New XWorm V6 Variant with Anti-Analysis Features Targeting Windows Users in Active Attacks
Netskope Threat Labs has uncovered a new iteration of the XWorm malware, version 6.0, which demonstrates ongoing development by threat actors and introduces sophisticated enhancements aimed at evading detection and maintaining persistence on Windows systems.
This variant builds upon previously documented infection chains, incorporating advanced anti-analysis techniques and process protection mechanisms that make it particularly resilient in active attack scenarios.
Tracked for nearly a year, this malware continues to be deployed in memory to avoid disk-based forensics, leveraging evasion methods such as reflective code loading and in-memory modifications.
The emergence of these features signals that XWorm remains a potent tool for cybercriminals, enabling remote access, data exfiltration, and additional malware deployment while complicating defensive efforts.
Infection Chain
The infection process for XWorm 6.0 begins with a VBScript dropper, often distributed through phishing or social engineering tactics, which reconstructs an obfuscated payload at runtime using character code arrays converted via ChrW functions and executed with eval.
This dropper removes its Zone.Identifier Alternate Data Stream to bypass initial scrutiny, then downloads downloads and executes a PowerShell script saved in the temporary folder.
It establishes persistence by copying itself to update.vbs in both TEMP and APPDATA directories, adding these to the registry run key a shift from prior versions that favored scheduled tasks.
The PowerShell script implements an Antimalware Scan Interface (AMSI) bypass by patching CLR.DLL in memory, iterating through process memory regions to locate and nullify the “AmsiScanBuffer” string, effectively disabling AMSI’s ability to scan suspicious content.
Borrowed from public repositories, this technique prevents real-time inspection of in-memory payloads.
Following the bypass, the script downloads the XWorm binary from a GitHub repository using .NET’s HTTP.client, loads it via Assembly.Load, and invokes its entry point, ensuring execution remains entirely in memory.

Enhanced Features
According to the report, XWorm 6.0, compiled as Microsoft.exe, retains core functionalities like hardcoded C2 server connections via TCP sockets, with configurations decrypted from base-64 encoded strings, but introduces critical process marking to thwart termination.
If running with administrator privileges verified against the WindowsBuiltInRole.Administrator group it enables SeDebugPrivilege via EnterDebugMode, flagging itself as a system-critical process.
This forces a system crash upon forced termination, followed by automatic restart through the registry key, significantly enhancing persistence.
Anti-analysis capabilities have been bolstered: the malware self-terminates on Windows XP environments to evade legacy sandboxes, and employs IP-API queries to detect data center or hosting provider IPs, exiting if identified potentially targeting sandboxes like Any.Run.
These join existing reconnaissance features, such as collecting hostname, CPU/GPU details, and antivirus status, sent to C2 with delimiters.
New commands expand its arsenal, including plugin removal for artifact cleanup, DDoS initiation via threaded POST requests, hosts file manipulation for DNS attacks, and screenshot capture using bitmap and MemoryStream for JPEG compression.
Persistence options in the builder allow attackers to choose registry keys, tasks, or startup folders, suggesting varied future variants.
Netskope’s detections, including Gen:Variant.Jalapeno.683 and ByteCode-MSIL.Backdoor.XWorm, provide coverage, with IOCs available for threat hunting.
This evolution underscores XWorm’s adaptability, urging defenders to monitor for in-memory executions and anomalous registry modifications to mitigate its multifaceted threats.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
Source link