Date: 01/02/2025
Severity: Medium
Summary
This advisory covers XWorm, a versatile Malware-as-a-Service (MaaS) sold on darknet forums, which is being deployed against businesses in the United Kingdom's hospitality sector. XWorm functions primarily as a Remote Access Tool (RAT), giving attackers control over compromised systems. It also includes self-propagating features that let it spread across networks autonomously, which makes it a significant threat to hospitality organizations and puts sensitive data and systems at risk.
Indicators of Compromise (IOC) List
Type | Indicator
URL/Domain | https://extraguestreview.com
URL/Domain | http://92.255.57.155/Capcha.html
URL/Domain | http://92.255.57.155/1/1.png
URL/Domain | http://92.255.57.155/1/2.png
IP Address | 92.255.57.155
SHA-256 Hash | 6c327eec94240fa4d1b7141396a7a1e01d76120ab7fca9ae38e5202ce2e916f9
SHA-256 Hash | ffac95298176d8441ae088c6d5e95b0892afa9768876d3c749404eb31d4b4b6a
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "https://extraguestreview.com" or url like "https://extraguestreview.com" or userdomainname like "http://92.255.57.155/1/2.png" or url like "http://92.255.57.155/1/2.png" or userdomainname like "http://92.255.57.155/1/1.png" or url like "http://92.255.57.155/1/1.png" or userdomainname like "http://92.255.57.155/Capcha.html" or url like "http://92.255.57.155/Capcha.html" |
Detection Query 2 | dstipaddress IN ("92.255.57.155") or ipaddress IN ("92.255.57.155") or publicipaddress IN ("92.255.57.155") or srcipaddress IN ("92.255.57.155") |
Detection Query 3 | sha256hash IN ("6c327eec94240fa4d1b7141396a7a1e01d76120ab7fca9ae38e5202ce2e916f9","ffac95298176d8441ae088c6d5e95b0892afa9768876d3c749404eb31d4b4b6a") |
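As an added example (not part of the advisory or of Gurucul's product), the following Python applies the three detection queries above to constructed log events, normalising case and trailing slashes before comparing. Treating `like` without wildcards as an equality test is an assumption about the query dialect, and the sample events are constructed, not real telemetry.

```python
# IOC values copied from the advisory's IOC table above.
IOC_URLS = {
    "https://extraguestreview.com",
    "http://92.255.57.155/Capcha.html",
    "http://92.255.57.155/1/1.png",
    "http://92.255.57.155/1/2.png",
}
IOC_IPS = {"92.255.57.155"}
IOC_SHA256 = {
    "6c327eec94240fa4d1b7141396a7a1e01d76120ab7fca9ae38e5202ce2e916f9",
    "ffac95298176d8441ae088c6d5e95b0892afa9768876d3c749404eb31d4b4b6a",
}
# Field names are the ones used in Detection Queries 1-3.
URL_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def norm_url(value):
    """Lower-case and drop a trailing slash so 'https://host/' equals 'https://host'."""
    return value.strip().lower().rstrip("/")

NORM_IOC_URLS = {norm_url(u) for u in IOC_URLS}

def match_event(event):
    """Return (query, field, ioc) tuples for every IOC the event hits."""
    # `like` without wildcards is treated as equality (SQL semantics); the exact
    # Gurucul `like` behaviour is an assumption, not taken from the advisory.
    hits = []
    for field in URL_FIELDS:
        if field in event and norm_url(event[field]) in NORM_IOC_URLS:
            hits.append(("Detection Query 1", field, norm_url(event[field])))
    for field in IP_FIELDS:
        if event.get(field, "").strip() in IOC_IPS:
            hits.append(("Detection Query 2", field, event[field].strip()))
    for field in HASH_FIELDS:
        if event.get(field, "").strip().lower() in IOC_SHA256:
            hits.append(("Detection Query 3", field, event[field].strip().lower()))
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"source": "proxy", "url": "HTTP://92.255.57.155/Capcha.html", "srcipaddress": "10.0.0.5"},
    {"source": "firewall", "dstipaddress": "92.255.57.155", "srcipaddress": "10.0.0.7"},
    {"source": "edr", "sha256hash": "FFAC95298176D8441AE088C6D5E95B0892AFA9768876D3C749404EB31D4B4B6A"},
    {"source": "proxy", "url": "https://example.org/", "dstipaddress": "93.184.216.34"},
]

def scan(events=SAMPLE_EVENTS):
    """Run all three queries over a batch and return (source, hit) pairs."""
    return [(e["source"], hit) for e in events for hit in match_event(e)]
```

Only the first three sample events hit (one per query); the fourth is benign traffic and produces no match, which is the false-positive check worth keeping when porting these queries to another SIEM.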
Reference:
https://www.forcepoint.com/blog/x-labs/xworm-malware-targets-united-kingdom-hospitality-sector