Key Takeaways
What is XWorm?
CERT Polska recently reported on XWorm, a .NET based, modular, multi-purpose malware family most often used as a RAT. It has been active in the wild since at least 2022.
The sample CERT Polska analyzed was distributed via malspam containing a .lzh file. The .lzh file contained an .EXE. The use of an .lzh file was an interesting choice, as it is a rarely used open-source file format, whose last stable release was over 30 years ago. CERT Polska assessed this file format was chosen in an attempt to evade detection.
CERT Polska analyzed the .EXE and found that it was not heavily obfuscated and was mostly likely written in VisualBasic. Upon checking the file’s resources, they found three resources. Two were images, including an explicit NSFW image of a female, and a bitmap containing seemingly random pixels. A third resource contained what appeared to be random strings.
CERT Polska noted reverse engineering the code was a challenge, as the malicious code was hidden amongst legitimate code that was probably copied from an open-source project. CERT Polska researchers found that the malicious code snippet was hidden in an InitializeComponent method of the main window. The program performed a few simple operations on a long string found in the code, converted it to bytes, and then loaded it as .NET assembly. It then called a method named DeleteMC on the result.
Unpacking this payload led to a binary that decrypted another layer of malware and loaded it with AppDomain.Load. The passed resource_name ended up being the file name of the suspicious bitmap discovered earlier in the reversing process. After decrypting the bitmap, the researchers obtained the unpacked sample, which contained obfuscated code.
Following decryption, the researchers finally had the unpacked XWorm sample. The XWorm sample was compact. Its configuration was stored unencrypted in a static class, and the data itself was encrypted using AES ECB with the MD5 hash of the “Mutex” field as the key.
XWorm’s capabilities include keylogging, a USB spreader capability, an uninstaller capability, and simple antivirus evasion capabilities. As a RAT, it also has C2 communication capabilities and the ability to download plugins.
IOCs
Hashes
PolySwarm has over 1700 samples of XWorm and is monitoring for additional samples. A limited selection of XWorm hashes is provided below.
64f690f98b36dd0fa9bc7e4cbfc9b64201a9f3ab66c3f122efdfd7bb755b3434
3264d09d3a398417226b7d346c2fc4757ffa445373763e2d7c2f18ef6edb2354
d0354d9dba1229815a1c14067e84ac5c113bfbd398d95e5847de76592e03602f
7a61fcf00b368d4e5efe55c3d5b09b417422f081b4154a5b264a211c30959ed2
f995d58bbe6383947308e35ffc36eba0fe3e357c2d4d9612dbf4bb2fa0f992b4
You can use the following CLI command to search for all XWorm samples in our portal:
$ polyswarm link list -f XWorm
C2 Information
PolySwarm analysts extracted the following C2 information from our XWorm samples.
01001001.hopto[.]org
0.tcp.ap.ngrok[.]io
0.tcp.sa.ngrok[.]io
