NEW FROM FORCEPOINT X-LABS: XWorm RAT Delivered via Shellcode

This morning, researchers from Forcepoint X-Labs released a new blog post detailing how attackers are using shellcode as an enabling technology for modern remote access trojan campaigns: an old technique applied to a new infection. The example in the post injects the XWorm RAT.

Campaign Highlights:

The campaign is delivered by phishing email, using a fake invoice as a lure. Sequence:

  • The email carries an Office add-in file (.xlam) attachment which, when downloaded and opened, shows a blank or corrupted Office document.
  • This malicious document contains an embedded oleObject1.bin file, which hides embedded shellcode.
  • When executed, the shellcode initiates a connection to retrieve and deploy a secondary payload.
  • The second payload, an executable, was found to be a .NET binary that is reflectively loaded into memory.
  • The second-stage .DLL, run from memory, uses heavily obfuscated packing and encryption techniques.
  • The final step performs process injection into its own main executable, maintaining persistence and exfiltrating data to its Command & Control servers.
  • The C2s to which data was exfiltrated were found to be related to the XWorm family.
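The first link in that chain, an .xlam attachment hiding shellcode in an embedded oleObject1.bin, is something a mail gateway or analyst can check for before anything executes: an .xlam is a ZIP container, and embedded OLE objects live under xl/embeddings/. The following triage helper is an added example written for this summary, not code from Forcepoint or from the post; the function names (triage_xlam, build_sample_xlam), the entropy threshold and the constructed sample files are assumptions, and the sample uses ordinary bytes rather than any real shellcode.

```python
import io
import math
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical triage helper (added example): flags Office Open XML add-ins
# (.xlam, a ZIP container) that carry embedded OLE objects, the location the
# post names for the hidden shellcode (xl/embeddings/oleObject1.bin).

EMBEDDING_PREFIX = "xl/embeddings/"


@dataclass
class TriageResult:
    # (member name, size in bytes, Shannon entropy rounded to 2 places)
    embedded_objects: List[Tuple[str, int, float]] = field(default_factory=list)
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed/encrypted blobs sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_xlam(blob: bytes, entropy_threshold: float = 7.0) -> TriageResult:
    """Inspect an .xlam/.xlsx-style container and report embedded OLE objects."""
    result = TriageResult()
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        # A file with an Office extension that is not a ZIP is itself worth a look.
        result.suspicious = True
        result.reasons.append("not a valid OOXML (ZIP) container")
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        result.suspicious = True
        result.reasons.append("missing [Content_Types].xml")
    for name in names:
        if name.startswith(EMBEDDING_PREFIX) and name.lower().endswith(".bin"):
            data = zf.read(name)
            ent = shannon_entropy(data)
            result.embedded_objects.append((name, len(data), round(ent, 2)))
            # Any embedded OLE object in an add-in is unusual enough to flag for review.
            result.suspicious = True
            result.reasons.append(f"embedded OLE object {name} ({len(data)} bytes, entropy {ent:.2f})")
            if ent >= entropy_threshold:
                result.reasons.append(f"{name}: high entropy, consistent with packed or encrypted content")
    return result


def build_sample_xlam(embed: Optional[bytes]) -> bytes:
    """Construct a minimal benign .xlam-like ZIP for offline testing (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if embed is not None:
            zf.writestr("xl/embeddings/oleObject1.bin", embed)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_xlam(None)
    # A byte run covering all 256 values stands in for an encrypted blob (entropy 8.0).
    flagged = build_sample_xlam(bytes(range(256)) * 8)
    for label, sample in (("clean add-in", clean), ("add-in with embedded object", flagged)):
        r = triage_xlam(sample)
        print(f"{label}: {'SUSPICIOUS' if r.suspicious else 'ok'} {r.reasons}")
```

The entropy check is a heuristic, not a verdict: a legitimately embedded document can also score high, so the output is meant to route the attachment to sandboxing or analyst review rather than block it outright.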

Authored by Prashant Kumar, senior researcher at Forcepoint, the full post, with a detailed and illustrated example, can be found at: https://www.forcepoint.com/blog/x-labs/xworm-rat-shellcode-multi-stage-analysis

Discover more from The IT Nerd