New XWorm V6 Variant With Anti-Analysis Capabilities Attacking Windows Users in the Wild
A sophisticated new variant of the XWorm malware has emerged in the wild, introducing advanced anti-analysis capabilities and enhanced evasion techniques that pose significant threats to Windows users worldwide.
The latest iteration, designated XWorm V6.0, represents a substantial evolution from previous versions, incorporating multiple layers of protection against security analysis and detection systems.
The malware initiates its attack through a carefully crafted VBScript file, typically delivered via social engineering campaigns targeting unsuspecting users.
This initial dropper employs sophisticated obfuscation techniques, embedding and reconstructing malicious payloads at runtime through character code arrays that are processed in reverse order using VBScript’s ChrW function.
The reconstructed script systematically removes security identifiers, downloads additional payloads, and establishes multiple persistence mechanisms across the infected system.
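The reversed char-code array pattern described above is a common VBScript obfuscation layer, and an analyst normally wants to flatten it statically rather than run the dropper. The following is an added example, not code from the article or from Netskope: a small Python deobfuscator that finds numeric `Array(...)` literals fed into `ChrW`, checks whether the loop walks them from `UBound` down to 0, and rebuilds the string the script would assemble. The embedded VBScript is constructed for the demonstration and decodes to a harmless `MsgBox` line; the real dropper's contents are not reproduced.

```python
import re

# Constructed sample mimicking the reversed ChrW array pattern (not the real dropper).
# The decoded payload is a harmless MsgBox call.
SAMPLE_VBS = r'''
Dim codes, i, s
codes = Array(34,111,108,108,101,104,34,32,120,111,66,103,115,77)
s = ""
For i = UBound(codes) To 0 Step -1
    s = s & ChrW(codes(i))
Next
Execute s
'''

# name = Array(n, n, n, ...) with integer elements only
ARRAY_RE = re.compile(r'(\w+)\s*=\s*Array\(\s*((?:\d+\s*,\s*)*\d+)\s*\)', re.IGNORECASE)
# For i = UBound(name) To 0 Step -1  -> the array is consumed back to front
REVERSE_LOOP_RE = re.compile(
    r'For\s+\w+\s*=\s*UBound\(\s*(\w+)\s*\)\s+To\s+0\s+Step\s*-1', re.IGNORECASE)
# ChrW(name(i)) or Chr(name(i)) -> which arrays are turned into characters
CHRW_RE = re.compile(r'ChrW?\(\s*(\w+)\s*\(', re.IGNORECASE)


def extract_arrays(script):
    """Return {name: [ints]} for every numeric Array(...) literal in the script."""
    return {m.group(1): [int(x) for x in m.group(2).split(',')]
            for m in ARRAY_RE.finditer(script)}


def reversed_arrays(script):
    """Names of arrays iterated from UBound down to 0 with Step -1."""
    return {m.group(1) for m in REVERSE_LOOP_RE.finditer(script)}


def chrw_arrays(script):
    """Names of arrays whose elements are passed through Chr/ChrW."""
    return {m.group(1) for m in CHRW_RE.finditer(script)}


def decode_chrw_payloads(script):
    """Rebuild each string the script assembles via ChrW, honouring loop direction."""
    arrays = extract_arrays(script)
    rev = reversed_arrays(script)
    used = chrw_arrays(script)
    decoded = {}
    for name, codes in arrays.items():
        if name not in used:
            continue  # numeric array not used for character reconstruction
        seq = reversed(codes) if name in rev else codes
        decoded[name] = ''.join(chr(c) for c in seq)
    return decoded


def uses_dynamic_execution(script):
    """True if decoded text is handed to Execute/ExecuteGlobal/Eval (a strong triage signal)."""
    return re.search(r'\b(Execute|ExecuteGlobal|Eval)\b', script, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, text in decode_chrw_payloads(SAMPLE_VBS).items():
        print(f"{name}: {text!r}")
    print("dynamic execution:", uses_dynamic_execution(SAMPLE_VBS))
```

Real droppers often nest several of these layers, so the decoded output is worth feeding back through the same function until no further `Array`/`ChrW` pairs remain.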
Netskope analysts identified this new variant after nearly a year of tracking XWorm’s evolution, noting significant enhancements in both its stealth capabilities and operational sophistication.
The researchers discovered that XWorm V6.0 maintains its memory-only execution model while introducing critical process protection and advanced anti-analysis features designed to frustrate security researchers and automated detection systems.
The malware demonstrates remarkable persistence through a dual-location strategy, copying itself as “update.vbs” to both temporary and application data folders before modifying registry run keys to ensure automatic execution upon system startup.
This approach differs markedly from earlier versions that relied primarily on scheduled tasks, indicating the malware authors’ continuous refinement of their persistence mechanisms.
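The persistence described above (a script dropped under Temp and AppData, launched from a Run key) is cheap to triage from exported registry data. The following is an added example and not code from the article: a Python triage rule that scores each Run-key command on whether it launches a script file, invokes a script host, and points into a user-writable location, and flags entries that combine at least two of those traits. The registry values are constructed sample data, not real telemetry, and the `update.vbs` name is only one of the signals because the filename is trivially changed.

```python
import re

# Constructed sample of Run-key values as an analyst might export them (not real telemetry).
SAMPLE_RUN_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "update": r'wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs"',
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
        "Updater": r'"C:\Users\alice\AppData\Local\Temp\update.vbs"',
    },
}

SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "mshta")
# Directories an unprivileged user can write to and that droppers favour
USER_WRITABLE = re.compile(r'\\(appdata\\(roaming|local)|temp)\\', re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(vbs|vbe|js|jse|ps1|hta|wsf)\b', re.IGNORECASE)


def score_run_value(command):
    """Return the list of suspicious traits observed in one Run-key command line."""
    reasons = []
    lower = command.lower()
    if SCRIPT_EXT.search(command):
        reasons.append("script file launched from Run key")
    if any(host in lower for host in SCRIPT_HOSTS):
        reasons.append("script host interpreter")
    if USER_WRITABLE.search(command):
        reasons.append("path under user-writable AppData/Temp")
    if "update.vbs" in lower:
        reasons.append("filename matches reported XWorm V6 artifact")
    return reasons


def find_suspicious_run_entries(run_values, min_reasons=2):
    """Flag entries with at least min_reasons traits; returns (key, name, command, reasons)."""
    hits = []
    for key, values in run_values.items():
        for name, command in values.items():
            reasons = score_run_value(command)
            if len(reasons) >= min_reasons:
                hits.append((key, name, command, reasons))
    return hits


if __name__ == "__main__":
    for key, name, command, reasons in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"{key}\\{name}: {command}")
        for reason in reasons:
            print(f"    - {reason}")
```

Legitimate per-user software (the OneDrive entry above) lives under AppData too, which is why a single trait is not enough on its own; the combination of a script interpreter or script extension with a user-writable path is what separates the two.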
Advanced AMSI Bypass Through Memory Manipulation
One of XWorm V6.0’s most concerning innovations lies in its sophisticated Antimalware Scan Interface (AMSI) bypass capability, implemented through direct memory manipulation of the Common Language Runtime library.
The malware’s PowerShell component, saved as “wolf-8372-4236-2751-hunter-978-ghost-9314.ps1,” systematically searches through all memory regions of the current process to locate CLR.DLL instances.
The bypass mechanism operates by identifying the “AmsiScanBuffer” string within CLR.DLL memory space and replacing it with null bytes, effectively neutering the system’s ability to submit suspicious content for AMSI inspection.
This technique demonstrates the malware’s sophisticated understanding of Windows security architecture and its ability to operate below traditional detection thresholds.
$signature = [System.Text.Encoding]::UTF8.GetBytes($a + $b + $c + $d)
$pathbuilder = New-Object System.Text.StringBuilder $max_path
if ([Win32.Kernel32]::GetMappedFileName($hprocess, $region.BaseAddress, $pathbuilder, $max_path) -gt 0) {
    $path = $pathbuilder.ToString()
    if ($path.EndsWith("clr.dll", [StringComparison]::InvariantCultureIgnoreCase)) {
        # Memory patching implementation
    }
}
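The snippet above gives a defender three static indicators to hunt for in PowerShell content before it ever runs: a P/Invoke into a process-memory API such as `GetMappedFileName`, a check for the `clr.dll` mapping, and an API name assembled from string fragments (`$a + $b + $c + $d`) so that the literal `AmsiScanBuffer` never appears in the script. The following is an added example, not code from the article or from Netskope: a Python scanner that looks for those three traits in a script and resolves the fragment concatenation to reveal the hidden name. The embedded PowerShell is a constructed sample built from the lines shown on the page plus simple fragment assignments; it contains no patching logic.

```python
import re

# Constructed sample: the fragments the article reproduces plus string assignments
# so the concatenation can be resolved. No memory patching code is included.
SAMPLE_PS1 = r'''
$a = "Amsi"; $b = "Scan"; $c = "Buf"; $d = "fer"
$signature = [System.Text.Encoding]::UTF8.GetBytes($a + $b + $c + $d)
$pathbuilder = New-Object System.Text.StringBuilder $max_path
if ([Win32.Kernel32]::GetMappedFileName($hprocess, $region.BaseAddress, $pathbuilder, $max_path) -gt 0) {
    $path = $pathbuilder.ToString()
    if ($path.EndsWith("clr.dll", [StringComparison]::InvariantCultureIgnoreCase)) {
        # memory patching implementation (omitted)
    }
}
'''

# Process-memory APIs that a script has little legitimate reason to call
MEMORY_API_RE = re.compile(
    r'\b(GetMappedFileName|VirtualQueryEx|ReadProcessMemory|WriteProcessMemory|VirtualProtectEx)\b')
CLR_RE = re.compile(r'clr\.dll', re.IGNORECASE)
# GetBytes($x + $y + ...) : a byte signature built from variable fragments
CONCAT_RE = re.compile(r'GetBytes\(\s*((?:\$\w+\s*\+\s*)+\$\w+)\s*\)')
# $name = "literal"
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')


def resolve_concat(script, expr):
    """Resolve '$a + $b + ...' using simple string assignments found in the script."""
    assignments = dict(ASSIGN_RE.findall(script))
    parts = [p.strip().lstrip('$') for p in expr.split('+')]
    return ''.join(assignments.get(p, f'<${p}?>') for p in parts)


def scan_powershell(script):
    """Return a list of human-readable findings for AMSI-tampering traits in the script."""
    findings = []
    apis = sorted(set(MEMORY_API_RE.findall(script)))
    if apis:
        findings.append("process-memory API via P/Invoke: " + ", ".join(apis))
    if CLR_RE.search(script):
        findings.append("inspects the clr.dll mapping")
    for m in CONCAT_RE.finditer(script):
        resolved = resolve_concat(script, m.group(1))
        findings.append(f"byte signature assembled from fragments resolves to {resolved!r}")
    return findings


def is_amsi_tampering_candidate(script, min_findings=2):
    """Verdict helper: two or more independent traits together warrant analyst review."""
    return len(scan_powershell(script)) >= min_findings


if __name__ == "__main__":
    for finding in scan_powershell(SAMPLE_PS1):
        print("-", finding)
    print("candidate:", is_amsi_tampering_candidate(SAMPLE_PS1))
```

Because the real script runs from memory, this kind of check belongs in the script-block logging and EDR pipeline (ScriptBlock text, event 4104) rather than only on files on disk; the same heuristics apply to the logged block content.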
The malware further enhances its survivability by marking itself as a critical system process when administrator privileges are available, making termination extremely difficult without causing system instability.
This protection mechanism, combined with its registry-based persistence and memory-only execution, creates a formidable challenge for both automated security tools and manual incident response efforts, highlighting the continued evolution of modern malware threats.