Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies

Published on

Published on

Published on

Nov 28, 2024

Nov 28, 2024

Nov 28, 2024

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
TABLE OF CONTENTS

Open directories, often left exposed due to poor operational security, have become a valuable source of intelligence on threat actor behavior. Recently, XWorm, a well-reported remote access trojan (RAT), has been identified in these directories-disguised as common software like web browsers, security tools, and file transfer apps, aiming to trick unsuspecting users.

In this blog post, we will:

  • Examine Open Directories as Intelligence Sources: Analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior.
  • Uncover Malware Disguises and Tactics: Detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.

Finding XWorm in the Wild With Hunt

AttackCapture™ in Hunt offers a comprehensive list of open directories, paired with a versatile tagging system that simplifies determining whether a server is malicious. Users can filter across 50+ tags, spanning malware families like XWorm, MITRE ATT&CK techniques, and even legitimate tools abused by threat actors. These tags are derived from dynamic analysis performed using Hatching Triage, providing high-confidence categorization based on observed behaviors and attributes of the files.

In this post, we'll utilize the XWorm tag to identify new and historical RAT instances hosted in open directories. This approach helps paint a clearer picture of the distribution strategies used over time, providing valuable insight into attacker behavior.

"XWorm" tag search results in AttackCapture™
Figure 1: "XWorm" tag search results in AttackCapture™ (Hunt).

These search results serve as a starting point for further analysis. Each entry can yield meaningful intelligence-identifying recurring infrastructure, correlating shared file names, or tracking shifts in adversary tactics.

Next, we'll examine specific examples of how XWorm is delivered through open directories. These recent findings provide a snapshot of attacker tactics, showing how XWorm is disguised as popular software to deceive users seeking legitimate downloads.

Exposing XWorm's Disguises

Case Example: 103.230.121[.]82 - SecurityHealthService.exe

Our first server, 103.230.121[.]82, hosted in Thailand on the Bangmod Enterprise Co., Ltd. network, contained only a single file: SecurityHealthService.exe.

Directory contents of 103.230.121[.]82
Figure 2: Directory contents of 103.230.121[.]82 (Hunt).

Named after a legitimate Windows component used to manage system health settings, such as antivirus and firewall status, the file was likely intended to blend in with typical operating system software and avoid suspicion.

Reviewing the IP address overview revealed that this server shared SSH keys (Fingerprint: 4b135301d2bcef2a32ae5f3e035b7df1e76d4b288f7cda69784d95ee860e3ad7) with over 100 other servers, many of which were on the same ASN. While this does not necessarily indicate that all these IPs are malicious, it represents an interesting pattern that warrants further investigation.

Associations page showing servers sharing the same SSH key
Figure 3: Associations page showing servers sharing the same SSH key (Hunt).

Case Example: 158.247.200[.]45:80 &:443 - chrome.exe

Hosted in South Korea and part of The Constant Company, LLC network, 158.247.200[.]45 reveals signs that the actor may still be in a testing phase. This assumption is primarily based on file names in the directory, such as test.exe and test2.bat, which suggest ongoing experimentation.

Screenshot of files on 158.247.200[.]45
Figure 4: Screenshot of files on 158.247.200[.]45 (Hunt).

The directory also contains chrome.exe and chrome.bat, which are likely intended to mimic the Google Chrome browser. Further analysis of chrome.exe in VirusTotal shows that the file has also been uploaded as svchost.exe, another well-known Windows process often used to blend in.

Snippet of VirusTotal Details showing the different filenames for the XWorm sample
Figure 5: Snippet of VirusTotal Details showing the different filenames for the XWorm sample (VirusTotal).

Many files discovered through AttackCapture™ can be inspected directly without downloading. For example, chrome.bat, shown in Figure 6, appears designed to disable Windows Defender-likely in preparation for executing chrome.exe. Notably, the script contains comments in the Korean language, offering further evidence of the possible origin of the threat actor.

Contents of chrome.bat, including Korean language comments.
Figure 6: Contents of chrome.bat, including Korean language comments.

Case Example: 216.173.64[.]63:4646 - pdf.bat

While AttackCapture™ includes over 300 XWorm samples available for download, we've chosen to focus on a select few that provide unique insights into attacker behavior. Users are encouraged to explore the entire collection in Hunt for a deeper dive.

Notable filenames among the samples include uidiscord.exe, JavaX-Helper.exe, and Updater.exe, each reflecting a common theme of disguising malicious payloads as trusted software.