103.114.106[.]183
103.170.118[.]35
103.82.25[.]115
103.89.90[.]254
103.89.90[.]54
104.220.158[.]189
104.234.239[.]223
104.250.188[.]95
10.9.106[.]226
134.209.31[.]145
147.185.221[.]16
151.106.34[.]192
16.ip.gl.ply[.]gg
172.28.174[.]227
180.ip.ply[.]gg
185.239.237[.]162
188.142.164[.]175
192.168.1[.]66
192.168.3[.]176
192.168.35[.]130
192.168.43[.]70
20.235.249[.]143
211.ip.ply[.]gg
2.90.111[.]24
theslayer.ddns[.]net
93.169.183[.]100
37.5.252[.]247
41.216.188[.]29
4.tcp.eu.ngrok[.]io
6.tcp.eu.ngrok[.]io:10043
7.tcp.eu.ngrok[.]io
2.tcp.eu.ngrok[.]io
79.112.239[.]222
7.tcp.eu.ngrok[.]io
82.216.54[.]76
82.216.54[.]76
86.217.176[.]218
alw7sh.ddns[.]net
haroun.ddns[.]net
rattfilly.ddns[.]net
swezy.ddns[.]net
130.51.20[.]126
132.145.149[.]132
13.48.157[.]143
13.48.194[.]80
13.48.68[.]245
138.128.241[.]237
139.84.228[.]75
140.228.29[.]162
141.94.61[.]23
144.202.69[.]96
146.19.230[.]52
146.70.162[.]122
147.185.221[.]16
147.185.221[.]16
192.168.1[.]9
upon-uzbekistan.gl.at.ply[.]gg
147.185.221[.]180
147.185.221[.]223
152.228.179[.]67
15.228.35[.]69
15.228.89[.]234
152.67.162[.]194
155.138.163[.]166
157.245.65[.]139
16.16.96[.]108
163.5.215[.]212
167.71.56[.]116
168.196.90[.]183
16.ip.gl.ply[.]gg
171.22.28[.]214
172.177.19[.]106
172.23.250[.]47
172.233.206[.]110
172.28.93[.]20
172.81.61[.]206
172.99.233[.]17
173.0.60[.]172
173.212.237[.]121
178.236.246[.]29
178.236.247[.]70
179.118.199[.]252
180.ip.ply[.]gg
181.ip.ply[.]gg
18.230.117[.]219
18.231.156[.]119
185.110.188[.]112
185.179.218[.]73
185.179.219[.]117
185.225.73[.]231
185.225.73[.]47
185.228.72[.]8
185.94.29[.]178
188.134.71[.]71
192.121.87[.]108
192.168.0[.]108
192.168.0[.]111
192.168.100[.]239
192.168.100[.]1
192.168.100[.]3
192.168.1[.]121
192.168.119[.]131
192.168.1[.]221
192.168.1[.]56
147.185.221[.]16
192.168.1[.]9
192.168.199[.]244
192.168.240[.]135
192.168.3[.]34
192.168.56[.]1
176.160.207[.]4
192.168.68[.]102
192.168.68[.]114
192.168.88[.]1
192.168.88[.]23
79.184.28[.]103
79.184.16[.]35
193.161.193[.]99
193.42.33[.]22
194.145.138[.]88
194.59.31[.]105
194.9.6[.]69
194.ip.ply[.]gg
198.50.187[.]74
199.115.193[.]171
1.tcp.ngrok[.]io
20.197.231[.]178
207.32.216[.]103
20.83.154[.]19
209.25.140[.]181
209.25.141[.]180
209.25.141[.]181
209.25.141[.]2
212.2.236[.]208
212.87.204[.]124
212.ip.ply[.]gg
223.ip.ply[.]gg
2.tcp.eu.ngrok[.]io
2.tcp.us-cal-1.ngrok[.]io
31.220.76[.]124
35.220.199[.]19
37.120.132[.]91
3llah.vpndns[.]net
41.216.188[.]29
45.141.26[.]8
45.154.98[.]251
45.94.4[.]108
4Mekey.myftp[.]biz
4.tcp.eu.ngrok[.]io
4.tcp.ngrok[.]io
5.104.75[.]36
51.195.198[.]173
51.81.42[.]49
51.89.220[.]50
52.67.123[.]186
54.249.72[.]19
5.78.76[.]189
5.tcp.eu.ngrok[.]io
62.234.41[.]178
64.235.38[.]13
64.235.61[.]43
65.0.50[.]125
65.109.10[.]250
67.213.221[.]18
6.tcp.eu.ngrok[.]io
6.tcp.ngrok[.]io
6.tcp.us-cal-1.ngrok[.]io
70.36.101[.]173
71.94.90[.]168
74.249.51[.]255
787.67.79[.]90
79.134.225[.]86
7.tcp.eu.ngrok[.]io
7.tcp.ngrok[.]io
80.76.51[.]232
81.230.10[.]189
82.117.253[.]63
85.217.144[.]175
87.207.144[.]125
