
Built to hide, move and persist on the target, the XWorm RAT was deployed through a downloader that abuses legitimate Windows API calls, combined with API hashing, heavy obfuscation, multiple layers of encryption and anti-analysis techniques.
Multi-stage attack hides the RAT within the spreadsheet
The “Ole10Native” stream extracted from the .XLAM attachment in the phishing email hides an encrypted shellcode dropper. Forcepoint analysts used XORSearch to locate the shellcode and scdbg to emulate its execution, which revealed the API call that downloads a .NET executable into the victim’s application data folder.
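The XORSearch step above, as an added example rather than Forcepoint’s own tooling: it brute-forces every single-byte XOR key over a blob and reports where known library and download API strings appear. The blob, the key and the marker list are constructed for the demonstration.

```python
"""Single-byte XOR search for API strings in a suspicious blob (added example)."""
import re
from collections import Counter

# Strings an analyst expects inside downloader shellcode: a library name and
# the APIs it resolves to fetch and run the next stage. Constructed list.
MARKERS = [b"kernel32.dll", b"LoadLibraryA", b"URLDownloadToFileA", b"WinExec"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte of data."""
    return bytes(b ^ key for b in data)


def xorsearch(blob: bytes, markers=MARKERS):
    """Try all 256 single-byte keys; return (key, offset, marker) for each hit.

    Key 0 is included on purpose so plaintext strings are also reported.
    """
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for marker in markers:
            for match in re.finditer(re.escape(marker), decoded):
                hits.append((key, match.start(), marker.decode()))
    return hits


def best_key(hits):
    """Return the key that decodes the most markers, or None if nothing matched."""
    if not hits:
        return None
    return Counter(key for key, _, _ in hits).most_common(1)[0][0]


def build_sample(key: int) -> bytes:
    """Constructed stand-in for an encrypted shellcode blob: a NOP sled, two
    NUL-terminated API strings and some padding, all XOR-encoded with key."""
    plain = b"\x90" * 16 + b"kernel32.dll\x00" + b"URLDownloadToFileA\x00" + b"\xcc" * 8
    return xor_bytes(plain, key)


if __name__ == "__main__":
    sample = build_sample(0x5A)
    for key, offset, marker in xorsearch(sample):
        print(f"key=0x{key:02x} offset={offset:#06x} {marker}")
    print(f"most likely key: 0x{best_key(xorsearch(sample)):02x}")
```

The recovered key is then used to decode the whole blob before handing it to an emulator such as scdbg.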
“When analyzing the compiled binaries, it is good to focus on classes/methods using ‘Drawing’,” Kumar said. “The reason for this is that a lot of .NET malware will load a bitmap or object from its resource section and load the next stage into memory.”
The .NET executable unpacks a byte array and uses a steganographic image resource to load a second-stage DLL into memory, which in turn reflectively loads a third-stage module: the XWorm RAT. Because each stage is loaded and executed in memory, on-disk artifacts are minimized and detection is made harder.

