Built to hide, move, and persist on the target, the XWorm RAT was deployed abusing legitimate Windows APIs to fetch and execute a downloader, along with layered anti-analysis techniques, including API hashing, âunhookedâ calls, heavy obfuscation, and encryption.
Multi-stage attack hides RAT within spreadsheets
The âOLE10Nativeâ stream, extracted from the .xlam archive in the infection email, conceals an encrypted shellcode blob. Forcepoint analysts used XORSearch and scdbg to find the shellcodeâs execution offset and emulate it, revealing API calls that downloaded a .NET executable to the victimâs Application Data folder.
âWhile analysing the .NET compiled binaries, it is good to focus on the classes/methods that use âDrawing,ââ Kumar pointed out. âThe reason for this is that a lot of .NET malware will load a bitmap or object from its resource section and reflectively load the next stage into memory.â
That .NET executable then unpacks a byte array and uses a steganography image resource to load a second-stage DLL into memory, which in turn reflectively injects a third-stage moduleâthe XWorm RAT itself. Each stage is loaded or executed in memory, minimizing on-disk artifacts and complicating detection efforts.
