used for any purpose. It really attracts malware analysts to pay close attention to it; the similar designs are spread in the middle of the code.

Fig. 6 unclear purpose 1

 

Let’s continue to see more examples. The function sub_424BCE allocates memory and performs a specific initialization on the allocated memory and checks if the first byte is equal to the ASCII49 value for the character '1'). If true, it isv29 incremented by 1. and finally freed. And the variable v29 is not used for any purpose.

Fig. 7 unclear purpose

 

 

 

Seems to be finding new things

Until now, the purpose of those things is unclear; curiosity drives me to learn more. I am careful to observe the code and find the function ub_407FE3 is used five times (here just showing the snippet), so I am very excited to know what the motivation is for this.

Fig. 8 ub_407FE3 is used for five times

 

Let’s move to the first sub_407FE3 and step into the sub_407F3E, and the function allocates 48,562 bytes of memory using the allocated malloc and The expression strlen("iKutjR2ydZ1tUZPHflBndXLYdaNF%s") & 1 checks if the length is odd and always returns v2, which is the memory pointer; the string “iKutjR2ydZ1tUZPHflBndXLYdaNF%s” is used for a condition to calculation.

Fig. 9 sub_407F3E

 

And then the parameter v56 passed to the next function sub_4149AA(2054, 247, 3125, 722, v56, 1464); and finally create the temp directory "C:\\Users\\xxx\\AppData\\Local\\Temp\\" to the allocated memory. So here we know that the string “iKutjR2ydZ1tUZPHflBndXLYdaNF%s” looks like an obfuscation technique, but in fact it can’t be deobfuscated, and the design is to intentionally mislead analysts who consider it some kind of obfuscation technique.

Fig.10 Trojan dropper get the temp directory

 

To continue moving forward and diving deeper into the function sub_410E9D(4552, 0, v55, 9993, 0, 1766, v51, v56, v54) and their parameter, the variable v55 from the function v55 = (void *)sub_407FE3(6897, 41, 862, 0, 2046); the value 003B2AE0 is a pointer address that now seems without any valuable data.

Fig. 11 without any valuable data

 

Moving forward to the function sub_421C4C and diving deeper into details and understanding that it will generate random strings as a part of the Trojan dropper file name (e.g, TujxgfVN) that are based on the specific strings “abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789”, but the whole process does not use any obfuscation string. It is really unbelievable that it seems to do mathematical calculations but is actually loading DLLs; it implies that the threat actor has high skills for hidden purposes;.

Fig. 12 the code for generating a random string


Fig. 13 return a random string TujxgfVN

 

The variable v55 is used for many functions as a parameter passed, but let’s focus on the next function, sub_410E9D, to see what’s happened.

Fig. 14 v55 is used many times

 

When sub_410E9D finished and the address of memory 003B2AE0 and its values changed to the strings “C:\\Users\\xxx\\AppData\\Local\\Temp\\Verify-TujxgfVN.exe,” it is about to be executed as a new name Trojan dropper in the new directory. Yeah, that’s it! The value of address in memory will pass to the next function as a parameter.

Fig.15 create a new Trojan dropper in temp directory

 

When the Trojan dropper Verify-TujxgfVN.exe is created, it will be triggered and executed by the runas a powerful command-line tool that allows you to run programs or commands as a different user, typically with elevated privileges (e.g., as an administrator).

Fig.16 to run the Trojan dropper Verify-TujxgfVN.exe

 

Conclusion

From the above process of analysis, those strings are embedded in Trojan dropper is not obfuscation techniques but well-designed related to memory allocated and the information that Trojan dropper will handle with, they don’t need to do a deobfuscation trying or decoding with them, those strings themselves without any practical significance, such as prompt information, API or system commands, the design is very different from other APT group, it seems that the threat actors are good at math and the Memory data technology processing, and with high programming skill and understanding how to anti-analysis and protect the malware itself, on the process of debugging, and finding the command-line instruction “cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"” that combines several actions to remove itself and anti-debugger. After all, this is a novel design and a new try for hiding their true intentions. Very special!

 

End.

Labels: , , , ,