{"id":5100,"date":"2025-09-29T11:21:48","date_gmt":"2025-09-29T11:21:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5100"},"modified":"2025-09-29T11:21:48","modified_gmt":"2025-09-29T11:21:48","slug":"xworm-campaign-shows-a-shift-toward-fileless-malware-and-in-memory-evasion-tactics","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5100","title":{"rendered":"XWorm campaign shows a shift toward fileless malware and in-memory evasion tactics"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a newly disclosed multi-stage threat campaign, attackers were seen skipping disk and leaning on in-memory tricks to deliver the <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html?utm=hybrid_search#:~:text=malicious%20HTML%20documents.-,The%20XWorm%20attack,-%2C%20initiated%20by%20HTML\" target=\"_blank\" rel=\"noopener\">XWorm<\/a> remote access trojan (RAT).<\/p>\n<p>According to Forcepoint Labs\u2019 findings, the campaign uses an encrypted shellcode that executes a .NET dropper and reflectively loads multiple in-memory DLLs. The initial lure was an Office .xlam attachment that embeds a native object linking and embedding (OLE) stream, unpacking the malicious code.<\/p>\n<p>\u201cThe campaign is delivered by phishing email, using a fake invoice as a lure,\u201d Forcepoint security researcher Prashant Kumar said in a blog post. 
\u201cThe malicious document (.xlam attachment) has an embedded \u2018oleObject1.bin\u2019 file, which hides embedded shellcode.\u201d<\/p>\n<p>Built to hide, move, and persist on the target, the XWorm RAT was deployed by abusing legitimate Windows APIs to fetch and execute a downloader, along with layered anti-analysis techniques, including API hashing, \u201cunhooked\u201d calls, heavy obfuscation, and encryption.<\/p>\n<h2 class=\"wp-block-heading\">Multi-stage attack hides RAT within spreadsheets<\/h2>\n<p>The \u201cOLE10Native\u201d stream, extracted from the .xlam archive in the infection email, conceals an encrypted shellcode blob. Forcepoint analysts used <a href=\"https:\/\/isc.sans.edu\/diary\/XORsearch+Searching+With+Regexes\/31834\" target=\"_blank\" rel=\"noopener\">XORSearch<\/a> and scdbg to find the shellcode\u2019s execution offset and emulate it, revealing API calls that downloaded a .NET executable to the victim\u2019s Application Data folder.<\/p>\n<p>\u201cWhile analysing the .NET compiled binaries, it is good to focus on the classes\/methods that use \u2018Drawing,\u2019\u201d Kumar <a href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/xworm-rat-shellcode-multi-stage-analysis\" target=\"_blank\" rel=\"noopener\">pointed out<\/a>. \u201cThe reason for this is that a lot of .NET malware will load a bitmap or object from its resource section and reflectively load the next stage into memory.\u201d<\/p>\n<p>That .NET executable then unpacks a byte array and uses a steganography image resource to load a second-stage DLL into memory, which in turn reflectively injects a third-stage module\u2013the XWorm RAT itself. 
Each stage is loaded or executed in memory, minimizing on-disk artifacts and complicating detection efforts.<\/p>\n<p>The XWorm findings fit into a <a href=\"https:\/\/www.csoonline.com\/article\/643356\/fileless-attacks-surge-as-cybercriminals-evade-cloud-security-defenses.html\">broader shift<\/a> in cyberattack strategies, where threat actors are increasingly favoring fileless delivery methods to bypass traditional detection. Recently, a campaign was reported using PowerShell-based loaders to <a href=\"https:\/\/www.csoonline.com\/article\/3986671\/stealth-rat-uses-a-powershell-loader-for-fileless-attacks.html\" target=\"_blank\" rel=\"noopener\">deploy Remcos RAT<\/a> entirely in memory.<\/p>\n<h2 class=\"wp-block-heading\">Dodging sandboxes and scanners<\/h2>\n<p>The attackers relied on well-known evasion techniques throughout the chain, including API hashing to hide intent, API calls that bypass user-mode hooks installed by security software, and multiple encryption layers inside .NET DLLs.<\/p>\n<p>\u201cThe DLL file uses several encryption techniques for analysis to be difficult, such as RSACryptor, Virtualization, Fake.cctor, and many more,\u201d Kumar noted.<\/p>\n<p>Forcepoint analysis revealed that malware samples made API calls like \u201cUrlDownloadToFile\u201d and \u201cLoadLibraryW\u201d to execute code directly from memory in an attempt to beat conventional scanners. Additionally, the analysis flagged use of resource-embedded steganographic payloads, a common .NET trick to smuggle bytes into a benign-looking binary.<\/p>\n<p>Recommended controls for protecting against XWorm-like campaigns include monitoring for unusual Office attachment types (especially .xlam with OLE native streams), inspecting processes that invoke UrlMon\/UrlDownloadToFile followed by in-memory loads, and deploying runtime memory-scanning and EDR rules that detect reflective DLL injection and \u201cunhooked\u201d invocation patterns. 
The blog included a list of indicators of compromise (IoCs) to build detections from. Earlier this month, researchers reported fileless malware picking up an open-source upgrade in the form of <a href=\"https:\/\/www.csoonline.com\/article\/4056389\/stealthy-asyncrat-flees-the-disk-for-a-fileless-infection.html\">AsyncRAT<\/a> that ran PowerShell commands to fetch and assemble .NET payloads in memory.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a newly disclosed multi-stage threat campaign, attackers were seen skipping disk and leaning on in-memory tricks to deliver the XWorm remote access trojan (RAT). According to Forcepoint Labs\u2019 findings, the campaign uses an encrypted shellcode that executes a .NET dropper and reflectively loads multiple in-memory DLLs. The initial lure was an Office .xlam attachment [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5101,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5100","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5100"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5100"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5100\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5101"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2
Fv2%2Fmedia&parent=5100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}