BATLoader Assists the Spread of XWorm

Category: Malware Campaign | Industry: Global | Source: Cyble

Unveiling a stealthy infection chain, Cyble Research and Intelligence Labs (CRIL) discovered the distribution of XWorm commodity malware, utilizing a multistage infection tactic entwined with living-off-the-land binaries (LOLBins) to drop the feature-rich malware. This attack chain also incorporates the BATLoader initial access malware to facilitate the installation of the XWorm malware. The attack chain initiates with a spam email containing a shortcut/LNK file that triggers a download command from PowerShell, fetching a remote PowerShell script. This script then downloads a zip file containing the BATLoader batch script. Upon execution, BATLoader copies the PowerShell executable from the System32 directory to the batch file's directory, renaming it with an "scr" extension for evasion.

Following a sequence of PowerShell and wscript executions, the XWorm malware is successfully dropped and installed on the targeted system. Cyble's analysis revealed a vast array of capabilities for XWorm, enabling cybercriminals of different expertise levels to leverage the malware for a wide range of objectives. These capabilities include "stealing sensitive data, executing Distributed Denial of Service (DDoS) attacks, acting as a clipper to alter cryptocurrency addresses, deploying ransomware, and downloading additional malware into the compromised system, etc."