Beware of Weaponized MSI Installer Masquerading as WhatsApp to Deliver XWorm RAT
https://gbhackers.com/beware-of-weaponized-msi-installer-masquerading-as-whatsapp/
#Infosec #Security #Cybersecurity #CeptBiro #WeaponizedMSIInstaller #Masquerading #WhatsApp #XWormRAT
🚨 Hackers target script kiddies with a Trojanized XWorm RAT builder, compromising 18,000+ devices! Sensitive data stolen via Telegram-based C&C.
Read: https://hackread.com/hackers-script-kiddes-xworm-rat-compromise-devices/
Recent #stegocampaign delivering #XWorm RAT #malware samples.
Quick review of #sandbox analysis reports reveal simple, yet interesting infection chain. It contains #VisualBasic script, #PowerShell scripts, picture with Base64-encoded executable and the #xwormrat itself. Those payloads have been downloaded from online hosting services such as #Pastebin and #Firebase.
My new article with #IOC and analysis https://malwarelab.eu/posts/stego-xworm/
#steganography #Steganoanalysis #anyrun #malwareanalysis #obfuscation #cyberchef
When I looked on recent public submissions on Any.Run this week, my attention was attracted by XWorm samples with tags “stegocampaign”. Quick review of analysis reports reveal simple, yet interesting infection chain. It contains Visual Basic script, PowerShell script, picture with Base64-encoded executable and the XWorm RAT itself. Those payloads have been downloaded from online hosting services such as Pastebin or Firebase. Moreover, they have been downloaded via HTTPs, so basic network analysis does not reveal the content nor the URL links, however, there are some simple methods how to reveal the real URLs.
Rene Robichaud
Hackread.com
MalwareLab
Marcel SIneM(S)US
Scripter 