XWorm Malware Analysis: SOC & IR Perspective on Persistence, C2, and Anti-Analysis Tactics

medium.com · Zyad Elzyat · 7 months ago · research
Zyad Waleed Elzyat · ~4 min read · September 12, 2025 (Updated: September 12, 2025)

XWorm malware analysis from a SOC & IR perspective. Learn about persistence, C2, encryption, anti-analysis tactics, and key IOCs for detection & response.

Introduction

In recent years, XWorm malware has emerged as one of the more versatile and evasive threats targeting enterprises and individuals alike. Written in .NET, this remote-access trojan (RAT) and backdoor family has been observed delivering persistent access, data exfiltration, and encrypted command-and-control (C2) communication. In this article, we break down the findings of an in-depth analysis of two XWorm samples, exploring their encryption, persistence mechanisms, anti-analysis tricks, and the Indicators of Compromise (IOCs) defenders need to know.

📌 This report is written from a SOC (Security Operations Center) and Incident Response (IR) perspective, focusing on actionable insights for detection, containment, and mitigation.
Table of Contents

- Malware Samples Information
- Command and Control (C2) Infrastructure
- De-Obfuscation Techniques
- Malware Encryption Algorithm
- Persistence Mechanisms
- Information Gathering and Exfiltration
- Anti-Analysis Techniques
- IOCs

Malware Samples Analyzed

Two malicious executables were reviewed, both heavily obfuscated .NET binaries:

Sample 1 Details:
- MD5: 7c7aff561f11d16a6ec8a999a2b8cdad
- SHA-1: a3f6e039f346a7234bf5243568c05d63cc01fd87
- SHA-256: ced525930c76834184b4e194077c8c4e7342b3323544365b714943519a0f92af
- Type: .NET Executable

Sample 2 Details:
- MD5: 806e784be61b0321fb659dab71a109f8
- SHA-1: 6fa16df45e33d90c75a43a2412a7fe98ab7fb859
- SHA-256: 94ec50f2df421486907c7533ee4380c219b57cf23ebab9fce3f03334408e4c06
- Type: .NET Executable

Both exhibited high entropy, signaling packing and string obfuscation, consistent with MITRE T1027.002 — Software Packing.

🔍 Takeaway: Always submit suspicious hashes to VirusTotal, Triage, or AnyRun during SOC triage.

Command and Control (C2)

XWorm uses multiple IPs, domains, and Telegram channels for command-and-control. This redundancy makes simple IP blocking insufficient. Key C2 infrastructure identified:

- IPs: 104.208.16.94, 185.117.249.43, 20.69.140.28
- Domains: copy-marco.gl.at.ply.gg, fp2e7a.wpc.2be4.phicdn.net
- Telegram Bot API: leveraged for exfiltration and tasking

Obfuscation & De-Obfuscation

XWorm relies on string encryption and packing to evade signature-based detection. Tools like de4dot can be used to reverse-engineer .NET obfuscation: https://github.com/kant2002/de4dot

After de-obfuscation, analysts gain access to clear AES-CBC encryption routines and persistence logic.

Encryption Algorithm

XWorm protects its C2 traffic with AES (RijndaelManaged in CBC mode), ensuring sensitive exfiltrated data remains concealed. This makes network-based detection harder, shifting the burden to behavioral monitoring and endpoint detection.
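As an added example (not code from the article), the C2 indicators above turned into a proxy-log triage check in Python. The log lines, the placeholder bot token and the beacon text are constructed; the Telegram Bot API path pattern and the "[XWorm V5.0]" version-tag regex are assumptions about how the beacon text is formatted.

```python
import re
from urllib.parse import urlparse, parse_qs

# Network indicators taken from the C2 section above.
C2_IPS = {"104.208.16.94", "185.117.249.43", "20.69.140.28"}
C2_DOMAINS = {"copy-marco.gl.at.ply.gg", "fp2e7a.wpc.2be4.phicdn.net"}
# Telegram Bot API paths look like /bot<token>/<method>; assumed methods used for tasking and exfil.
TELEGRAM_METHOD_RE = re.compile(r"^/bot[^/]+/(sendMessage|sendDocument|getUpdates)$")
# Version tag the implant places in its beacon text, e.g. "[XWorm V5.0]" (assumed format).
XWORM_TAG_RE = re.compile(r"\[XWorm V[\d.]+\]")

# Constructed proxy log (not from the article): timestamp, source, destination host, URL; bot token is a placeholder.
SAMPLE_PROXY_LOG = """\
2025-09-12T10:00:01Z 10.0.0.5 185.117.249.43 http://185.117.249.43/
2025-09-12T10:00:03Z 10.0.0.5 copy-marco.gl.at.ply.gg https://copy-marco.gl.at.ply.gg/
2025-09-12T10:00:07Z 10.0.0.5 api.telegram.org https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage?chat_id=-1&text=%E2%98%A0%20[XWorm%20V5.0]New%20Client
2025-09-12T10:00:09Z 10.0.0.7 www.example.com https://www.example.com/index.html
"""

def classify(line: str) -> list:
    """Return (reason, detail) alerts for one proxy log line; an empty list means nothing matched."""
    _ts, _src, dst, url = line.split(maxsplit=3)
    alerts = []
    if dst in C2_IPS:
        alerts.append(("known_c2_ip", dst))
    if dst in C2_DOMAINS:
        alerts.append(("known_c2_domain", dst))
    parsed = urlparse(url)
    if parsed.hostname == "api.telegram.org":
        m = TELEGRAM_METHOD_RE.match(parsed.path)
        if m:
            alerts.append(("telegram_bot_api", m.group(1)))
            # URL-decode the message body and look for the XWorm version tag.
            text = parse_qs(parsed.query).get("text", [""])[0]
            tag = XWORM_TAG_RE.search(text)
            if tag:
                alerts.append(("xworm_beacon", tag.group(0)))
    return alerts

def scan(log_text: str) -> list:
    """Scan a whole log; return [(src, dst, alerts)] for every line that produced alerts."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            alerts = classify(line)
            if alerts:
                hits.append((line.split()[1], line.split()[2], alerts))
    return hits
```

Matching on the Telegram beacon body, not just on IP blocklists, is what survives the infrastructure rotation the article warns about.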
Persistence Mechanisms

Persistence is achieved through multi-layered techniques, ensuring the malware runs again after reboot:

- Scheduled Tasks (MITRE T1053.005)
- Registry Run Keys / Startup Folder (MITRE T1547.001)
- AppData Placement for stealthy execution

Information Gathering & Exfiltration

XWorm collects system metadata, including:

- OS version
- Username & machine ID
- CPU/GPU/RAM details
- Connected USB devices

This telemetry is sent to Telegram, tagged with malware version identifiers like XWorm V5.0.

Anti-Analysis Techniques

XWorm implements robust evasion strategies:

- Debugger Detection — exits if a debugger is attached.
- VM / Sandbox Detection — scans for VMware and VirtualBox.
- Cloud/Hosting Checks — queries ip-api.com to detect AWS/Azure/Google Cloud.
- OS Version Filtering — avoids execution on older Windows (e.g., XP).

These map to MITRE ATT&CK IDs: T1497.001, T1497.002, T1622.

Indicators of Compromise (IOCs)

Add these IOCs to your threat-hunting lists, blocklists, and detection rules:

IP addresses and host:port pairs:
- 104.208.16.94
- 150.171.22.17
- 151.101.22.172
- 184.25.113.6
- 184.25.113.61
- 185.117.249.43
- 20.69.140.28
- 20.99.133.109
- 185.117.250.169:7000
- 66.175.239.149:7000

Domains and URLs:
- copy-marco.gl.at.ply.gg
- fp2e7a.wpc.2be4.phicdn.net
- hxxps[://]api[.]telegram[.]org/bot

Strings and file names:
- XWorm V5.0
- WmiPrvSE.exe
- WmiPrvSE.lnk
- Soundman.exe

Tags: #malware #malware-analysis #cybersecurity #security
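As an added example (not code from the article), a Python hunt over constructed Sysmon-like events for the persistence artefacts and file names listed above: Run-key values and scheduled-task actions pointing into AppData, .lnk drops in the Startup folder, and a WmiPrvSE.exe running from anywhere other than the real WMI provider host's directory. The event tuple shape, the user path, the schtasks command line and the known-good wbem directory are assumptions.

```python
import re

# Host artefact names listed in the IOC section above (compared case-insensitively).
XWORM_FILE_NAMES = {"wmiprvse.exe", "wmiprvse.lnk", "soundman.exe"}
# Assumed known-good location of the genuine WMI provider host; a WmiPrvSE.exe elsewhere is masquerading.
LEGIT_WMIPRVSE_DIR = "c:\\windows\\system32\\wbem\\"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\.+\.lnk$", re.I)
APPDATA_RE = re.compile(r"\\appdata\\", re.I)
TASK_ACTION_RE = re.compile(r'/tr\s+"([^"]+)"', re.I)  # assumes the schtasks /tr argument is quoted

# Constructed events in a Sysmon-like shape (not from the article): (event_type, subject, detail).
SAMPLE_EVENTS = [
    ("RegistryValueSet", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE",
     r"C:\Users\alice\AppData\Roaming\WmiPrvSE.exe"),
    ("FileCreate", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk", ""),
    ("ProcessCreate", r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "Soundman" /tr "C:\Users\alice\AppData\Roaming\Soundman.exe" /sc onlogon'),
    ("ProcessCreate", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    ("ProcessCreate", r"C:\Users\alice\AppData\Roaming\WmiPrvSE.exe", "WmiPrvSE.exe"),
]

def _basename(path: str) -> str:
    return path.strip('"').split("\\")[-1].lower()

def _suspicious_target(path: str) -> bool:
    """A persistence target is suspicious if it lives under AppData or uses a known XWorm file name."""
    return bool(APPDATA_RE.search(path)) or _basename(path) in XWORM_FILE_NAMES

def hunt(events: list) -> list:
    """Return (event_index, reason) for events matching XWorm-style persistence or masquerading."""
    hits = []
    for idx, (etype, subject, detail) in enumerate(events):
        if etype == "RegistryValueSet" and RUN_KEY_RE.search(subject) and _suspicious_target(detail):
            hits.append((idx, "run_key_to_appdata"))  # T1547.001
        elif etype == "FileCreate" and STARTUP_RE.search(subject):
            hits.append((idx, "startup_folder_lnk"))  # T1547.001
        elif etype == "ProcessCreate" and _basename(subject) == "schtasks.exe" and "/create" in detail.lower():
            m = TASK_ACTION_RE.search(detail)
            if m and _suspicious_target(m.group(1)):
                hits.append((idx, "scheduled_task_to_appdata"))  # T1053.005
        elif etype == "ProcessCreate" and _basename(subject) == "wmiprvse.exe" \
                and not subject.lower().startswith(LEGIT_WMIPRVSE_DIR):
            hits.append((idx, "wmiprvse_masquerade"))
    return hits
```

The legitimate WmiPrvSE.exe in event 3 produces no hit, which is the check that keeps the name-based indicator from flooding the queue with WMI noise.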