The final server of interest, 216.173.64[.]63, is hosted by Evoxt Enterprise in the United States. This IP recently drew the attention of researcher Karol Paciorek, who reported its involvement in a scam promoting fake gift cards. Upon closer inspection, these gift cards were merely shortcuts that downloaded a batch script concealing XWorm. 

The malware then leveraged the compromised system to exfiltrate data directly to a Telegram account.

Snippet of the pdf.bat file from the XWorm associated open directory
Figure 7: Snippet of the pdf.bat file from the XWorm associated open directory (Hunt).

Conclusion

While this post focused on XWorm, examining open directories provides broader insights into how attackers stage and distribute malware. These directories, often unintentionally exposed, reveal the tactics used to disguise malicious files as legitimate software to deceive users. Understanding these tactics helps defenders to better detect, mitigate, and respond to such threats.

Defense Recommendations:

  • Monitor for External Open Directories: Use internet intelligence tools to monitor for open directories that might host malicious files targeting your organization or its supply chain.
  • File Reputation and Whitelisting: Employ reputation services like VirusTotal and implement application allowlisting to prevent unverified or suspicious executables from running.
  • Strengthen Endpoint Defense: Ensure Endpoint Detection and Response (EDR) solutions are in place and tuned to detect typical behaviors of malicious scripts, such as disabling security features or using misleading filenames.

Network Observables

IP AddressHosting CountryASNXWorm FilenameNotes
158.247.200[.]45:443KRThe Constant Company, LLCchrome.exeLikely meant to dupe users looking to download the Google Chrome browser.
216.173.64[.]63:4646CNEvoxt EnterpriseUSPart of a previous phishing campaign delivering gift cards which in reality were XWorm. 
103.230.121[.]82THBangmod Enterprise Co., Ltd.SecurityHealthService.exeSpoofs the legit Windows process responsible for handling notifications about the security health of a system.
TABLE OF CONTENTS

Open directories, often left exposed due to poor operational security, have become a valuable source of intelligence on threat actor behavior. Recently, XWorm, a well-reported remote access trojan (RAT), has been identified in these directories-disguised as common software like web browsers, security tools, and file transfer apps, aiming to trick unsuspecting users.

In this blog post, we will:

  • Examine Open Directories as Intelligence Sources: Analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior.
  • Uncover Malware Disguises and Tactics: Detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.

Finding XWorm in the Wild With Hunt

AttackCapture™ in Hunt offers a comprehensive list of open directories, paired with a versatile tagging system that simplifies determining whether a server is malicious. Users can filter across 50+ tags, spanning malware families like XWorm, MITRE ATT&CK techniques, and even legitimate tools abused by threat actors. These tags are derived from dynamic analysis performed using Hatching Triage, providing high-confidence categorization based on observed behaviors and attributes of the files.

In this post, we'll utilize the XWorm tag to identify new and historical RAT instances hosted in open directories. This approach helps paint a clearer picture of the distribution strategies used over time, providing valuable insight into attacker behavior.

"XWorm" tag search results in AttackCapture™
Figure 1: "XWorm" tag search results in AttackCapture™ (Hunt).

These search results serve as a starting point for further analysis. Each entry can yield meaningful intelligence-identifying recurring infrastructure, correlating shared file names, or tracking shifts in adversary tactics.

Next, we'll examine specific examples of how XWorm is delivered through open directories. These recent findings provide a snapshot of attacker tactics, showing how XWorm is disguised as popular software to deceive users seeking legitimate downloads.

Exposing XWorm's Disguises

Case Example: 103.230.121[.]82 - SecurityHealthService.exe

Our first server, 103.230.121[.]82, hosted in Thailand on the Bangmod Enterprise Co., Ltd. network, contained only a single file: SecurityHealthService.exe.

Directory contents of 103.230.121[.]82
Figure 2: Directory contents of 103.230.121[.]82 (Hunt).

Named after a legitimate Windows component used to manage system health settings, such as antivirus and firewall status, the file was likely intended to blend in with typical operating system software and avoid suspicion.

Reviewing the IP address overview revealed that this server shared SSH keys (Fingerprint: 4b135301d2bcef2a32ae5f3e035b7df1e76d4b288f7cda69784d95ee860e3ad7) with over 100 other servers, many of which were on the same ASN. While this does not necessarily indicate that all these IPs are malicious, it represents an interesting pattern that warrants further investigation.

