Built to hide, move, and persist on the target, the XWorm RAT was deployed by abusing legitimate Windows APIs to fetch and execute a downloader, alongside layered anti-analysis techniques: API hashing, "unhooked" calls, heavy obfuscation, and encryption.
Multi-stage attack hides RAT inside spreadsheets
The "OLE10Native" stream, extracted from the .xlam archive attached to the infection email, conceals an encrypted shellcode blob. Forcepoint analysts used XORSearch and scdbg to find the shellcode's execution offset and emulate it, revealing API calls that downloaded a .NET executable into the victim's Application Data folder.
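The two analyst steps above, carving the embedded object out of the `\x01Ole10Native` stream and brute-forcing a single-byte XOR key the way XORSearch does, can be reproduced with a short script. The code below is an added example, not Forcepoint's tooling or the XWorm loader; the stream layout it uses is the commonly documented Packager format (total size, flags word, label, source path, reserved dword, length-prefixed temp path, length-prefixed file data), and the "shellcode", its XOR key 0x5A, file names and paths are all constructed for the demonstration. It does not emulate the code as scdbg does; it only reports the first PEB-walk stub it finds as a candidate entry offset, which is a heuristic.

```python
import struct

# Constructed sample: a fake x86 "shellcode" blob (not real shellcode) that
# only carries the byte patterns a triage scan looks for: the PEB-walk stub
# "mov eax, fs:[0x30]" followed by API-name strings. Assumed XOR key 0x5A.
PLAINTEXT_BLOB = (
    bytes.fromhex("64a130000000")   # mov eax, fs:[0x30]   (PEB)
    + bytes.fromhex("8b400c")       # mov eax, [eax+0x0c]  (PEB->Ldr)
    + b"kernel32.dll\x00"
    + b"LoadLibraryA\x00"
    + b"GetProcAddress\x00"
)
XOR_KEY = 0x5A
ENCRYPTED_BLOB = bytes(b ^ XOR_KEY for b in PLAINTEXT_BLOB)

# Byte patterns that usually survive in a decoded shellcode blob.
MARKERS = {
    "peb-walk": bytes.fromhex("64a130000000"),
    "kernel32": b"kernel32",
    "LoadLibraryA": b"LoadLibraryA",
    "GetProcAddress": b"GetProcAddress",
}


def build_ole10native(label, src_path, temp_path, payload):
    """Serialise a Packager (\\x01Ole10Native) stream in the commonly documented
    layout (assumed here): total size, flags word, label, source path, a
    reserved dword, a length-prefixed temp path, then the embedded file."""
    body = struct.pack("<H", 0x0002)
    body += label + b"\x00"
    body += src_path + b"\x00"
    body += struct.pack("<L", 0)                      # reserved / unknown dword
    body += struct.pack("<L", len(temp_path) + 1)      # temp path length incl. NUL
    body += temp_path + b"\x00"
    body += struct.pack("<L", len(payload))            # embedded file size
    body += payload
    return struct.pack("<L", len(body)) + body


def _cstring(buf, pos):
    end = buf.find(b"\x00", pos)
    if end == -1:
        raise ValueError("unterminated string in Ole10Native stream")
    return buf[pos:end], end + 1


def parse_ole10native(stream):
    """Recover the embedded file; every length field is bounds-checked because
    a malformed stream is itself worth flagging rather than crashing on."""
    total = struct.unpack_from("<L", stream, 0)[0]
    body = stream[4:4 + total]
    if len(body) != total:
        raise ValueError("stream shorter than declared size")
    pos = 2                                            # skip flags word
    label, pos = _cstring(body, pos)
    src_path, pos = _cstring(body, pos)
    pos += 4                                           # reserved dword
    tmp_len = struct.unpack_from("<L", body, pos)[0]
    pos += 4
    temp_path = body[pos:pos + tmp_len].rstrip(b"\x00")
    pos += tmp_len
    size = struct.unpack_from("<L", body, pos)[0]
    pos += 4
    data = body[pos:pos + size]
    if len(data) != size:
        raise ValueError("embedded file truncated")
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "data": data}


def xor_search(data, markers=MARKERS):
    """Single-byte XOR brute force (the idea behind XORSearch): decode with
    every key and report (key, offset, marker) for each marker that appears."""
    hits = []
    for key in range(256):
        decoded = bytes(b ^ key for b in data)
        for name, marker in markers.items():
            off = decoded.find(marker)
            while off != -1:
                hits.append((key, off, name))
                off = decoded.find(marker, off + 1)
    return sorted(hits)


def triage(stream):
    """Parse the stream, pick the key most markers agree on, and use the first
    PEB-walk stub as a heuristic (not emulated) entry-offset candidate."""
    obj = parse_ole10native(stream)
    hits = xor_search(obj["data"])
    if not hits:
        return dict(obj, key=None, entry_offset=None, markers=[], decoded=b"")
    votes = {}
    for key, _, _ in hits:
        votes[key] = votes.get(key, 0) + 1
    key = max(votes, key=votes.get)
    markers = [(off, name) for k, off, name in hits if k == key]
    peb = [off for off, name in markers if name == "peb-walk"]
    return dict(obj, key=key, entry_offset=min(peb) if peb else None,
                markers=markers, decoded=bytes(b ^ key for b in obj["data"]))


# Constructed stream, as it would be carved out of xl/embeddings/oleObject1.bin.
SAMPLE_STREAM = build_ole10native(
    b"Purchase_Order.exe", b"C:\\Users\\sender\\Desktop\\Purchase_Order.exe",
    b"C:\\Users\\sender\\AppData\\Local\\Temp\\Purchase_Order.exe", ENCRYPTED_BLOB)

if __name__ == "__main__":
    r = triage(SAMPLE_STREAM)
    print(f"label={r['label']!r} key=0x{r['key']:02x} entry=+{r['entry_offset']}")
    for off, name in r["markers"]:
        print(f"  +{off:<4d} {name}")
```

On a real sample the stream comes from the OLE container inside the .xlam (unzip it, then open `xl/embeddings/oleObject*.bin` with an OLE parser such as olefile); the decoded blob is then handed to scdbg, which does the actual emulation the article describes. The key-voting step matters because a single marker can collide with a wrong key by chance, whereas several markers agreeing on one key rarely do.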
"While analysing the .NET compiled binaries, it's good to pay attention to the classes/methods that use 'Drawing,'" Kumar pointed out. "The reason for this is that a lot of .NET malware will load a bitmap or object from its resource section and reflectively load the next stage into memory."
That .NET executable then unpacks a byte array and uses a steganographic image resource to load a second-stage DLL into memory, which in turn reflectively injects a third-stage module, the XWorm RAT itself. Each stage is loaded or executed in memory, minimizing on-disk artifacts and complicating detection.
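When triaging a bitmap resource like the one described above, the first question is whether a PE image is sitting in the pixel bytes and in which byte order. A BMP is stored bottom-up and BGR on disk, while a .NET loader that reads the image back through `Bitmap.LockBits` or a `GetPixel` loop sees it top-down and often rebuilds bytes as R,G,B, so a naive `strings`/carve over the raw resource can miss a payload that is plainly there. The script below is an added example, not the XWorm loader or Forcepoint's analysis; it assumes the payload was written straight into the pixel bytes (no LSB encoding), and the bitmap, the cover bytes and the minimal "PE" stand-in (just an MZ header whose e_lfanew points at a PE signature) are constructed for the demonstration.

```python
import struct

# Constructed stand-in for a hidden stage: the smallest thing that passes the
# MZ / e_lfanew / PE checks (not a loadable binary). e_lfanew = 0x40.
FAKE_PE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<L", 0x40)
           + b"PE\x00\x00" + bytes.fromhex("4c01"))      # IMAGE_FILE_MACHINE_I386


def build_bmp(width, height, top_down_pixels, bpp=24):
    """Write a bottom-up Windows BMP whose pixel bytes are taken from a top-down
    buffer (the order a SetPixel loop would fill them in)."""
    stride = ((width * bpp + 31) // 32) * 4
    row_bytes = width * bpp // 8
    rows = [top_down_pixels[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\x00")
            for r in range(height)]
    pixel_data = b"".join(reversed(rows))                # BMP stores rows bottom-up
    info = struct.pack("<LllHHLLllLL", 40, width, height, 1, bpp, 0,
                       len(pixel_data), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sLHHL", b"BM", 14 + 40 + len(pixel_data), 0, 0, 54)
    return file_hdr + info + pixel_data


def bmp_pixel_bytes(bmp, top_down):
    """Return the unpadded pixel bytes, either in file order or re-ordered
    top-down (what Bitmap.LockBits / GetPixel loops observe)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    data_off = struct.unpack_from("<L", bmp, 10)[0]
    width, height = struct.unpack_from("<ll", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    stride = ((width * bpp + 31) // 32) * 4
    row_bytes = width * bpp // 8
    rows = [bmp[data_off + r * stride:data_off + r * stride + row_bytes]
            for r in range(abs(height))]
    if top_down == (height > 0):   # file order differs from the requested order
        rows.reverse()
    return b"".join(rows)


def swap_channels(buf):
    """BGR on disk -> RGB per pixel, for loaders that rebuild bytes as R,G,B."""
    usable = len(buf) - len(buf) % 3
    return b"".join(buf[i:i + 3][::-1] for i in range(0, usable, 3))


def carve_pe(buf):
    """Offset of the first 'MZ' whose e_lfanew points at a 'PE\\0\\0', else -1."""
    off = buf.find(b"MZ")
    while off != -1:
        if off + 0x40 <= len(buf):
            pe = off + struct.unpack_from("<L", buf, off + 0x3C)[0]
            if 0 < pe <= len(buf) - 4 and buf[pe:pe + 4] == b"PE\x00\x00":
                return off
        off = buf.find(b"MZ", off + 1)
    return -1


def find_pe_in_bitmap(bmp):
    """Try the byte orderings a .NET steganography loader commonly produces and
    return (ordering, offset, carved_bytes) for the first that contains a PE."""
    candidates = [
        ("file-order", bmp_pixel_bytes(bmp, top_down=False)),
        ("top-down", bmp_pixel_bytes(bmp, top_down=True)),
        ("top-down-rgb", swap_channels(bmp_pixel_bytes(bmp, top_down=True))),
    ]
    for name, buf in candidates:
        off = carve_pe(buf)
        if off != -1:
            return name, off, buf[off:]
    return None, -1, b""


# Constructed resource: two bytes of cover data, then the hidden stage, laid
# out top-down across a 4x6 24-bit bitmap (72 pixel bytes).
SAMPLE_BMP = build_bmp(4, 6, b"\x13\x37" + FAKE_PE)

if __name__ == "__main__":
    order, off, blob = find_pe_in_bitmap(SAMPLE_BMP)
    print(f"ordering={order} offset={off} carved={len(blob)} bytes")
```

On the constructed sample the raw file order finds nothing, because the bottom-up row order splits the MZ header from its PE signature, while the top-down reconstruction recovers the stage at offset 2. The resource itself would come from the .NET assembly's `.resources` blob (for example via dnSpy or ILSpy); if no ordering yields a PE, the loader is probably applying its own decoding on top, which is where Kumar's advice to read the `Drawing`-using methods pays off.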