Malware Brief: XWorm, TrickMo, and Remcos

With Halloween approaching, I figured it would be a good idea to dedicate this Malware Brief post to threats that transform themselves or have undergone significant changes. Because that’s sort of like putting on a costume, get it? Okay, it’s not the best thematic tie-in ever, but it’s what I got, don’t @ me.

Anyway, we’re going to have a look at three threats. First is XWorm, a remote-access Trojan (RAT) that does it all and uses many different techniques to sneak into networks. Its wide availability in cracked forms has helped grow its popularity.

Next comes TrickMo, an Android Trojan that started out as the desktop malware TrickBot, before going mobile.

Finally we’ll have a look at Remcos, a legitimate remote-access tool that — like others — has been repurposed as a RAT that obfuscates its nature and launches advanced persistent threats (APTs).

XWorm: Shape-shifting Swiss Army RAT

Type: Modular RAT

Capabilities: Webcam spying, clipboard hijacking, ransomware-like behavior, and more

Core techniques: AMSI bypass, PowerShell/VBS loaders, USB propagation, HVNC, etc.

Threat actors: TA558, NullBuldge, UAC-0184

Distribution: Originally sold as malware-as-a-service using multiple tiers and capabilities, later widely available in free cracked versions

XWorm is extremely popular, not only because cracked versions are available for free, but because it is extremely easy to use, offers a wide variety of capabilities, and is frequently updated by its developers. This makes it very popular not only among organized, professional cybercriminal groups like TA558, NullBuldge and UAC-0184, but also among amateur hackers with limited skills and capabilities.

One of the things that makes XWorm uniquely difficult to detect is its dynamic approach to infection. It leverages a wide variety of loaders, and it cycles through a variety of file formats and scripting languages, including PowerShell, VBS, .NET executables, JavaScript, batch script, .hta, .lnk, .iso, .vhd, .img, and more to stage and load its payload. This helps it to evade conventional endpoint defenses and sandboxing tools.

TrickMo: Android Trojan with a TrickBot legacy

Type: Banking Trojan

Capabilities: Enables remote control of infected device, along with file harvesting, keystroke logging and more

Threat actors: Affiliates of the now-defunct TrickBot group

Distribution and infection: Dropper masquerades as Googe Chrome web browser that prompts user to update Google Play Services, at which point it downloads an APK file containing the TrickMo payload

Target systems: Android mobile devices

Based on the longstanding TrickBot Trojan that targets Windows desktop systems, TrickMo exemplifies the evolution from desktop to mobile malware. By prompting the user to enable accessibility services, TrickMo gains extensive capabilities to control and access the device and data stored on it.

In its most recent variants, TrickMo uses fake lockscreens and login screens to harvest user credentials. However it is also able to intercept one-time passwords, record screen interactions including unlock patterns, exfiltrate data using 22 different known command-and-control infrastructures, automatically grant permissions, and more.

It resists analysis and obfuscates its nature by using malformed .zip files for distribution, among other techniques.

Remcos: Legit remote-access tool turned rogue

Type: Commercial remote-access tool that is often abused in phishing campaigns and exploit kits

Capabilities: Enables attackers to take administrative control of targeted systems, find and exfiltrate data, and more

Threat actors: APT33, The Gorgon Group, UAC-0050

Distribution and infection: Phishing emails trick users into downloading a seemingly harmless file that contains an OLE object that exploits the remote code execution (RCE) vulnerability CVE-2017-0199.

Although the CVE-2017-0199 vulnerability has been known since 2017, unpatched systems abound, giving attackers ample opportunities to continue exploiting them.

There is an ongoing trend of attackers using commercial remote-access tools such as Remcos to take control of targeted systems for criminal purposes. While such tools have legitimate uses for IT support and for workers to remotely control office systems from off-site locations, the use of them for nefarious purposes has significant security implications.

Fighting back

Combating these attacks depends on:

• Having a robust cybersecurity infrastructure that uses AI-powered detection technologies that defeat advanced obfuscation techniques
• Ensuring users are well trained to identify suspicious emails that may be phishing attempts, and to always confirm their authenticity before taking any action
• Making sure that all systems and software are kept up to date at all times