Indicators of Compromise (IoCs):
– HTTP POST requests with distinctive User-Agent strings
– connections to domains on legitimate CDN and file-hosting services
– beaconing activity to C2 servers
First identified as a distinct Malware-as-a-Service (MaaS) offering in July 2022, XWorm was initially distributed via hacking forums and Telegram channels managed by threat groups like Xcoders and Evilcoder.
Once active, XWorm V3.1 establishes an outbound connection to the attacker's C2 server. The traffic is typically encrypted with a customized AES or custom XOR scheme, so signature-based network intrusion detection systems (IDS) cannot inspect the commands in transit. The malware then waits for instructions, such as downloading secondary payloads or initiating data exfiltration.
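The three network indicators listed at the top of this section (POSTs with an unusual User-Agent, destinations on file-hosting/CDN services, and regular beaconing) can be triaged from ordinary web-proxy logs. The script below is an added example, not code from the original page or from any XWorm analysis: the log format, the sample lines, the "UpdaterClient/1.0" User-Agent and the domain suffixes in FILE_HOSTING_SUFFIXES are all constructed for illustration. It scores behaviour rather than matching fixed strings, which is what you want when the real C2 hosts and UA values of a given campaign are not yet known.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp src method host user-agent".
# 10.0.0.5 posts to a file-hosting host every ~30 s with a non-browser UA
# (the kind of traffic the IoCs describe); 10.0.0.7 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 GET www.example.com "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:00:30 10.0.0.5 POST cdn-files.example-host.net "UpdaterClient/1.0"
2024-05-01T10:01:00 10.0.0.5 POST cdn-files.example-host.net "UpdaterClient/1.0"
2024-05-01T10:01:31 10.0.0.5 POST cdn-files.example-host.net "UpdaterClient/1.0"
2024-05-01T10:02:00 10.0.0.5 POST cdn-files.example-host.net "UpdaterClient/1.0"
2024-05-01T10:02:30 10.0.0.5 POST cdn-files.example-host.net "UpdaterClient/1.0"
2024-05-01T10:00:12 10.0.0.7 GET news.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:07:45 10.0.0.7 POST login.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:15:03 10.0.0.7 GET news.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Illustrative suffixes standing in for the CDN / file-hosting services the
# page mentions. Assumption for the example: replace with the services that
# actually appear in your own environment's traffic.
FILE_HOSTING_SUFFIXES = ("example-host.net", "files.example-cdn.com")

MIN_BEACON_EVENTS = 4    # too few requests and "regular timing" is meaningless
MAX_JITTER_RATIO = 0.2   # stdev/mean of inter-request gaps below this is beacon-like


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, host, ua = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "host": host, "ua": ua})
    return events


def looks_like_browser(ua):
    # Every mainstream browser sends a Mozilla/5.0-prefixed token; a bare custom
    # token is what "distinctive User-Agent" means in practice in proxy data.
    return ua.startswith("Mozilla/")


def beacon_stats(timestamps):
    """Return (mean_gap_seconds, jitter_ratio), or None if there are too few events."""
    if len(timestamps) < MIN_BEACON_EVENTS:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def triage(log_text):
    """Score each (src, host) pair against the three network IoCs; 0-score pairs are dropped."""
    by_pair = defaultdict(list)
    for ev in parse_log(log_text):
        by_pair[(ev["src"], ev["host"])].append(ev)

    findings = {}
    for (src, host), evs in by_pair.items():
        reasons = []
        if any(e["method"] == "POST" and not looks_like_browser(e["ua"]) for e in evs):
            reasons.append("POST with non-browser User-Agent")
        if host.endswith(FILE_HOSTING_SUFFIXES):
            reasons.append("destination on a file-hosting/CDN service")
        stats = beacon_stats([e["ts"] for e in evs])
        if stats and stats[1] < MAX_JITTER_RATIO:
            reasons.append(f"beacon-like timing: every {stats[0]:.0f}s, jitter {stats[1]:.2f}")
        if reasons:
            findings[(src, host)] = {"score": len(reasons), "reasons": reasons,
                                     "mean_gap": stats[0] if stats else None}
    return findings


if __name__ == "__main__":
    for pair, f in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(pair, f["score"], "; ".join(f["reasons"]))
```

On the constructed sample only the 10.0.0.5 to cdn-files.example-host.net pair scores (3 of 3 indicators); the user's own POST to a login page never trips a rule because it uses a browser User-Agent, occurs once and is not on a file-hosting domain. The jitter threshold is the knob to tune: implants that add randomised sleep will push the ratio up, so raise MAX_JITTER_RATIO or look at the distribution of gaps rather than a single ratio if you see that in your environment.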
Stealth and Evasion: Recent campaigns often involve phishing emails with malicious Excel attachments that exploit CVE-2018-0802 (an Equation Editor memory-corruption flaw) to execute fileless .NET modules directly in memory, leaving no payload on disk for file-based scanners to catch.
Extracts credentials, session cookies, cryptocurrency wallets, and browser data [1].
Extracts saved passwords, cookies, autofill data, and credit card details from Chromium- and Firefox-based browsers.
The updated XWorm V3.1 introduces several enhancements designed to bypass modern Endpoint Detection and Response (EDR) systems while maximizing the monetization potential for attackers.
1. Advanced Information Stealing (Crypto and Credentials)
XWorm v3.1 employs a sophisticated, multi-stage infection chain designed to bypass conventional endpoint defenses and sandboxing solutions. Rather than relying on a single infection vector, XWorm cycles through a diverse array of loaders and stagers—including PowerShell, VBS, JavaScript, batch scripts, .NET executables, .hta, .lnk, .iso, .vhd, .img, and Office macros—to deliver its payload.