Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Published on Nov 28, 2024
Open directories, often left exposed due to poor operational security, have become a valuable source of intelligence on threat actor behavior. Recently, XWorm, a well-reported remote access trojan (RAT), has been identified in these directories, disguised as common software like web browsers, security tools, and file transfer apps, aiming to trick unsuspecting users.
In this blog post, we will:
- Examine Open Directories as Intelligence Sources: Analyze how threat actors misuse open directories to deliver XWorm, providing valuable insights into their targeting and operational behavior.
- Uncover Malware Disguises and Tactics: Detail how XWorm is disguised as popular software, exposing the deceptive techniques used to trick potential victims.
Finding XWorm in the Wild With Hunt
AttackCapture™ in Hunt offers a comprehensive list of open directories, paired with a versatile tagging system that simplifies determining whether a server is malicious. Users can filter across 50+ tags, spanning malware families like XWorm, MITRE ATT&CK techniques, and even legitimate tools abused by threat actors. These tags are derived from dynamic analysis performed using Hatching Triage, providing high-confidence categorization based on observed behaviors and attributes of the files.
In this post, we'll utilize the XWorm tag to identify new and historical RAT instances hosted in open directories. This approach helps paint a clearer picture of the distribution strategies used over time, providing valuable insight into attacker behavior.
These search results serve as a starting point for further analysis. Each entry can yield meaningful intelligence: identifying recurring infrastructure, correlating shared file names, or tracking shifts in adversary tactics.
Next, we'll examine specific examples of how XWorm is delivered through open directories. These recent findings provide a snapshot of attacker tactics, showing how XWorm is disguised as popular software to deceive users seeking legitimate downloads.
Exposing XWorm's Disguises
Case Example: 103.230.121[.]82 - SecurityHealthService.exe
Our first server, 103.230.121[.]82, hosted in Thailand on the Bangmod Enterprise Co., Ltd. network, contained only a single file: SecurityHealthService.exe.
Named after a legitimate Windows component used to manage system health settings, such as antivirus and firewall status, the file was likely intended to blend in with typical operating system software and avoid suspicion.
Reviewing the IP address overview revealed that this server shared SSH keys (Fingerprint: 4b135301d2bcef2a32ae5f3e035b7df1e76d4b288f7cda69784d95ee860e3ad7) with over 100 other servers, many of which were on the same ASN. While this does not necessarily indicate that all these IPs are malicious, it represents an interesting pattern that warrants further investigation.
Case Example: 158.247.200[.]45:80 & :443 - chrome.exe
Hosted in South Korea and part of The Constant Company, LLC network, 158.247.200[.]45 reveals signs that the actor may still be in a testing phase. This assumption is primarily based on file names in the directory, such as test.exe and test2.bat, which suggest ongoing experimentation.
The directory also contains chrome.exe and chrome.bat, which are likely intended to mimic the Google Chrome browser. Further analysis of chrome.exe in VirusTotal shows that the file has also been uploaded as svchost.exe, another well-known Windows process often used to blend in.
Many files discovered through AttackCapture™ can be inspected directly without downloading. For example, chrome.bat, shown in Figure 6, appears designed to disable Windows Defender, likely in preparation for executing chrome.exe. Notably, the script contains comments in the Korean language, offering further evidence of the possible origin of the threat actor.
Case Example: 216.173.64[.]63:4646 - pdf.bat
While AttackCapture™ includes over 300 XWorm samples available for download, we've chosen to focus on a select few that provide unique insights into attacker behavior. Users are encouraged to explore the entire collection in Hunt for a deeper dive.
Notable filenames among the samples include uidiscord.exe, JavaX-Helper.exe, and Updater.exe, each reflecting a common theme of disguising malicious payloads as trusted software.
The final server of interest, 216.173.64[.]63, is hosted by Evoxt Enterprise in the United States. This IP recently drew the attention of researcher Karol Paciorek, who reported its involvement in a scam promoting fake gift cards. Upon closer inspection, these gift cards were merely shortcuts that downloaded a batch script concealing XWorm.
The malware then leveraged the compromised system to exfiltrate data directly to a Telegram account.
Conclusion
While this post focused on XWorm, examining open directories provides broader insights into how attackers stage and distribute malware. These directories, often unintentionally exposed, reveal the tactics used to disguise malicious files as legitimate software to deceive users. Understanding these tactics helps defenders better detect, mitigate, and respond to such threats.
Defense Recommendations:
- Monitor for External Open Directories: Use internet intelligence tools to monitor for open directories that might host malicious files targeting your organization or its supply chain.
- File Reputation and Allowlisting: Employ reputation services like VirusTotal and implement application allowlisting to prevent unverified or suspicious executables from running.
- Strengthen Endpoint Defense: Ensure Endpoint Detection and Response (EDR) solutions are in place and tuned to detect typical behaviors of malicious scripts, such as disabling security features or using misleading filenames.
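As an added example (not code from Hunt's post or product), a small Python triage routine for the "misleading filenames" part of the recommendations above: it flags process images whose names match the binaries this post shows being impersonated (SecurityHealthService.exe, svchost.exe, chrome.exe) but which run from outside their standard install directories. The expected-path table and the sample process-creation events are assumptions constructed for this example.

```python
import ntpath
from collections import namedtuple

# Standard install locations for binaries the post shows being impersonated.
# This mapping is an assumption of the example, not data from the post;
# extend it with the names your own EDR telemetry shows being abused.
EXPECTED_DIRS = {
    "securityhealthservice.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}

Finding = namedtuple("Finding", "host path reason")


def check_masquerade(host, image_path):
    """Return a Finding when image_path borrows a trusted name but lives
    outside that binary's expected directory; None if nothing is wrong."""
    norm = image_path.replace("/", "\\").lower()
    directory, name = ntpath.split(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None or directory in expected:
        return None
    return Finding(host, image_path,
                   f"{name} expected under {sorted(expected)}, found in {directory}")


def triage(events):
    """events: iterable of (host, image_path) pairs, e.g. from
    process-creation logs. Returns the list of masquerade findings."""
    return [f for f in (check_masquerade(h, p) for h, p in events) if f]


# Constructed sample events (hypothetical telemetry, not real data).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\SecurityHealthService.exe"),       # legit
    ("ws01", r"C:\Users\alice\Downloads\SecurityHealthService.exe"),  # flag
    ("ws02", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),  # legit
    ("ws02", r"C:\Users\bob\AppData\Local\Temp\chrome.exe"),          # flag
    ("ws03", r"C:\Windows\Temp\svchost.exe"),                         # flag
    ("ws03", r"C:\Users\carol\Downloads\notes.txt"),                  # ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.host}] {finding.path}: {finding.reason}")
```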
Network Observables
| IP Address | Hosting Country | ASN (Organization) | XWorm Filename | Notes |
|---|---|---|---|---|
| 158.247.200[.]45:443 | KR | The Constant Company, LLC | chrome.exe | Likely meant to dupe users looking to download the Google Chrome browser. |
| 216.173.64[.]63:4646 | US | Evoxt Enterprise | pdf.bat | Part of a previous phishing campaign delivering gift cards which in reality were XWorm. |
| 103.230.121[.]82 | TH | Bangmod Enterprise Co., Ltd. | SecurityHealthService.exe | Spoofs the legitimate Windows process responsible for handling notifications about the security health of a system. |
Hunt Intelligence, Inc.