Wednesday, March 26, 2025

XWorm Unmasked: Weaponizing Script Obfuscation and Modern Evasion Techniques

 


Summary

 

XWorm is a sophisticated remote access trojan (RAT). The sample analyzed here is delivered through a chain of VBScript (VBS), Batch (BAT) and PowerShell (PS1) stages that implement layered obfuscation and evasion techniques. The chain is highly modular: each stage reconstructs the next one at runtime, so the final payload never appears in a directly scannable form on disk.

 

 

Technique analysis

 

Sample MD5: a2907290e94d10d566afaad71f0a77d2

Sample SHA256: ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

 

Combining script-based obfuscation (VBS/BAT/PS1) with a multi-stage loader

This sample uses VBScript to write a batch file, WordDoc.bat, to the user's Temp directory. WordDoc.bat reconstructs and runs an embedded PowerShell script; that script first executes an "injection" stage (the AMSI and event-logging bypasses described below) and then decodes and loads the embedded final payload, which connects to the attacker's Command & Control (C2) server. The payload is therefore delivered through multiple stages rather than dropped directly.

Fig.1 Combining VBS+BAT+PS1 and multi-stages

 

The %uejji%-style tokens seen in the VBScript are not a VBScript feature; they are batch variable references inside the text that the VBScript writes out to WordDoc.bat. The attacker splits the malicious code into fragments held in such variables and reassembles them dynamically so that no single string in the dropper matches a static signature. Both the injection code that disables AMSI scanning and the payload that connects to the C2 server are written into the batch file in this fragmented form.

Fig.2 embedded injection code and XClient

 

In the batch stage the %ltc%-style variables are everywhere: the PowerShell command is cut into fragments, stored in variables in a deliberately scrambled order, and reassembled into the correct order only when the script runs, so the command never appears contiguously in the file. The script enables "setlocal enabledelayedexpansion", a legitimate cmd.exe feature that makes !var! references expand when the line executes rather than when it is parsed; the attackers abuse it so that the fragments are joined only at runtime. Finally, the reassembled PowerShell command carries its script as a long Base64-encoded string, which again defeats simple string matching. Detection should therefore key on the pattern (delayed expansion, many short set statements, and a long Base64 argument handed to PowerShell) rather than on any particular string.

Fig.3 using !var! delayed expansion
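As an added example (not code from the original post, and not the malware's own script), the following Python helper performs the reassembly that cmd.exe does at runtime so an analyst can recover the hidden PowerShell command statically: it walks the batch file in order, builds the variable table, expands !var! and %var% references, and Base64/UTF-16LE-decodes the -EncodedCommand argument. SAMPLE_BAT is a constructed dropper in the style of WordDoc.bat; its variable names are made up and the encoded command is a harmless Write-Host.

```python
"""Recover the PowerShell command hidden behind batch variable splitting
(the %var% / !var! trick with setlocal enabledelayedexpansion).

Added example, not code from the original post. SAMPLE_BAT below is a
constructed dropper in the style of WordDoc.bat: the variable names are
made up and the encoded command is a harmless Write-Host.
"""
import base64
import re

SET_RE = re.compile(r'^set\s+"?([^=\s"]+)=(.*?)"?$', re.IGNORECASE)
# !name! (delayed expansion) and %name% (parse-time expansion) references.
REF_RE = re.compile(r'[!%]([A-Za-z0-9_]+)[!%]')
# -e / -ec / -enc / -EncodedCommand followed by a long Base64 blob.
ENC_RE = re.compile(r'-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})', re.IGNORECASE)

HIDDEN_PS = "Write-Host 'stage two would run here'"
ENCODED = base64.b64encode(HIDDEN_PS.encode('utf-16-le')).decode('ascii')

# Constructed sample: fragments stored out of order, joined via !var!.
SAMPLE_BAT = f"""@echo off
setlocal enabledelayedexpansion
set "hxe=-nop -w hidden -e"
set "qzd=hell.exe"
set "ltc=pow"
set "uejji=ers"
set "yrt=!ltc!!uejji!!qzd!"
set "run=!yrt! !hxe! {ENCODED}"
!run!
"""


def expand(text, env):
    """Substitute !name! / %name% with the values defined so far.

    cmd.exe is case-insensitive for variable names, so names are lowered.
    An unresolved reference is left in place (cmd.exe would blank it in a
    batch file) so the analyst can see what is still missing.
    """
    return REF_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def resolve_batch(batch_text):
    """Single in-order pass: build the variable table and expand every
    non-set line into the command cmd.exe would actually execute.

    This mirrors a straight-line script; it does not model goto, call or
    for-loops, which real droppers sometimes add on top of this trick.
    """
    env, commands = {}, []
    for raw in batch_text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith(('@echo', 'setlocal', 'rem ', '::')):
            continue
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
        else:
            commands.append(expand(line, env))
    return env, commands


def decode_encoded_command(command):
    """Return the UTF-16LE script behind an -EncodedCommand argument, or None."""
    m = ENC_RE.search(command)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode('utf-16-le')


def recover(batch_text):
    """Return [(expanded_command, decoded_powershell_or_None), ...]."""
    _, commands = resolve_batch(batch_text)
    return [(c, decode_encoded_command(c)) for c in commands]


if __name__ == '__main__':
    for command, decoded in recover(SAMPLE_BAT):
        print('command :', command)
        print('decoded :', decoded)
```

Running the block prints the reassembled "powershell.exe -nop -w hidden -e ..." line followed by the decoded Write-Host; on a real WordDoc.bat the decoded text is the PowerShell stage that the next figures examine. The resolver deliberately keeps dangling references visible instead of blanking them, because a fragment that never resolves usually points at a second obfuscation layer (a for-loop or a call) that the single pass does not model.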

 

The PowerShell stage first reads the injection string out of the batch file, Base64-decodes it and executes it. The decoded code builds the strings it needs (such as the name amsi.dll) from byte arrays instead of string literals, so signature-based scanners never see them, and then patches amsi.dll in the PowerShell process so that AMSI no longer inspects the script content loaded afterwards. With AMSI disabled, the remaining stages run unexamined.

Fig.4 Disabling AMSI scanning

 

The PowerShell code shown below goes a step further and patches the EventWrite function in ntdll.dll in memory, so that ETW-based event logging from the process is suppressed and later activity goes unlogged. Patching EventWrite is noticeably less common in commodity malware than AMSI bypasses.

Fig.5 Disabling Windows event logging

 

The second step reads the embedded payload from the batch file and decodes it in layers: Base64 decoding, AES decryption, then decompression, after which the result is executed in memory. The result is a .NET assembly that is loaded through System.Reflection.Assembly; the method name is obtained by reversing the string "daoL" to "Load", so the literal "Load" never appears in the script. The loaded assembly then connects back to the attacker's C2 server. The stacked encoding, encryption and compression defeat static inspection of the batch file, and because the assembly is loaded from memory no payload file is ever written to disk (fileless execution). All of this serves evasion.

Fig.6 Base64, AES and compression used to evade detection
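As an added example (not code from the original post, and not the malware's own script), the following Python triage script applies the observations from Fig.4 to Fig.6 to a decoded PowerShell stage: it spells out strings that were assembled from byte arrays, undoes the reversed "daoL" literal, and then flags the AMSI, EventWrite, Base64, AES, decompression and reflective-load indicators. The SAMPLE script and the indicator list are constructed for illustration; the AES and compression layers are recognised here, not decrypted.

```python
"""Static triage of a decoded PowerShell stage for the evasion tricks
described above: API names spelled out from byte arrays, the reversed
"daoL" -> "Load" literal, AMSI and ETW (EventWrite) tampering, and the
Base64 -> AES -> decompress -> reflective-load chain.

Added example, not code from the original post. SAMPLE is a constructed,
inert script: it names the APIs the way the real stage does but never
patches memory or loads an assembly, so it can be scanned safely.
"""
import re

# (label, regex) pairs evaluated against the normalised script text.
INDICATORS = [
    ("amsi_reference",  r"amsi\.dll|AmsiScanBuffer|AmsiUtils"),
    ("etw_patch",       r"EventWrite"),
    ("memory_protect",  r"VirtualProtect"),
    ("base64_decode",   r"FromBase64String"),
    ("aes_decrypt",     r"AesCryptoServiceProvider|Cryptography\.Aes\]|CreateDecryptor"),
    ("decompress",      r"GZipStream|DeflateStream|CompressionMode\]::Decompress"),
    ("reflective_load", r"\[(?:System\.)?Reflection\.Assembly\]"),
    ("load_by_name",    r"['\"]Load['\"]"),
]

BYTE_ARRAY_RE = re.compile(r"\[byte\[\]\]\s*@?\(\s*([0-9xXa-fA-F,\s]+?)\s*\)")
REVERSED_SLICE_RE = re.compile(r"""(['"])([^'"]+)\1\[-1\.\.-\d+\]\s*-join\s*(['"])\3""")
LITERAL_RE = re.compile(r"""(['"])([A-Za-z]{3,})\1""")
# Names an analyst cares about; a literal whose reverse is one of these is
# rewritten forwards so the indicators above can see it.
WATCH = {"load", "invoke", "getmethod", "assembly", "amsi", "eventwrite"}

# Constructed, inert sample in the style of the decoded stage.
SAMPLE = r"""
$lib = [System.Text.Encoding]::ASCII.GetString([byte[]](0x61,0x6d,0x73,0x69,0x2e,0x64,0x6c,0x6c))
$fn  = [System.Text.Encoding]::ASCII.GetString([byte[]](69,118,101,110,116,87,114,105,116,101))
$blob = [Convert]::FromBase64String($env:PAYLOAD)
$aes = [Security.Cryptography.Aes]::Create()
$dec = $aes.CreateDecryptor($key, $iv)
$gz  = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
$m   = 'daoL'
$asm = [Reflection.Assembly].GetMethod(('daoL'[-1..-4] -join ''))
"""


def decode_byte_arrays(text):
    """Rewrite [byte[]](0x61,0x6d,...) (decimal or 0x hex values) as the
    ASCII string it spells, whenever every value is printable."""
    def repl(m):
        try:
            vals = [int(v, 0) for v in "".join(m.group(1).split()).split(",") if v]
        except ValueError:
            return m.group(0)
        if vals and all(0x20 <= v < 0x7F for v in vals):
            return "'" + "".join(map(chr, vals)) + "'"
        return m.group(0)
    return BYTE_ARRAY_RE.sub(repl, text)


def unreverse_literals(text):
    """Undo the reversed-string trick: 'daoL'[-1..-4] -join '' becomes
    'Load', and a bare literal such as 'daoL' whose reverse is a watched
    name is rewritten forwards."""
    text = REVERSED_SLICE_RE.sub(lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), text)

    def repl(m):
        s = m.group(2)
        if s.lower() not in WATCH and s[::-1].lower() in WATCH:
            return m.group(1) + s[::-1] + m.group(1)
        return m.group(0)
    return LITERAL_RE.sub(repl, text)


def scan(script):
    """Normalise the script, then return (normalised_text, [(label, evidence)])."""
    normalized = unreverse_literals(decode_byte_arrays(script))
    hits = []
    for label, pattern in INDICATORS:
        m = re.search(pattern, normalized, re.IGNORECASE)
        if m:
            hits.append((label, m.group(0)))
    return normalized, hits


if __name__ == "__main__":
    text, hits = scan(SAMPLE)
    print(text)
    for label, evidence in hits:
        print(f"{label:16} <- {evidence}")
```

The normalisation step is the point: run the indicator list over the raw script and the amsi.dll, EventWrite and Load references are invisible, because the stage never spells them out. After byte-array decoding and un-reversing, the same list fires on all of them, while VirtualProtect stays absent from this sample, showing that the scanner reports only what is actually present.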

 

The embedded payload is XClient v1.0.0.8 of XWorm v5.6. Related strings and the attacker's IP address are visible in memory, although most variable names are obfuscated.

Fig.7 XWorm and xclient


Decompressed file

Decompressing the embedded payload yields an intermediate loader whose console output includes the strings "Encerrado processo não elevado com PID" and "Erro ao tentar encerrar instâncias do BAT" ("Terminated non-elevated process with PID" and "Error trying to terminate BAT instances"). The phrasing suggests Brazilian Portuguese.

Fig.8 loader

 

Raw assembly file

Tracing back from the loader to the raw assembly and dumping it to disk yields code without any obfuscation, which confirms the final payload as XClient v1.0.0.0 of XWorm 5.6. Both deobfuscated files, the loader and the raw assembly, were uploaded to MalwareBazaar.

Fig.9 XClient


Conclusion

The analysis above shows a threat actor combining script-based obfuscation across VBS, BAT and PS1 with a multi-stage loader. The decisive step stacks several transformations (Base64, AES and compression) and executes the result in memory, so the payload is never written to disk in a scannable form. Multi-stage, multi-algorithm delivery of this kind is becoming the norm in commodity malware and deserves correspondingly more attention from detection engineering.

 

Diamond Model





MITRE ATT&CK TTP Mapping



IOCs

Files:

Sample MD5: a2907290e94d10d566afaad71f0a77d2

Sample SHA256: ecb6c26329c5aa711c857bb37431b6d5037b0d28818af4c033c78231d007bb40

dwm.bat MD5: da09177d362d929941b12939635446c3

dwm.bat SHA256: c2b502c8dfa3d6ae57b9414fb537b63aea0de2f0f974225dd8280b2bfe8a8353

Decompressed file (loader):

Timestamp: 67D88CB4 (3/18/2025 4:57:24 AM)

Loader MD5: ccc598563c870f9f47b8e367a025073a

Loader SHA256: 67a85b53d785054676f0db7f79fea437f7a87e1eeb4938c6efed2fc55a061359

Raw assembly file (XClient v1.0.0.0, XWorm V5.6):

Timestamp: 67C14151 (2/28/2025 12:53:37 PM)

Raw assembly MD5: 6c0cdb74b4d168c964752ab7d363a99d

Raw assembly SHA256: 9fe006744c553edce0a1a28784b3598d41c53968502ba8c6454757e7eec83e40

Network:

IP: 45[.]138[.]16[.]211

Port: 7000

Files created:

C:\Users\<USER>\AppData\Local\Temp\WordDoc.bat

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd

Files copied:

C:\Users\<USER>\dwm.bat

Persistence:

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_<randomstrings>.cmd

AES parameters in the PS1 stage:

Key (Base64): ozKAhHJS1dkh9XIxZ26zJxxrSxu58yYL8PIPHb6z5Gm

IV (Base64): qv7HfqoORsuVik33JVQxrg==

AES parameters in the .NET loader:

Key (Base64): 8Bf7IumQkEqU854KLww9ILtzdkXFS4Anqt9sJFuAEoM=

IV (Base64): ypwf7u0VGAyrtOpzuHeBsA==

Key strings in memory:

XWorm V5.6

XClient.exe

End.


