Beware of Weaponized MSI Installer Masquerading as WhatsApp to Deliver XWorm RAT
A newly identified cyber threat linked to a China-based threat actor has emerged, targeting users across East and Southeast Asia with a trojanized MSI installer disguised as a legitimate WhatsApp setup file.
This deceptive campaign delivers a customized version of the XWorm Remote Access Trojan (RAT), a malicious tool designed to infiltrate systems, steal sensitive data, and maintain persistent access for attackers.
Sophisticated Attack Targets East and Southeast Asia
The attack chain employs a complex multi-stage process involving encrypted shellcode hidden in image files, PowerShell scripts for persistence, and shellcode loaders, showcasing a high level of sophistication in evading traditional security measures.
What makes this variant of XWorm particularly dangerous is its enhanced functionality, including the ability to detect Telegram installations on compromised devices and report back to attackers via Telegram-based communication channels, providing a stealthy mechanism for exfiltrating data and receiving further instructions.
The infection begins with the distribution of a malicious MSI installer that mimics the appearance of WhatsApp’s official setup file, tricking unsuspecting users into executing it.
Technical Breakdown of the Attack
Once launched, the installer deploys encrypted shellcode embedded within seemingly innocuous image files, a technique that helps bypass initial detection by antivirus software.
Following this, PowerShell scripts are leveraged to establish persistence on the infected system, often by creating scheduled tasks that ensure the malware remains active even after reboots.
The final payload is a modified XWorm RAT, tailored with additional capabilities to perform reconnaissance of the victim’s environment, specifically identifying Telegram installations for potential exploitation.
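Because the persistence step relies on scheduled tasks that launch PowerShell, a practical place to hunt is the task definitions themselves. The following added helper (written for this article, not code from the campaign, Symantec or any product) parses exported Task Scheduler XML and flags PowerShell actions that use encoded commands, hidden windows, execution-policy bypass, image-file arguments or scripts in user-writable paths. The task names, paths and the encoded blob are constructed sample data.

```python
# Added hunting helper for the persistence step described above: parse exported
# Task Scheduler XML and flag tasks whose action runs PowerShell with encoded or
# hidden flags, policy bypass, image-file arguments, or user-writable script paths.
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_xml(command, arguments):
    """Build a minimal Task Scheduler definition (constructed sample data)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

# Constructed samples; the encoded blob is a placeholder, not a real payload.
SAMPLE_TASKS = {
    "Updater": task_xml("powershell.exe",
                        "-NoP -W Hidden -EncodedCommand QUFBQUFB"),
    "Loader": task_xml(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       r"-ep bypass -File C:\Users\alice\AppData\Roaming\run.ps1 "
                       r"C:\Users\alice\AppData\Roaming\wa.png"),
    "Backup": task_xml(r"C:\Program Files\Backup\backup.exe", "--nightly"),
}

# (pattern, reason) pairs checked against the Arguments element.
SUSPICIOUS_ARGS = [
    (r"-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"\.(?:png|jpe?g|bmp|gif)\b", "image file passed to script"),
    (r"\\(?:appdata|temp|programdata|public)\\", "user-writable path"),
]

def analyze_task(xml_text):
    """Return the reasons a task looks like PowerShell-based persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").lower()
        args = ex.findtext("t:Arguments", default="", namespaces=NS) or ""
        if "powershell" not in cmd and "pwsh" not in cmd:
            continue  # only PowerShell actions are in scope here
        reasons += [why for pat, why in SUSPICIOUS_ARGS
                    if re.search(pat, args, re.IGNORECASE)]
    return reasons

def triage(tasks=SAMPLE_TASKS):
    """Map task name -> list of reasons; an empty list means nothing flagged."""
    return {name: analyze_task(xml) for name, xml in tasks.items()}
```

On a live host, feed the output of `schtasks /query /xml` (or the XML files under `C:\Windows\System32\Tasks`) to `analyze_task` and review every task that returns a non-empty list.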
This customization underscores the targeted nature of the campaign, likely aiming at users who rely on secure messaging platforms for personal or business communications.
Symantec has identified and cataloged this threat under multiple detection signatures, including adaptive-based indicators like ACM.Ps-Rd32!g1 and ACM.Untrst-RunSys!g1, file-based detections such as Trojan.Gen.MBT and Scr.Malcode!gdn14, and machine learning-based heuristics like Heur.AdvML.A!300 and Heur.AdvML.B!200.
Network and web-based protections are also in place, with Symantec flagging bad reputation domains and application activity through WebPulse-enabled products.
Meanwhile, VMware Carbon Black products provide comprehensive coverage by blocking known, suspect, and potentially unwanted programs (PUPs) from executing, alongside delayed execution for cloud scans to maximize threat identification via reputation services.
These layered defenses are critical in mitigating the risks posed by such advanced threats.
Organizations and individuals in the targeted regions are urged to remain vigilant, avoid downloading software from unverified sources, and ensure their security solutions are updated with the latest threat intelligence to counter this insidious campaign.
By understanding the technical intricacies of this attack, from the weaponized installer to the persistence mechanisms and Telegram integration, users can better appreciate the importance of robust cybersecurity practices in safeguarding their digital environments against evolving threats like XWorm RAT.