urlscan.io scan: cyble.com (192.0.78.152)

URL: https://cyble.com/blog/evilcoder-project-selling-multiple-dangerous-tools-online/
Submission: On September 11 via api from BY — Scanned from DE




 * Malware, Ransomware, Remote Access Trojan, Spyware

 * August 19, 2022


EVILCODER PROJECT SELLING MULTIPLE DANGEROUS TOOLS ONLINE

Cyble analyzes EvilCoder, a new project spotted selling multiple dangerous tools
online, including builders capable of ransomware and HVNC attacks.


SOPHISTICATED XWORM RAT WITH RANSOMWARE AND HVNC ATTACK CAPABILITIES


During a routine threat-hunting exercise, Cyble Research Labs discovered a dark
web post in which a malware developer was advertising a powerful Windows RAT.

Figure 1 – Dark Web Post for XWorm

This post redirected us to the malware developer’s website, where multiple
malicious tools are being sold. The figure below shows the developer’s website.

Figure 2 – Post by The Malicious Program Developer


The developer sells malware builders, tools that hide existing malware,
cryptocurrency-grabbing PowerShell scripts, and more.

The list below covers every tool posted by the malware developer, together with
its price, its advertised functionality, and the possible impact on victim
systems.

 * Hidden Malware Builder v2.0/V4.0 ($45)
   Hidden Malware Builder is a .NET-based malware builder tool that requires
   .NET Framework 4. This tool creates binary files with the following
   capabilities:
   * Hiding the C&C server from other processes, start-up, scheduled tasks, and
     the hard drive.
   * Run as Administrator permanently.
   * Merging with another file using the AES algorithm.
   * Anti-analysis techniques such as anti-VM, anti-debugger, anti-sandbox, and
     anti-emulator.
 * Crypto Money Grabber PowerShell Script ($40)
   The malware developer sells a PowerShell script that steals cryptocurrency
   from the victim’s system.
 * Multi Downloader Builder V2.0 ($30)
   Download and execute multiple files from a URL (FUD 100%) (Output: 7KB).
 * Hidden CPLApplet Builder V2.0 ($80)
   The developer has created a tool that builds malicious CPLApplet programs.
   The following features are available in the builder:
   * Injection in explorer.exe.
   * Hidden schtasks.
   * WDExclusion.
   * Anti-Analysis.
 * UAC Bypasser Builder V2.0 ($50)
   The UAC Bypasser builder tool bypasses the operating system’s UAC check for
   the given file. The features provided by the malware developer are:
   * Support All Files.
   * RunAs-Loop.
   * Cmstp-Bypass.
   * WDExclusion.
   * Anti-Analysis.
   * TaskScheduler.
 * XBinder V2.0 ($80)
   XBinder is a Remote Access Trojan (RAT) builder and management tool. The
   features, according to the developer, are:
   * Runonce.
   * Hidden.
   * SetWorkPath.
   * REG [Start-up].
   * WDExclusion.
   * Task [Start-up].
   * UAC [Normal-Bypass].
   * Delay [seconds].
   * Bot Killer.
   * Anti-Analysis.
   * Delete After Run.
   * Disable Super Hidden.
   * Pumper.
   * Icon Changer.
   * Spoofer.
 * XWorm V2.2 ($150)
   This version of the malware builder tool creates client binaries with RAT
   and ransomware capabilities. The functionalities of the RATs created using
   this tool are:
   * Monitor [Mouse – Keyboard – AutoSave].
   * Run File [Disk – Link – Memory – Script – RunPE].
   * WebCam [AutoSave].
   * Microphone.
   * DDoS Attack.
   * Location Manager [GPS – IP].
   * Client operation [Restart – Close – Uninstall – Update – Block – Note].
   * Power [Shutdown – Restart – Logoff].
   * Blank Screen [Enable – Disable].
   * Bookmarks – Browsers – All-In-One – DiscordTokens.
   * FileZilla – ProduKey – WifiKeys – Email Clients.
   * KeyLogger.
   * USB Spread.
   * Bot killer.
   * UAC Bypass [RunAs – Cmstp – Computerdefaults – DismCore].
   * Run Clipper [All Cryptocurrencies].
   * Ransomware [Encrypt – Decrypt].
   * Ngrok Installer.
   * HVNC.
   * Hidden RDP.
   * WDDisable.
   * WDExclusion.
   * Install [Start-up – Registry – schtasks].

We searched for EvilCoder Project samples in the wild and identified a few
active instances of XWorm, indicating that XWorm is the more prevalent and
sophisticated variant. The malware is a .NET compiled binary that uses multiple
persistence and defense evasion techniques.

The malicious binary can drop multiple malicious payloads at various system
locations, add and modify registry entries, and execute commands. The figure
below shows the XWorm builder panel as presented on the developer’s site.

Figure 3 – XWorm Post on Malware Developer’s Website


TECHNICAL ANALYSIS

XWorm is a .NET binary of 45.5 KB. The file details of “XWorm.exe” are:

Figure 4 – File Details of XWorm.exe


Upon execution, the malware sleeps for one second and then runs a series of
checks: it looks for an existing mutex and tries to detect virtual machines,
emulators, a debugger, sandbox environments, and the Anyrun sandbox. If any of
these checks fires, the malware terminates itself.

Figure 5 – Anti Analysis Techniques Used by XWorm

The malware enumerates the programs installed on the user’s machine and checks
for the strings “VMWare” and “VirtualBox”. If either is present, the malware
terminates itself, as shown in the figure below.

Figure 6 – Malware Checks for Virtualization Software

The malware uses the machine’s tick count to detect emulators. It then calls
the CheckRemoteDebuggerPresent() method to determine whether a debugger is
attached.

The malware also detects a sandbox environment if “SbieDll.dll” is present on
the system. It specifically checks whether it is running in the Anyrun sandbox
by inspecting the response text from ip-api.com; if the response is “True”, it
terminates its execution. The figure below shows the anti-analysis code
snippet.

Figure 7 – Malware Performs Various Anti-Analysis Checks


To establish persistence, the malware drops a copy of itself into the Startup
folder. It also copies itself into the “AppData” folder and creates a scheduled
task entry.

Finally, the malware creates an autorun entry in the registry so that it
executes whenever the system restarts. The figure below shows the persistence
activities performed by the malware.

Figure 8 – Malware Routine to establish persistence on a victim machine


After establishing persistence, the malware initiates communication with the
C&C server. It then creates a new thread that collects system details and sends
them to the C&C domain system6458[.]ddns[.]net on port 6666.

The exfiltrated details include the processor count, UserName, MachineName,
OSVersion, malware version, date of malware creation, whether the process has
administrative privileges, webcam details, and the antivirus programs installed
on the system.

Figure 9 – Malware Sending the System Details to C&C
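The persistence chain (Startup folder, AppData copy, scheduled task, registry autorun) and the C&C beacon described above each leave a telemetry trace, and the ip-api.com lookup used for the Anyrun check is a further weak signal. The following Python script is an added example, not Cyble’s code: it tags constructed Sysmon-style events (Event ID 11 FileCreate, 13 RegistryEvent value set, 22 DnsQuery, 3 NetworkConnect) and a Windows Security 4698 scheduled-task event, then alerts when one process shows two or more of the reported persistence mechanisms, escalating when it also connects to the reported C&C host or port. The pipe-delimited line format, the process image, the file paths and the SID are all constructed; only the C&C host and port come from the post.

```python
"""Correlate host and network telemetry for XWorm-style persistence and C&C.

Added example, not Cyble's code. The event lines are constructed to resemble
Sysmon events (ID 11 FileCreate, 13 RegistryEvent value set, 22 DnsQuery,
3 NetworkConnect) and Windows Security event 4698 (scheduled task created);
the process name, paths and SID are invented. The C&C host and port are the
ones reported in the post (system6458[.]ddns[.]net, TCP 6666)."""
import re

# Constructed telemetry, pipe-delimited: event_id|pid|image|key=value detail
SAMPLE_EVENTS = [
    r"11|4120|C:\Users\bob\Downloads\invoice.exe|TargetFilename=C:\Users\bob\AppData\Roaming\XWorm.exe",
    r"11|4120|C:\Users\bob\Downloads\invoice.exe|TargetFilename=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm.exe",
    r"13|4120|C:\Users\bob\Downloads\invoice.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\XWorm",
    r"4698|4120|C:\Users\bob\Downloads\invoice.exe|TaskName=\XWorm",
    r"22|4120|C:\Users\bob\Downloads\invoice.exe|QueryName=ip-api.com",
    r"3|4120|C:\Users\bob\Downloads\invoice.exe|DestinationHostname=system6458.ddns.net DestinationPort=6666",
    # Benign noise from other processes; must not alert.
    r"11|900|C:\Program Files\Editor\editor.exe|TargetFilename=C:\Users\bob\AppData\Roaming\Editor\cache.db",
    r"3|2200|C:\Program Files\Browser\browser.exe|DestinationHostname=example.org DestinationPort=443",
]

C2_HOSTS = {"system6458.ddns.net"}  # defanged in the post as system6458[.]ddns[.]net
C2_PORTS = {"6666"}

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_EXE_RE = re.compile(r"\\AppData\\.*\.exe$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)

PERSISTENCE_TAGS = {"startup_folder_drop", "appdata_copy", "run_key_autorun", "scheduled_task"}


def tag_event(event_id, detail):
    """Map one event to a behaviour tag from the post, or None if uninteresting."""
    kv = dict(KV_RE.findall(detail))
    if event_id == "11":
        target = kv.get("TargetFilename", "")
        if STARTUP_RE.search(target):
            return "startup_folder_drop"      # copy dropped into the Startup folder
        if APPDATA_EXE_RE.search(target):
            return "appdata_copy"             # executable copied under AppData
    elif event_id == "13" and RUN_KEY_RE.search(kv.get("TargetObject", "")):
        return "run_key_autorun"              # registry autorun entry
    elif event_id == "4698":
        return "scheduled_task"               # scheduled task created
    elif event_id == "22" and kv.get("QueryName", "").lower() == "ip-api.com":
        return "geoip_sandbox_check"          # the Anyrun check via ip-api.com
    elif event_id == "3":
        host = kv.get("DestinationHostname", "").lower()
        if host in C2_HOSTS or kv.get("DestinationPort") in C2_PORTS:
            return "c2_connection"
    return None


def correlate(events):
    """Group behaviour tags by process id: {pid: (image, {tags})}."""
    by_pid = {}
    for line in events:
        event_id, pid, image, detail = line.split("|", 3)
        tag = tag_event(event_id, detail)
        if tag:
            by_pid.setdefault(pid, (image, set()))[1].add(tag)
    return by_pid


def alerts(events):
    """Return (pid, image, severity, sorted tags) for suspicious processes.

    medium: one process uses two or more distinct persistence mechanisms;
    high:   it also connects to the reported C&C host or port."""
    found = []
    for pid, (image, tags) in correlate(events).items():
        if len(tags & PERSISTENCE_TAGS) >= 2:
            severity = "high" if "c2_connection" in tags else "medium"
            found.append((pid, image, severity, sorted(tags)))
    return found


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

Requiring two distinct persistence mechanisms from the same process keeps a single AppData write by a legitimate installer below the alert threshold, while the C&C host or port turns a medium into a high; in production the host and port sets would be fed from the IoC table rather than hardcoded.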



All the important information, such as the C&C address, encryption key,
filename, and mutex name, is stored in a public class, “Settings,” as shown in
the figure below.

Figure 10 – Hardcoded Configuration Details of Malware


After the initial communication, the malware waits for instructions from the
C&C server. It can perform multiple tasks such as keylogging, screen capture,
auto-update, self-destruction, running scripts, and ransomware operations.

The malware’s Read() routine receives AES-encrypted commands from the C&C,
decrypts them, and dispatches the associated operation. Some of the more
important operations are discussed below. The figure below shows the code
snippet that performs the DDoS and Clipper operations.

Figure 11 – Routine to Perform DDoS and Clipper Operations


The malware has a routine for file and folder operations such as creating
files and folders, showing or hiding them, and exfiltrating files. The figure
below shows the file operation routines.

Figure 12 – File and Folder Operations of the Malware

The following figure shows the keylogging, screen capture, and mouse
operations, along with their corresponding commands.

Figure 13 – Routine for Keyboard, Mouse and Screen Operations

The malware author also provides an encryption routine for ransomware
operations, as shown below.

Figure 14 – File Encryption Routine

This malware also has a routine for performing a Hidden Virtual Network
Computing (HVNC) attack. HVNC is a tactical means for malware to control a
remote machine without the victim’s knowledge. The figure below shows the
routine for performing an HVNC attack.

Figure 15 – Routine to Perform an HVNC Attack


CONCLUSION

This post shows that even a malware developer with minimal or no
accountability can develop malicious programs and sell them on various forums
for monetary gain.

To attract more customers, malware developers offer threat actors (TAs)
multiple highly impactful and dangerous features such as ransomware and HVNC.

We have observed similar trends before, where malware developers supply highly
sophisticated tools to cybercriminals for their own financial gain.

We will continue monitoring the latest threat actors and trends across the
surface, deep, and dark web and keep our readers informed.

OUR RECOMMENDATIONS

We have listed some essential cybersecurity best practices that create the
first line of control against attackers. We recommend that our readers follow
the best practices given below:

How to prevent malware infection?

 * Download and install software only from official app stores like Play Store
   or the iOS App Store.
 * Use a reputable antivirus and internet security software package on your
   connected devices, such as PCs, laptops, and mobile devices.
 * Use strong passwords and enforce multi-factor authentication wherever
   possible.
 * Enable biometric security features such as fingerprint or facial recognition
   for unlocking the mobile device where possible.
 * Be wary of opening any links received via SMS or emails delivered to your
   phone.
 * Ensure that Google Play Protect is enabled on Android devices.
 * Be careful when granting any permissions to an application.
 * Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

 * Regularly check the Mobile/Wi-Fi data usage of applications installed on
   mobile devices.
 * Keep an eye on the alerts provided by Antiviruses and Android OS and take
   necessary actions accordingly.


MITRE ATT&CK® TECHNIQUES

Tactic               | Technique ID | Technique Name
---------------------|--------------|------------------------------------------------------
Execution            | T1059.001    | Bypasses PowerShell execution policy
Persistence          | T1547.001    | Registry Run Keys / Startup Folder
Privilege Escalation | T1055        | Process Injection
Defense Evasion      | T1027.003    | Obfuscated Files or Information
Defense Evasion      | T1036.005    | Masquerading – Drops PE files with benign system names
Discovery            | T1082        | System Information Discovery
Command and Control  | T1071.001    | Application Layer Protocol


INDICATORS OF COMPROMISE (IOCS) 



IndicatorsIndicator
TypeDescription15f54e2562a9c6f51367327e9f19c11282f21a2de6687f73f0483e6fe3164973
366133968ea8bef322a22a977da1b9c7aaab9559
56b84fe8827326c715996ec14e2d6f05SHA256
SHA1
MD5XWorm.exe8cfefc291d9088ef0b3ab7dd59d8ff672e73d333c8d18bd1dff4c7695ae8af83
e8c6d68e67d853180d36116e3ba27e4f12346dc2
cd76badf66246e0424954805222e4f58SHA256
SHA1
MD5XWorm.exe096e33b9b0b4f843a7ea0259f75b4370f00ab90f3807eb89d5f0117da762900d
a7e95c1d51a278b59097524a14d042257f3e2801
a29c3748c9361f9fe19b87d3358cb46dSHA256 SHA1
MD5XWorm.exe8f9fff88c0c636c80ca0a4cfa37d3fb620289579a1ecae9ba1d3881235b482ee
93c2c2c80274ed4c663423c596d0648e8b548ec2
989b8118ff0e8e72214253e161a9887fSHA256 SHA1
MD5XWorm.exeb9a9ae029ca542aadea0b384e4cfb50611d1a92c4570db5ddc5e362c4ebe41b4
fdce6ef81ccf3d697f20c020020bbb6b51f8b1f1
e38e59e6d534262dd55a3b912bf169ccSHA256 SHA1
MD5XWorm.exe64519b4e63dbedc44149564f3d472c720fa3c6a87c9ad4f07d88d7fd1914f5b9
2edbb78ec7c8f6a561eb30fd43c31841d74217df
| Description | SHA256 | SHA1 | MD5 |
|---|---|---|---|
| | | | b97cc4a173bc566365e0ab4128f2181a |
| XWorm.exe | 8a399e51bdcd4b8d0a041236e80b3094987a80674bda839351fef1585c8c921b | af6bd2d2732269d0b6bbb78006e4980511ac8546 | 744a85f5ddef7c029f2f9ed816ec66ef |
| XWorm.exe | b09bf46468d9ed8b1957246f4cf7fd15679212fe9e5df7df6101179e0594cae6 | 72af980aaaa635bc4425b59ef523f8088b3874d5 | 4b8235bdd494bf5b762528dd96931072 |
| XWorm.exe | b327ec6f6dba10eb77cf47e8486059da63d1d77c3206a8a5ba381b2f1e621651 | be06e7a5bff1bcd1fd27ff6789ae87513cd9d4de | fed104dae34e598ebc7fa681a39f4fcd |
| XBinder Builder | d0b9f3b7f87c8fda4dae8ec3606b7468b0a2d5d32b6b889f983b4ed15a8d2076 | 89e68bfb7e139343d838efc8d584a1a76256bc84 | 28347b4d82e5b28655e091dd35d218bf |
| XBinder Builder | cbc87f41023b27b31a0eeac9818fa06db2914b5cc7c18c9392944ddc721b4efb | 9bbb4afa7dd21e37f09ce9bb81ff7ab961a20f2a | e22cdc1cd9d43143e45cc1260a87e197 |
| XBinder Builder | f89b62d1cf8d2bfd83be841187502318817bc58725a5409c1c2fb6c0c7b14959 | 716bf966c68ac8b120b8029a294e9c5d9d21f637 | 8ae59924803c3ea7b8da29786bc4f332 |
| XBinder Client | 83d59c2eb05891dcd30973ebe5c04aab99bd9371323522e9d968f67a3423d13d | 25b7a76554add5b5ed85e9caed7c0ab67b8cb118 | ab67fe7c24d9c075ef7567d796cc5544 |
| XBinder Client | d9979fead904eb5fc9f0c0f99c6551b05940f94d001411d611ad8c95b3058769 | 2ee39858f4eabf1e469e1934277e61fe6dd5794a | 93ec63f85938d09a4161b8569014adee |
| XBinder Client | 107ac41ba6ecd2025027721dc98307bd2859d473b1eedabc666e7dc12f537f77 | 2249bbf4bbfcc7aec0d6e35803074433c4aa6ae8 | 651103da17aae5c2e3fc8f9ab45140d2 |
| XBinder Client | 6cf9c275f41580a31b8869f9173589705b7ce998dfff58f735f66b97d89f08fd | 046c0de06a918ed6b1b6a232e276db55ae5b48ee | 7ae4668d2e693daa13a81c9cbeaeb31f |
| XBinder Client | 40d68523748f6eaf765970a40458faccbe84ef5dff7acbdaf29ac5a69d7cae6f | a6ff2293ae5bfd10dedb93bfbb12b1ec3faabfe0 | 594472ed0352490ab2a8f89e68d30e08 |
| XBinder Client | 81a3baf389888e4d554e74975fe15937a502c3b9d8c494b2f0ce4c25deb75b45 | d76ac6a11653c3cf7f46cb597bd8c38e5a78e124 | 1263b78103ae7586a1c982e5db37e1c7 |
| XBinder Client | 4e019e68320099ff0e80a7598053d5968ee8ed91c30cc794a47f9f2f0f3f45de | 41f0699c96e58aadc78d0c50eaf699d9f566698d | 8cdaf4513877c0d4ffa3bbfabb3d44c5 |
| XBinder Client | 0aae80e6ca6cbdc0a79dbdf30767182edd94ed65bc378eb6e39d2b68fd78b8e0 | 6b16d72f6cae6d6ee7c9ed4d2a5a044effd3ab8f | f3170f958826b128145589fc21ef7f32 |
| XBinder Client | 0d875a09bf7fb5088aa21f26110db96d1963e743535fd16f0ceb3d16683c2921 | a00b7c3c250c6546ac0d4f349379d943432ef573 | f2341a3d23188aefb43735b1fc68f7c8 |
| XBinder Client | 21bcba3634c4ad91993b5033179a22b77d1d8ed1da1d1cdd506f8d8a03bc0251 | 2f7801f2e18aa4abe2bc7964ea4626f5949feb2f | ba27b6fe77a27d890b02e9901a1a0335 |
| XBinder Client | edab4840b84e16587b62b7133bb7fa030d21fcd6658c976b2b9ececa2453ec2b | 42a3c7e173f7951055ccb226cdc768a0e70ddeb3 | a2431ec170f3cd0d1cd8dc1808a9d967 |
| XBinder Client | 14a661bbdf915bfde309a2d42c0729fac10ce44d12c66f24b9136f4aae731f6e | 24a4a5262ccb6a5b2c5ec2b5f6186bf3c6352f07 | f5e96cfa82804513c81c7548cad9bfc0 |
| XBinder Client | 54f292586ec66057a859df0225b1338c2b701d1e50e3137e94235375cd9e8c94 | 58e6fb22e83c856e2b88b5f9a6352d999be2b374 | 63d1d6e2ab3c1a306fc477860f45a264 |
| XBinder Client | e2a4035f3a4f473a79f6b11f6b95254180052d5e6022b5d40fa8ea307abbfbe3 | b29136f7f196229630aaaf6bba0a1c184f3b92b0 | c4bdbb3cc647499b082dd6ea44d0c67b |
| XBinder Client | 1eba59961ce6b1c1a8741e488cfd8012cbd6b3f4dc8540469a8dd00e8807b60f | 4c891516487d78a854104720b83be59af43a8df3 | 54b32e41c9c4b6f8bab625fa6f4759e4 |
| XBinder Client | | | |
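A defender-side way to put the table above to work is a single-pass hash sweep: compute SHA256, SHA1 and MD5 of every file under a directory once and report any file whose digest appears in the indicator set. The script below is an added example written for this page, not code from Cyble or from the tools it describes. It embeds the XWorm.exe and XBinder Builder rows from the table (the XBinder Client rows can be appended in the same shape); the directory it walks and the sample file used in testing are assumptions.

```python
"""Hash-based IoC sweep for the file indicators listed on this page.

Added example, not Cyble's tooling. Hashes are embedded from the IoC table;
every file under a root directory is hashed once with all three algorithms,
so a hit on any one of them is enough to flag the file.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Rows copied from the IoC table: (description, SHA256, SHA1, MD5).
# Only the XWorm.exe and XBinder Builder rows are embedded here.
PAGE_IOCS: List[Tuple[str, str, str, str]] = [
    ("XWorm.exe",
     "8a399e51bdcd4b8d0a041236e80b3094987a80674bda839351fef1585c8c921b",
     "af6bd2d2732269d0b6bbb78006e4980511ac8546",
     "744a85f5ddef7c029f2f9ed816ec66ef"),
    ("XWorm.exe",
     "b09bf46468d9ed8b1957246f4cf7fd15679212fe9e5df7df6101179e0594cae6",
     "72af980aaaa635bc4425b59ef523f8088b3874d5",
     "4b8235bdd494bf5b762528dd96931072"),
    ("XWorm.exe",
     "b327ec6f6dba10eb77cf47e8486059da63d1d77c3206a8a5ba381b2f1e621651",
     "be06e7a5bff1bcd1fd27ff6789ae87513cd9d4de",
     "fed104dae34e598ebc7fa681a39f4fcd"),
    ("XBinder Builder",
     "d0b9f3b7f87c8fda4dae8ec3606b7468b0a2d5d32b6b889f983b4ed15a8d2076",
     "89e68bfb7e139343d838efc8d584a1a76256bc84",
     "28347b4d82e5b28655e091dd35d218bf"),
]

ALGORITHMS = ("sha256", "sha1", "md5")


def build_index(iocs: Iterable[Tuple[str, str, str, str]]) -> Dict[str, str]:
    """Map every non-empty hash (any algorithm, lowercased) to its description."""
    index: Dict[str, str] = {}
    for description, *digests in iocs:
        for digest in digests:
            if digest:  # empty cells (e.g. the truncated last table row) are skipped
                index[digest.strip().lower()] = description
    return index


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute SHA256, SHA1 and MD5 in one read of the file."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, index: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (file path, matched algorithm, description) for each IoC hit."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            for algo, digest in digests.items():
                if digest in index:
                    hits.append((str(path), algo, index[digest]))
                    break  # one report per file is enough
    return hits


if __name__ == "__main__":
    import sys
    # Assumed usage: python ioc_sweep.py /path/to/scan (defaults to the cwd).
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit in sweep(target, build_index(PAGE_IOCS)):
        print("MATCH %s (%s) -> %s" % hit)
```

Hashing all three algorithms in one read keeps the sweep I/O-bound rather than tripling disk reads, and indexing every digest in one dictionary means a partial indicator (only an MD5 known, as in the first table row) still produces a hit.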
© 2024. Cyble Inc. (Leading Cyber Threat Intelligence Company). All Rights Reserved