Associations page showing servers sharing the same SSH key
Figure 3: Associations page showing servers sharing the same SSH key (Hunt).

Case Example: 158.247.200[.]45:80 &:443 - chrome.exe

Hosted in South Korea and part of The Constant Company, LLC network, 158.247.200[.]45 reveals signs that the actor may still be in a testing phase. This assumption is primarily based on file names in the directory, such as test.exe and test2.bat, which suggest ongoing experimentation.

Screenshot of files on 158.247.200[.]45
Figure 4: Screenshot of files on 158.247.200[.]45 (Hunt).

The directory also contains chrome.exe and chrome.bat, which are likely intended to mimic the Google Chrome browser. Further analysis of chrome.exe in VirusTotal shows that the file has also been uploaded as svchost.exe, another well-known Windows process often used to blend in.

Snippet of VirusTotal Details showing the different filenames for the XWorm sample
Figure 5: Snippet of VirusTotal Details showing the different filenames for the XWorm sample (VirusTotal).

Many files discovered through AttackCapture™ can be inspected directly without downloading. For example, chrome.bat, shown in Figure 6, appears designed to disable Windows Defender-likely in preparation for executing chrome.exe. Notably, the script contains comments in the Korean language, offering further evidence of the possible origin of the threat actor.

Contents of chrome.bat, including Korean language comments.
Figure 6: Contents of chrome.bat, including Korean language comments.

Case Example: 216.173.64[.]63:4646 - pdf.bat

While AttackCapture™ includes over 300 XWorm samples available for download, we've chosen to focus on a select few that provide unique insights into attacker behavior. Users are encouraged to explore the entire collection in Hunt for a deeper dive.

Notable filenames among the samples include uidiscord.exe, JavaX-Helper.exe, and Updater.exe, each reflecting a common theme of disguising malicious payloads as trusted software.

The final server of interest, 216.173.64[.]63, is hosted by Evoxt Enterprise in the United States. This IP recently drew the attention of researcher Karol Paciorek, who reported its involvement in a scam promoting fake gift cards. Upon closer inspection, these gift cards were merely shortcuts that downloaded a batch script concealing XWorm. 

The malware then leveraged the compromised system to exfiltrate data directly to a Telegram account.

Snippet of the pdf.bat file from the XWorm associated open directory
Figure 7: Snippet of the pdf.bat file from the XWorm associated open directory (Hunt).

Conclusion

While this post focused on XWorm, examining open directories provides broader insights into how attackers stage and distribute malware. These directories, often unintentionally exposed, reveal the tactics used to disguise malicious files as legitimate software to deceive users. Understanding these tactics helps defenders to better detect, mitigate, and respond to such threats.

Defense Recommendations:

  • Monitor for External Open Directories: Use internet intelligence tools to monitor for open directories that might host malicious files targeting your organization or its supply chain.
  • File Reputation and Whitelisting: Employ reputation services like VirusTotal and implement application allowlisting to prevent unverified or suspicious executables from running.
  • Strengthen Endpoint Defense: Ensure Endpoint Detection and Response (EDR) solutions are in place and tuned to detect typical behaviors of malicious scripts, such as disabling security features or using misleading filenames.

Network Observables

IP AddressHosting CountryASNXWorm FilenameNotes
158.247.200[.]45:443KRThe Constant Company, LLCchrome.exeLikely meant to dupe users looking to download the Google Chrome browser.
216.173.64[.]63:4646CNEvoxt EnterpriseUSPart of a previous phishing campaign delivering gift cards which in reality were XWorm. 
103.230.121[.]82THBangmod Enterprise Co., Ltd.SecurityHealthService.exeSpoofs the legit Windows process responsible for handling notifications about the security health of a system.

Related Posts:

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Oct 15, 2024

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Oct 15, 2024

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.

Open Directories Expose Publicly Available Tools Targeting Asian Organizations
Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Open Directories Expose Publicly Available Tools Targeting Asian Organizations
Jun 18, 2024

The Hunt Research Team recently identified an exposed web server used to target the Taiwanese Freeway Bureau and a...

Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
Oct 15, 2024

Read how CodeSearch helps security professionals to identify exploit code, reverse shells, and C2 configs across open directories, enhancing threat detection.

Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Templates
Oct 8, 2024

Explore our in-depth analysis of a cybercriminal’s server, revealing DDoS tools, SpyNote spyware, phishing sites, and ransomware tactics.