“A fileless .NET stage loaded in reminiscence, adopted by course of hollowing into msbuild.exe, is a clear ‘mix in’ transfer that leverages a authentic .NET-capable binary and complicates attribution for simplistic detections,” Soroko mentioned. “Fortinet’s rationale for msbuild.exe is very helpful for defenders as a result of it ties the LOLBin option to the malware’s .NET runtime wants, not simply generic masquerading.”
As soon as lively, XWorm communicates with its C2 utilizing an AES-encrypted packet, which helps a broad plugin ecosystem. That modularity, the researchers famous, expands its capabilities past distant entry, enabling credential theft, knowledge exfiltration, disruption, and modernization paths relying on what the operator needs.
Fortinet mentioned XWorm helps a variety of operator instructions, together with system management (CLOSE, uninstall, replace), file obtain and execution (DW, LN), plugin loading, screenshot seize ($Cap), keylogger retrieval, DDoS management, and shutdown or restart capabilities. The disclosure additionally listed indicators of compromise tied to the marketing campaign, together with phishing URLs and domains used to host HTA and loader information, the C2 server, file hashes for the malicious Excel attachment, and the ultimate XWorm payload.
