The campaign uncovered by researcher Moises Cerqueira begins with a file disguised as a Bradesco bank receipt (“Comprovante-Bradesco…”), using a double-extension trick (.pdf.js) to appear as a legitimate PDF document to unsuspecting users.
In reality, the file is a Windows Script Host (WSH) dropper inflated to approximately 1.2 MB with junk data, a deliberate tactic to evade static analysis scanners that skip oversized files and to slip past initial gateway controls.
The JavaScript payload inside is rendered unreadable through Unicode “junk injection,” embedding malicious logic within massive string variables packed with emojis, homoglyphs, and non-ASCII characters.
A delimiter-based reconstruction method using a simple .replace() function strips away the noise at runtime to rebuild the PowerShell command responsible for fetching the next stage.
Instead of the noisier WScript.Shell.Run, the dropper leverages WMI (Win32_Process) to spawn PowerShell in a hidden window with ShowWindow = 0, minimizing visibility and incorporating a hardcoded Sleep(5000) delay to bypass sandbox heuristics.
Steganography and Cloudinary Abuse in Stage 2
The decoded PowerShell command reaches out to a hardcoded Cloudinary URL — a trusted image hosting service — to download what appears on the network perimeter as an ordinary JPEG file (optimized_MSI_lpsd9p.jpg).
The URL is constructed at runtime using a .Replace('#','h') function to evade static string detection, making the traffic blend with legitimate image downloads.
The downloaded image carries a hidden .NET assembly between embedded BaseStart- and -BaseEnd markers. The PowerShell script extracts this Base64-encoded blob and loads it directly into memory using [Reflection.Assembly]::Load(), ensuring Stage 3 never touches the hard drive, a fileless execution technique that bypasses traditional antivirus scans.
Before invoking the assembly, the loader decodes a reversed Base64 argument string that reveals the final XWorm payload URL: voulerlivros[.]com[.]br/arquivo_20260116064120.txt
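As an added illustration (not code from the article or the researcher), the following Python triage helper carves the marker-delimited Base64 blob out of a captured Stage 2 image and undoes the reversed-Base64 argument string; the JPEG-like bytes, the fake PE stub and the example.invalid URL are constructed placeholders.

```python
import base64
import re

# Markers the article describes around the Base64 assembly inside the JPEG.
START, END = b"BaseStart-", b"-BaseEnd"
MARKER_RE = re.compile(re.escape(START) + rb"([A-Za-z0-9+/=\r\n]+)" + re.escape(END))

def extract_embedded_assembly(image_bytes):
    """Return the decoded blob between the markers, or None if absent."""
    m = MARKER_RE.search(image_bytes)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1))
    except ValueError:  # binascii.Error on bad padding is a ValueError
        return None

def looks_like_pe(blob):
    """A .NET assembly is a PE file, so it starts with the 'MZ' DOS stub."""
    return blob is not None and blob[:2] == b"MZ"

def decode_reversed_b64(arg):
    """The loader's argument is Base64 written backwards; undo both steps."""
    return base64.b64decode(arg[::-1]).decode("utf-8", errors="replace")

def triage(image_bytes, reversed_arg):
    """Summarise what a captured Stage 2 image and its argument string carry."""
    blob = extract_embedded_assembly(image_bytes)
    return {
        "stego_blob_found": blob is not None,
        "looks_like_pe": looks_like_pe(blob),
        "blob_size": len(blob) if blob else 0,
        "next_stage_url": decode_reversed_b64(reversed_arg),
    }

# Constructed sample (not a real capture): a minimal JPEG-like wrapper around a
# fake PE stub, plus a reversed-Base64 argument pointing at a placeholder URL.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 24
                + START + base64.b64encode(FAKE_PE) + END + b"\xff\xd9")
SAMPLE_ARG = base64.b64encode(b"https://example.invalid/stage3.txt").decode()[::-1]

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE, SAMPLE_ARG))
```

A proxy or sandbox that sees an image response from a CDN can run the same marker check to flag the download before the in-memory load happens.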
Rather than spawning a detectable cmd.exe /c schtasks /create command, the Stage 3 VB.NET DLL interacts directly with the Windows Task Scheduler via COM interfaces (TaskService, TaskDefinition) within the .NET framework.
This approach leaves no command-line artifacts, causing the scheduled task to appear in system logs without a corresponding execution command, effectively blinding defenders who rely on process-spawn monitoring.
Critically, the persistence task does not launch XWorm directly; instead, it re-executes the Stage 2 PowerShell loader on each logon, creating a modular re-infection loop.
XWorm v5.6 Deployment
The final payload, despite carrying a .txt extension, is a reversed Base64-encoded .NET executable identified as XWorm v5.6.
The malware injects itself into CasPol.exe (Code Access Security Policy Tool), a legitimate binary at C:\Windows\Microsoft.NET\Framework\v4.0.30319, abusing this Living off the Land Binary (LOLBIN) to blend in with trusted system processes. In the ANY.RUN sandbox, however, the anomaly is immediately flagged because of the suspicious network activity originating from a trusted utility.
Static analysis via dnSpy reveals the configuration is AES-ECB encrypted with a key derived from the MD5 hash of a hardcoded mutex, a cryptographically weak implementation that allows offline decryption. The decrypted configuration exposes the full C2 infrastructure:
| Indicator | Value |
|---|---|
| C2 Domain | jholycf100[.]ddns[.]com[.]br |
| C2 IP | 152[.]249[.]17[.]145 |
| Port | 7000 |
| Mutex | V2r1vDNFXE1YLWoA |
| Protocol Splitter | <Xwormmm> |
| Payload URL | voulerlivros[.]com[.]br/arquivo_20260116064120.txt |
| Stego Loader URL | res[.]cloudinary[.]com/…/optimized_MSI_lpsd9p.jpg |
| Install Path | C:\Users\Public\Downloads |
| File Hash (SHA-256) | 7befeacf0b3480fb675d0cab7767b5b9697edc9d0e05982025a06ead0054afd5 |
Once XWorm establishes control via CasPol.exe, attackers can harvest browser sessions, steal credentials, log keystrokes, and pivot into email, SaaS, and financial platforms, turning a single employee click into a full identity-driven incident.
The campaign’s low-noise delivery stack inflates Mean Time to Respond (MTTR) because the initial events (image downloads, background PowerShell, no dropped binaries) appear benign while the real impact surfaces later. Realistic worst-case outcomes include business email compromise (BEC), fraudulent payments, and ransomware staging.
Security teams should prioritize three monitoring controls based on this attack chain:
- Delivery stage: Alert on .js or double-extension files (.pdf.js) spawning WMI-invoked PowerShell processes
- Network stage: Flag outbound traffic to image hosting services (Cloudinary) where responses contain non-standard markers like BaseStart within binary streams
- Endpoint stage: Treat any outbound network connections originating from CasPol.exe as high-confidence malicious activity requiring immediate investigation
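The three controls above, expressed as detection logic over constructed events (an added example, not from the article or ANY.RUN). The event schema is an assumption that merges process telemetry with the first bytes of a proxy-observed HTTP response; all hosts, paths and domains in the sample are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed events in a simplified Sysmon/proxy-style schema (an assumption,
# not real telemetry); "body" is the start of the HTTP response as a proxy sees it.
EVENTS = [
    {"ts": "2026-01-16T10:00:00", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\ana\Downloads\Comprovante-Bradesco.pdf.js"'},
    {"ts": "2026-01-16T10:00:06", "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "powershell -w hidden"},
    {"ts": "2026-01-16T10:00:07", "host": "WS01", "type": "network",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "res.cloudinary.com", "body": b"\xff\xd8\xff\xe0JFIF..BaseStart-TVqQ-BaseEnd"},
    {"ts": "2026-01-16T10:00:20", "host": "WS01", "type": "network",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     "dest_host": "c2.example.invalid", "body": b""},
    {"ts": "2026-01-16T10:05:00", "host": "WS02", "type": "network",  # benign CDN fetch
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "res.cloudinary.com", "body": b"\xff\xd8\xff\xe0JFIF plain image"},
]

DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpg|png)\.js\b", re.IGNORECASE)

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events, window=timedelta(seconds=60)):
    """Return (stage, host, ts) tuples for the three monitoring controls."""
    alerts = []
    # Script hosts launched with a double-extension file. Because of the WMI hop,
    # PowerShell's parent is WmiPrvSE.exe, so correlate by host and time window.
    droppers = [e for e in events if e["type"] == "process"
                and _name(e["image"]) in ("wscript.exe", "cscript.exe")
                and DOUBLE_EXT.search(e["cmdline"])]
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if (e["type"] == "process" and _name(e["image"]) == "powershell.exe"
                and _name(e["parent"]) == "wmiprvse.exe"):
            if any(d["host"] == e["host"] and
                   timedelta(0) <= t - datetime.fromisoformat(d["ts"]) <= window
                   for d in droppers):
                alerts.append(("delivery", e["host"], e["ts"]))
        elif e["type"] == "network":
            if e["dest_host"].endswith("cloudinary.com") and b"BaseStart" in e["body"]:
                alerts.append(("network", e["host"], e["ts"]))
            if _name(e["image"]) == "caspol.exe":
                alerts.append(("endpoint", e["host"], e["ts"]))
    return alerts
```

The delivery rule deliberately requires both the double-extension script host and the WMI-parented PowerShell on the same host within the window, since either alone is common in benign administration.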
Threat hunters can query threatName:"xworm" AND submissionCountry:"br" in threat intelligence platforms to surface the latest XWorm samples attributed to Brazilian infrastructure and pivot into related delivery domains.
The post XWorm Malware Delivered via Fake Financial Receipts Targeting Windows Systems to Steal Logins and Sessions appeared first on Cyber Security News.
