XWorm and mediafire

[secondo]

News from ilsoftware.it, a well-known site in Italy

Code:

https://www.ilsoftware.it/malware-xworm-nuova-variante-preoccupa-gli-esperti-di-cybersecurity/

[Jazz67]

English translation, for anyone without that capacity -


Malware XWorm: new variant worries cybersecurity experts

The new variant .XWorm's NET represents a great challenge for cybersecurity experts: that's what has been discovered.

XWorm is a malware discovered for the first time in 2022 that, although relatively recent, it is evolving at a worrying rate.

The team of analysts of ANY.RUN, in fact, he came across the most recent version of this malicious agent, with the opportunity to examine it and evaluate the news related to the new variant.

A quick look at the results of the analysis revealed that the malware had initially been distributed through MediaFire, a well-known file hosting service. The malevolent agent was included in a RAR archive password protected. Thanks to an in-depth research, it was then possible to outline the main behaviors of XWorm.

In an environment sandbox, the malicious agent has demonstrated how it works by adding to the list of apps automatically started with the computer being turned on, obtaining high privileges and trying to connect to a remote server.

However, after these procedures, XWorm has taken on a very advanced and alarming behavior, which has left cybersecurity experts speechless.

XWorm: moves and counter-moves in the challenge between cybercriminals and security experts

Malware, in fact, felt it was in a virtual sandbox environment and it closed. This advanced circumvention technique allows cybercriminals to take time, making reading their malware campaign much more difficult.

At this point, however, there was a skillful person counter-move of experts.

To overcome this problem, in fact, the team has enabled the residential proxy in the sandbox settings. This functionality replaces the ’IP address the virtual machine data center with that of a ISP real, making malware believe it is running on a real user's machine.

From this point on, experts have collected important data to counter XWorm. According to what was studied on the sample, this turned out to be a variant .NET malware, with a binary file subject to obfuscation techniques that have severely limited the work of technicians.

A victory, therefore, halfway for the cybersecurity team. All this shows how insidious malware of this type is and how important it is for ordinary users to prevent contagion.

[whatsup]

Here is another source about this issue: https://thehackernews.com/2023/09/in...m-variant.html

If I'm not mistaken, the worm was spread via a specific RAR archive hosted on Mediafire, protected by a password. This means that not every RAR archive on Mediafire could be compromised.