88.214.56[.]103
8.tcp.ngrok[.]io
8.tcp.us-cal-1.ngrok[.]io
91.200.102[.]86
91.45.164[.]164
93.114.145[.]94
95.216.128[.]12
academic-submit.at.ply[.]gg
according-psp.at.ply[.]gg
add-eating.at.ply[.]gg
adult-infections.at.ply[.]gg
advertise-standings.at.ply[.]gg
amineaskary234.ddns[.]net
among-publication.at.ply[.]gg
anon19-52188.portmap[.]host
apiupdate.duckdns[.]org
artist-neither.at.ply[.]gg
art-mc.at.ply[.]gg
arts-guides.at.ply[.]gg
arts-tasks.at.ply[.]gg
authority-netscape.at.ply[.]gg
bagikeh241-22487.portmap[.]host
batman111.ddns[.]net
bed-cheat.at.ply[.]gg
blackid-48194.portmap[.]host
books-arbor.at.ply[.]gg
br1.localtonet[.]com
braven.ddns[.]net
brown-il.at.ply[.]gg
bsrpppjamui.duckdns[.]org
businesses-dig.gl.at.ply[.]gg
caloi1920.ddns[.]net
canyouseeme22.ddns[.]net
cd-simon.at.ply[.]gg
changes-hl.at.ply[.]gg
chydnoy-24488.portmap[.]io
classic-lovers.at.ply[.]gg
clear-trash.at.ply[.]gg
cnet-collection.gl.at.ply[.]gg
compare-hill.gl.at.ply[.]gg
com-retailer.gl.at.ply[.]gg
condition-dear.gl.at.ply[.]gg
conditions-monthly.at.ply[.]gg
considered-stars.at.ply[.]gg
contains-defense.at.ply[.]gg
copy-marco.gl.at.ply[.]gg
cross-romania.gl.at.ply[.]gg
custom-proc.at.ply[.]gg
daoudvip.ddns[.]net
dapperdesigns.for-better[.]biz
dating-jesse.gl.at.ply[.]gg
deals-softball.at.ply[.]gg
dei12345-48929.portmap[.]host
digital-oracle.gl.at.ply[.]gg
DizzyWizzy-61490.portmap[.]host
dzghost10.ddns[.]net
Emes-35574.portmap[.]host
eurotracking.ddns[.]net
f8terat.ddns[.]net
face-kissing.gl.at.ply[.]gg
fair-my.at.ply[.]gg
fatality.ddns[.]net
federal-worst.at.ply[.]gg
fee-harmful.gl.at.ply[.]gg
fee-harmful.gl.at.ply[.]gg:41934
foranother1337.publicvm[.]com
frank4893.duckdns[.]org
frostycheats-30646.portmap[.]host
futurist2.ddns[.]net
gartnerllc.ddns[.]net
gegeo.duckdns[.]org
germany-vs.at.ply[.]gg
gift-my.gl.at.ply[.]gg
goheg99417-59409.portmap[.]host
gold-peoples.gl.at.ply[.]gg:56190
gold-peoples.gl.at.ply[.]gg
googlplayservice.ddns[.]net
gtagtagta4321.ddns[.]net
gtagtagtali321.ddns[.]net
gyiuogigf.duckdns[.]org
h2ckedbyzngyy.ddns[.]net
hack-775[.]tk
hair-completely.at.ply[.]gg
hfhhdh.hopto[.]org
his-observer.gl.at.ply[.]gg
hope-mutual.at.ply[.]gg
http://103.118.30[.]113/ip2
https://fvia.id[.]vn/ip
https://fviatool[.]com/ip
https.myvnc[.]com
https://rentry[.]co/vy6o4/raw
https://want[.]pw/raw.php.id=0
ichbineinvogel2[.]duckdns[.]org
iie.ddns[.]me
inc-earlier.gl.at.ply[.]gg
includes-ear.at.ply[.]gg
includes-ear.at.ply[.]gg
income-knit.at.ply[.]gg
industrial-retail.at.ply[.]gg
instruments-specials.at.ply[.]gg
int-certainly.at.ply[.]gg
investment-unwrap.gl.at.ply[.]gg
is-crawford.at.ply[.]gg
items-cl.gl.at.ply[.]gg
it-hansen.at.ply[.]gg
iuhwdqnjk.duckdns[.]org
jajaovh.duckdns[.]org
japanese-elephant.at.ply[.]gg
jeanjaques.ddns[.]net
jeje.linkpc[.]net
jersey-council.at.ply[.]gg
johnmcro-43756.portmap[.]host
jotinha.sytes[.]net
kids-abstract.at.ply[.]gg
killertype.ddns[.]net
knowledge-winds.at.ply[.]gg
kriz-nas.ddnss[.]de
like-keeps.at.ply[.]gg
line-ellis.gl.at.ply[.]gg
