XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques
Summary
The XWorm malware family is a sophisticated RAT known for leveraging VBScript (VBS), Batch (BAT) and PowerShell (PS1) scripts to implement advanced, highly modular and weaponized obfuscation and evasion techniques.
Technique analysis
Sample md5: a2907290e94d10d566afaad71f0a77d2
Sample sha256: ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
Combining script-based obfuscation (VBS/BAT/PS1) and multi-stages
This malware sample uses VBScript to create a batch file, WordDoc.bat. WordDoc.bat then runs, writes out and executes the injection code, which is a PowerShell script; the PS1 finally loads a malicious embedded payload and connects to the attacker's Command & Control (C2) server. The payload is therefore delivered through a multi-stage chain.
Fig.1 Combining VBS+BAT+PS1 and multi-stages
In VBScript, a %randomCharacters% token such as %uejji% is not a built-in feature; it is a placeholder for a variable name. Typically, the attackers split the malicious code into parts and reassemble them dynamically to avoid static detection. Both the injection code that disables AMSI scanning and the malicious payload that connects to the Command & Control (C2) server are written into the batch file.
Fig.2 Embedded injection code and XClient
In the batch file, %randomCharacters% variables such as %ltc% are used throughout the malicious code: the order of the variables is intentionally scrambled and the PowerShell script is only reassembled at the end, to avoid static detection. "setlocal enabledelayedexpansion" is a legitimate feature for handling variables dynamically, but the attackers abuse delayed expansion for obfuscation: malicious commands are split into parts and reassembled at runtime using !var! references. Finally, the PowerShell strings are long base64-encoded strings, again to avoid static detection.
Fig.3 Using !var! delayed expansion
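As an added, analyst-side example (not code from the original analysis), the following Python helper recovers the command hidden behind the split-variable pattern described above: it collects the `set` assignments, expands !var! and %var% references recursively, and decodes a base64 -EncodedCommand argument. The batch content is constructed to mimic the pattern and is not the real WordDoc.bat.

```python
import re
import base64

# Constructed sample mimicking the page's pattern (not the real WordDoc.bat): the
# PowerShell launch is split across scrambled variables, reassembled with !var!
# delayed expansion, and carries its script as a base64 -enc argument.
SAMPLE_BAT = r'''@echo off
setlocal enabledelayedexpansion
set "k9=VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA"
set "zq= -NoP -W Hidden -enc "
set "uejji=Shell"
set "ltc=Power"
set "run=!ltc!!uejji!!zq!!k9!"
!run!
'''
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r'[!%]([A-Za-z0-9_]+)[!%]')

def expand(value, env, depth=0):
    """Resolve !var! and %var% references recursively (bounded against self-reference)."""
    if depth > 20:
        return value
    def sub(m):
        name = m.group(1).lower()  # batch variable names are case-insensitive
        return expand(env[name], env, depth + 1) if name in env else m.group(0)
    return REF_RE.sub(sub, value)

def resolve_commands(text):
    """Collect all `set name=value` lines, then return the remaining lines fully expanded."""
    env, out = {}, []
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('@') or s.lower().startswith('setlocal') or SET_RE.match(s):
            continue
        out.append(expand(s, env))
    return out

def decode_encoded_command(cmd):
    """Decode the UTF-16LE script behind powershell -e/-ec/-enc/-EncodedCommand, if any."""
    m = re.search(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)', cmd, re.IGNORECASE)
    if 'powershell' not in cmd.lower() or not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4))
    return raw.decode('utf-16-le', errors='replace')
```

Running `resolve_commands(SAMPLE_BAT)` yields the single reassembled PowerShell launch line, and `decode_encoded_command` on it reveals the script text that static scanning of the batch file never sees.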
In PowerShell, the first step is to read the injection string from the batch file, base64-decode it, and execute the injection code. The code uses byte arrays instead of strings to evade signature-based detection; here it targets amsi.dll to disable AMSI scanning, allowing the malware to execute undetected, and is then ready to run the next piece of malicious code.
Fig.4 Disabling AMSI scanning
The PowerShell script below performs advanced memory manipulation to disable Windows Event Logging by patching the EventWrite function in ntdll.dll, allowing malicious activity to go unlogged; this technique is not commonly seen.
Fig.5 Disabling Windows event logging
The second step is to read the embedded malicious code from the batch file, decode it using a combination of base64 and AES, decompress it, and execute it in memory. Notably, it loads and executes a malicious .NET assembly in memory via System.Reflection.Assembly and reverses the string "daoL" to "Load" to evade detection, before finally connecting back to the attacker's Command & Control (C2) server. The combination of encoding, encryption and compression defeats static detection, and executing in memory avoids file drops (fileless). All of the above are evasion techniques.
Fig.6 Base64, AES and compression used to evade detection
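As an added, detection-oriented example (not code from the original analysis), this Python scanner surfaces two of the PowerShell-stage tricks described above: API and module names assembled from byte arrays instead of strings, and reversed literals such as "daoL". The PowerShell fragment it scans is constructed to show only those patterns and contains none of the patching or loading code.

```python
import re

# Constructed stand-in for the decoded PS1 stage (not the real script): it builds the
# module/API names from byte arrays and a reversed literal exactly as the page
# describes, without any of the patching logic.
SAMPLE_PS1 = r'''
$mod = [byte[]](97,109,115,105,46,100,108,108)
$fn  = @(0x45,0x76,0x65,0x6E,0x74,0x57,0x72,0x69,0x74,0x65)
$lib = [byte[]](110,116,100,108,108,46,100,108,108)
$m = 'daoL'
$meth = -join $m[-1..-($m.Length)]
$asm = [System.Reflection.Assembly]
'''
# Names worth flagging when they appear plainly, byte-encoded, or reversed.
WATCHLIST = ('amsi.dll', 'eventwrite', 'ntdll.dll', 'load', 'reflection.assembly',
             'frombase64string', 'aescryptoserviceprovider')
NUM = r'(?:0x[0-9a-fA-F]{1,2}|\d{1,3})'
NUM_LIST_RE = re.compile(NUM + r'(?:\s*,\s*' + NUM + r'){2,}')
STR_RE = re.compile(r'''["']([^"'\r\n]{2,64})["']''')

def decode_byte_arrays(script):
    """Turn runs of 3+ numeric literals into text when every value is printable ASCII."""
    found = []
    for m in NUM_LIST_RE.finditer(script):
        vals = [int(v, 16) if v.lower().startswith('0x') else int(v)
                for v in re.split(r'\s*,\s*', m.group(0))]
        if all(32 <= v < 127 for v in vals):
            found.append(''.join(map(chr, vals)))
    return found

def reversed_literals(script):
    """Quoted literals whose reverse is a watched name, e.g. 'daoL' -> 'Load'."""
    return [(m.group(1), m.group(1)[::-1]) for m in STR_RE.finditer(script)
            if m.group(1)[::-1].lower() in WATCHLIST]

def scan(script):
    """Sorted watched names found plainly, inside byte arrays, or as reversed literals."""
    corpus = [script.lower()]
    corpus += [s.lower() for s in decode_byte_arrays(script)]
    corpus += [rev.lower() for _, rev in reversed_literals(script)]
    return sorted(name for name in WATCHLIST if any(name in c for c in corpus))
```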
The embedded malicious code mentioned above is XClient v1.0.0.8 of XWorm v5.6; related strings and the attacker's IP address were found in memory, while other variable names were obfuscated.
Fig.7 XWorm and XClient
After decompressing the above embedded malicious code, some interesting strings written to the console were found: "Encerrado processo não elevado com PID" and "Erro ao tentar encerrar instâncias do BAT" (roughly, "Non-elevated process with PID terminated" and "Error while trying to terminate BAT instances"). The language appears to be Portuguese, specifically Brazilian Portuguese, based on the phrasing.
Fig.8 Loader
Raw assembly file
Tracking further back to the raw assembly and dumping it to disk yields code without any obfuscation technique. This confirms XClient v.1.0.0.0 and XWorm 5.6.
Fig.9 XClient
Conclusion
From the above malware analysis, the attacker or threat actor combines script-based obfuscation (VBS/BAT/PS1) with a multi-stage chain, which makes the attack more sophisticated; in particular, the key stage uses multiple algorithms (base64, AES and compression) to run the payload in memory, evading detection by staying fileless. It indicates that modern attacks built on multiple stages and multiple algorithms are becoming more sophisticated and challenging, and deserve closer attention.
Diamond Model
MITRE ATT&CK TTP Mapping
IOCs
Files:
Sample md5: a2907290e94d10d566afaad71f0a77d2
Sample sha256: ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40
dwm.bat md5: da09177d362d929941b12939635446c3
dwm.bat sha256: c2b502c8dfa3d6ae57b9414fb537b63aea0de2f0f974225dd8280b2bfe8a8353
Decompressed file:
Timestamp: 67D88CB4 (3/18/2025 4:57:24 AM)
Loader md5: ccc598563c870f9f47b8e367a025073a
Loader sha256: 67a85b53d785054676f0db7f79fea437f7a87e1eeb4938c6efed2fc55a061359
Raw assembly file: Version XClient v1.0.0.0 XWorm V5.6
Timestamp: 67C14151 (2/28/2025 12:53:37 PM)
Raw assembly md5: 6c0cdb74b4d168c964752ab7d363a99d
Raw assembly sha256: 9fe006744c553edce0a1a28784b3598d41c53968502ba8c6454757e7eec83e40
Network:
IP: 45[.]138[.]16[.]211
Port: 7000
Files created:
C:\Users\<USER>\AppData\Local\Temp\WordDoc.bat
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd
Files copied:
C:\Users\<USER>\dwm.bat
Persistence:
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd
AES algorithm in PS1:
Key: ozKAhHJS1dkh9XIxZ26zJxxrSxu58yYL8PIPHb6z5Gm (base64)
IV: qv7HfqoORsuVik33JVQxrg== (base64)
AES algorithm in .NET loader:
Key: 8Bf7IumQkEqU854KLww9ILtzdkXFS4Anqt9sJFuAEoM= (base64)
IV: ypwf7u0VGAyrtOpzuHeBsA== (base64)
Key strings in memory:
XWorm V5.6
XClient.exe
End.
Labels: #APT, #BAT, #VBS, #MalwareAnalysis, #PS1, #ThreatIntel, #XWorm