Date: 07/03/2025
Severity: High
Summary
XWorm is a widely used and actively maintained remote access trojan (RAT) that provides keylogging, remote control of the infected host, and data theft. Its modular design, ease of use, and regular updates make it attractive to cybercriminals. Threat actors have used XWorm in attacks against the software supply chain and the gaming sector. In one campaign, XWorm and AsyncRAT were used to gain initial access and then deploy ransomware built with the leaked LockBit Black builder.
Indicators of Compromise (IOC) List
Hash (SHA-256):
78b15b9b54925120b713a52a09c66674463bd689e3b01395801ef58c77651127
8044220d34e77501df4a9831ac27802261ea2309f104bb49ac00301df36dee72
665e41e416954d5ff623a37c7bce17d409c11e003c29ae9ddeb25fc736e533c7
9db47f709898b79c9ac07e6352de9be05d6b2b91902c146272e47c17c6b8d5b2
0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f
354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9
28859e4387fefb9d1f36fdf711d1b058df5effe21d726cfe6a9a285f96db1c98
327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf
4a885cec3833f3872e1e38f9149936fe6bcda2181e0df163556497d42383cffa
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Hash:
sha256hash IN ("8044220d34e77501df4a9831ac27802261ea2309f104bb49ac00301df36dee72","665e41e416954d5ff623a37c7bce17d409c11e003c29ae9ddeb25fc736e533c7","9db47f709898b79c9ac07e6352de9be05d6b2b91902c146272e47c17c6b8d5b2","0f10d6cbaf195a7b0c9f708b7f0a225e2de29beb769bdf8d1652b682b1c4679f","354d082858bfc5e24133854ff14bb2e89bc16e1b010b9d3372c8370d3144cdb9","78b15b9b54925120b713a52a09c66674463bd689e3b01395801ef58c77651127","28859e4387fefb9d1f36fdf711d1b058df5effe21d726cfe6a9a285f96db1c98","327a98bd948262a10e37e7d0692c95e30ba41ace15fe01d8e614a9813ad9d5cf","4a885cec3833f3872e1e38f9149936fe6bcda2181e0df163556497d42383cffa")
Reference:
https://www.splunk.com/en_us/blog/security/xworm-shape-shifting-arsenal-detection-evasion.html