links-recovered.at.ply[.]gg
list-slow.gl.at.ply[.]gg
m0ney7.ddns[.]net
may-donations.gl.at.ply[.]gg
messages-dash.gl.at.ply[.]gg
methods-workout.at.ply[.]gg
midia.ddns[.]net
miles-c.at.ply[.]gg
mini-ohio.gl.at.ply[.]gg
miopsbn.con-ip[.]com
mo1010.duckdns[.]org
mode-apollo.gl.at.ply[.]gg
momentmoney79.duckdns[.]org
monkeys11-39982.portmap[.]host
mrindianhackervijay.duckdns[.]org
ms-teams.duckdns[.]org
multi-asia.gl.at.ply[.]gg
mycoolhostlol.ddns[.]net
myip.myftp[.]org
name-shadows.at.ply[.]gg
nikvenom.ddns[.]net
no-sofa.at.ply[.]gg
nov231122.con-ip[.]com
office-dawson.duckdns[.]org
onsecurity.onthewifi[.]com
options-november.gl.at.ply[.]gg
over-llp.gl.at.ply[.]gg
paul-positive.at.ply[.]gg
paycei.hopto[.]org
personal-festival.gl.at.ply[.]gg
pipirka-39415.portmap[.]host
pressure-powers.gl.at.ply[.]gg
prices-grab.at.ply[.]gg
privatedomain.ddns[.]net
problem-progress.at.ply[.]gg
programs-scsi.at.ply[.]gg
R3dm0v3-52006.portmap[.]host
raizen.serveftp[.]com
Raizen.serveftp[.]com
rated-david.at.ply[.]gg
ready-stereo.gl.at.ply[.]gg
received-cuba.gl.at.ply[.]gg
received-cuba.gl.at.ply[.]gg
147.185.221[.]16
16.ip.gl.ply[.]gg
registered-dt.at.ply[.]gg
require-cards.gl.at.ply[.]gg
requirements-nav.at.ply[.]gg
require-sonic.at.ply[.]gg
return-interpreted.at.ply[.]gg
rick63.publicvm[.]com
risk-groove.gl.at.ply[.]gg
rodfalcao-41253.portmap[.]host
rules-views.at.ply[.]gg
Sakilafra-22838.portmap[.]io
same-impact.at.ply[.]gg
same-impact.at.ply[.]gg
Sanael-30497.portmap[.]host
saturbis1111-31905.portmap[.]host
save-corp.gl.at.ply[.]gg
sbss.ddns[.]net
sdfwdewdwe.ddns[.]net
secded21.duckdns[.]org
seems-racing.gl.at.ply[.]gg
selection-chorus.gl.at.ply[.]gg
sepatico.duckdns[.]org
septiembre2022.duckdns[.]org
server-client.sytes[.]net
serverwindor.duckdns[.]org
shows-brussels.gl.at.ply[.]gg
simply-cash.at.ply[.]gg
society-painted.at.ply[.]gg
soon-lp.at.ply[.]gg
speed-awards.gl.at.ply[.]gg
standard-seekers.at.ply[.]gg
starting-brave.at.ply[.]gg
stores-anytime.at.ply[.]gg
superhack3.ddns[.]net
swezy.ddns[.]net
79.253.77[.]103
teddytroja.duckdns[.]org
telebit[.]cloud
testarosa.duckdns[.]org
testbot123.ddns[.]net
that-oecd.at.ply[.]gg
thehill.ddns[.]net
to-laden.gl.at.ply[.]gg
topics-junior.at.ply[.]gg
tr2.localto[.]net
trial-pour.at.ply[.]gg
u-latter.at.ply[.]gg
unit-satisfactory.at.ply[.]gg
unless-inflation.at.ply[.]gg
up-scanners.gl.at.ply[.]gg
us1.localto[.]net
us-result.at.ply[.]gg
van-floppy.gl.at.ply[.]gg
video-unlikely.at.ply[.]gg
Viiper1337-29699.portmap[.]host
virtual-blonde.gl.at.ply[.]gg:57778
virtual-blonde.gl.at.ply[.]gg
viruswashere.ddns[.]net
wasmjmal052-28109.portmap[.]host
webchek.redirectme[.]net
windowsdriver.theworkpc[.]com
windowsmanagerhost.ddns[.]net
windows.theworkpc[.]com
winter-rd.at.ply[.]gg
wiz.bounceme[.]net
worknow.con-ip[.]com
ws728sb.ddns[.]net
year-receiver.at.ply[.]gg
years-distributor.at.ply[.]gg
you-irc.at.ply[.]gg
youtubevideos.ddns[.]net
zorro12.ddns[.]net
zorro5772.ddns[.]net
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.