
XWorm Malware Returns with Ransomware & 35+ Plugins

Summary

– New XWorm backdoor versions (6.0, 6.4, and 6.5) are spreading via phishing campaigns after the original developer abandoned the project last year.
– The malware supports over 35 plugins enabling data theft, remote control, ransomware attacks, and other malicious activities on infected systems.
– XWorm’s infection methods have evolved to include AI-themed lures, malicious JavaScript, and disguised executable files beyond traditional email attacks.
– Its ransomware module encrypts user data while avoiding system files and shares code similarities with the NoCry ransomware from 2021.
– Researchers recommend multi-layered defenses including EDR solutions and network monitoring to detect and block XWorm’s modular activities and initial infection vectors.

A significant resurgence of the XWorm malware is underway, with new versions now incorporating ransomware capabilities and an extensive library of over 35 plugins. Following the original developer XCoder’s departure from the project last year, multiple threat actors have adopted and are actively distributing variants 6.0, 6.4, and 6.5 through widespread phishing campaigns. These updated versions patch a critical remote code execution vulnerability present in the final official release, version 5.6, and introduce a modular framework that supports a broad spectrum of malicious activities.

First identified in 2022, XWorm quickly gained notoriety as a highly versatile remote access trojan. Its modular design allows operators to steal sensitive information like passwords, cryptocurrency wallets, and financial data, while also enabling keystroke logging and clipboard monitoring. Beyond data theft, the malware can be repurposed to launch distributed denial-of-service (DDoS) attacks or deploy additional malicious payloads onto compromised systems. After XCoder removed their Telegram channels, which were once the primary source for updates, cybercriminals began circulating cracked copies of the malware. Its popularity was so pronounced that one threat actor even weaponized XWorm itself, using it as bait to infect less-experienced hackers with a data-stealing backdoor, resulting in 18,459 infections primarily across Russia, the United States, India, Ukraine, and Turkey.

The distribution methods for XWorm have diversified considerably. A user named XCoderTools began advertising access to the new variant on a hacker forum, offering a lifetime subscription for $500. While it remains unconfirmed if this is the original author, the advertisement claimed the latest version resolved the RCE flaw and included numerous enhancements. Since June, cybersecurity analysts at Trellix have documented a sharp increase in XWorm samples uploaded to VirusTotal, signaling its rapid adoption within the cybercriminal community. One phishing campaign delivered the malware via a malicious JavaScript file that triggered a PowerShell script, effectively bypassing Antimalware Scan Interface (AMSI) protections. Researchers noted in a September report that the XWorm infection chain now incorporates techniques that go far beyond conventional email attacks. Although emails and .LNK files remain common initial vectors, the malware also masquerades as legitimate executables, such as Discord, to appear harmless. This evolution represents a strategic shift towards blending social engineering with technical attack methods for maximum impact. Additional campaigns have been spotted using AI-themed lures and a manipulated version of the ScreenConnect remote access tool, while another attack involved delivering XWorm through shellcode hidden within a Microsoft Excel file (.XLAM).

A particularly alarming development is the integration of a ransomware module. Trellix researchers confirmed that XWorm now includes more than 35 plugins, dramatically expanding its functionality from information stealing to full-scale ransomware attacks. The Ransomware.dll plugin enables operators to encrypt victim files, change the desktop wallpaper to display ransom instructions, and specify the ransom amount, Bitcoin wallet address, and contact email. The encryption process deliberately avoids system files, concentrating instead on user data located in the %USERPROFILE% and Documents folders. It deletes the original files and appends the .ENC extension to the encrypted data. Victims find an HTML file on their desktop containing decryption instructions, complete with the Bitcoin address, contact email, and the demanded payment. Analysts discovered code similarities between XWorm’s ransomware component and the .NET-based NoCry ransomware, which first appeared in 2021. Both use an identical algorithm to generate the initialization vector and encryption key, employ AES encryption in CBC mode with 4096-byte blocks, and perform the same set of checks to evade analysis environments.
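As an added example (not from the article or from Trellix), the routine below runs a defender-side check over a constructed endpoint file-event log, flagging the file-handling pattern the article attributes to the Ransomware.dll plugin: a burst of new .ENC files under the user profile, each paired with deletion of the original, plus an HTML note dropped on the Desktop. The process names, paths, window and threshold are assumptions chosen for the sample data.

```python
from collections import defaultdict

# Constructed endpoint file-event log (not taken from the article or any real host):
# (timestamp_seconds, process_name, action, path). "plugin_host.exe" is a placeholder.
SAMPLE_EVENTS = [
    (100, "svchost.exe", "write", r"C:\Windows\System32\drivers\etc\hosts"),
    (101, "plugin_host.exe", "create", r"C:\Users\alice\Documents\report.docx.ENC"),
    (101, "plugin_host.exe", "delete", r"C:\Users\alice\Documents\report.docx"),
    (102, "plugin_host.exe", "create", r"C:\Users\alice\Documents\budget.xlsx.ENC"),
    (102, "plugin_host.exe", "delete", r"C:\Users\alice\Documents\budget.xlsx"),
    (103, "plugin_host.exe", "create", r"C:\Users\alice\Pictures\cat.jpg.ENC"),
    (103, "plugin_host.exe", "delete", r"C:\Users\alice\Pictures\cat.jpg"),
    (104, "plugin_host.exe", "create", r"C:\Users\alice\Desktop\README.html"),
    (200, "backup.exe", "create", r"C:\Users\bob\Documents\archive.zip"),
]

ENC_EXT = ".enc"           # extension the article says the module appends
USER_ROOT = "\\users\\"    # the module targets %USERPROFILE%, so we watch user data only
WINDOW_SECONDS = 60        # assumed burst window
MIN_ENCRYPTED = 3          # assumed minimum paired .ENC-create/original-delete events


def detect_enc_bursts(events, window=WINDOW_SECONDS, threshold=MIN_ENCRYPTED):
    """Return {process: alert} for processes that, within `window` seconds, created at
    least `threshold` .ENC files under C:\\Users and deleted the matching originals.
    The alert also records any HTML file the same process dropped on a Desktop."""
    per_proc = defaultdict(lambda: {"enc": [], "deleted": set(), "note": None})
    for ts, proc, action, path in events:
        low = path.lower()
        if USER_ROOT not in low:
            continue  # system paths are ignored, matching the module's own targeting
        state = per_proc[proc]
        if action == "create" and low.endswith(ENC_EXT):
            state["enc"].append((ts, low[: -len(ENC_EXT)]))  # remember original path
        elif action == "delete":
            state["deleted"].add(low)
        elif action == "create" and "\\desktop\\" in low and low.endswith(".html"):
            state["note"] = path
    alerts = {}
    for proc, state in per_proc.items():
        enc = sorted(state["enc"])
        for i in range(len(enc)):
            j = i
            while j + 1 < len(enc) and enc[j + 1][0] - enc[i][0] <= window:
                j += 1  # extend the burst while events stay inside the window
            burst = enc[i : j + 1]
            paired = sum(1 for _, orig in burst if orig in state["deleted"])
            if len(burst) >= threshold and paired >= threshold:
                alerts[proc] = {"encrypted": len(burst), "originals_deleted": paired,
                                "ransom_note": state["note"]}
                break
    return alerts
```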

Beyond the ransomware plugin, Trellix has examined 14 other modules that significantly enhance XWorm’s capabilities. The RemoteDesktop.dll establishes a remote session for direct interaction with the victim’s machine, while a suite of modules including WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll are dedicated to harvesting victim data. The FileManager.dll grants the operator extensive filesystem access and manipulation powers, and Shell.dll executes system commands within a hidden command prompt process. Informations.dll collects detailed system data from the infected computer, and Webcam.dll can record the victim, often used by the attacker to verify that the machine is a genuine target. Additional plugins like TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll relay lists of active TCP connections, open windows, and startup programs back to the command-and-control server. The data theft modules alone empower an XWorm operator to extract login credentials from more than 35 different applications, spanning web browsers, email and messaging clients, FTP software, and cryptocurrency wallets.

Given that each plugin serves a distinct malicious purpose, Trellix advises organizations to implement a multi-layered defense strategy capable of detecting and responding to post-compromise activities. Endpoint detection and response (EDR) solutions are critical for identifying the behavioral patterns of XWorm’s various modules. Proactive security measures at the email and web gateway levels can help block the initial malware droppers used in attacks. Furthermore, robust network monitoring can detect and alert on communications with the command-and-control server, whether for downloading additional plugins or for exfiltrating stolen data.

(Source: Bleeping Computer)
