An attack that abuses the legitimate developer tool PyInstaller to conceal XWorm malware has been discovered by researchers at Point Wild, HackRead reports.

The attack begins with deceptive emails or fake software updates that deliver a seemingly harmless file. The file is built with PyInstaller, a tool developers use to package Python scripts into standalone executables, and the malicious code is bundled in alongside the decoy. In this scenario PyInstaller is repurposed as a delivery mechanism for XWorm: once the victim opens the file, the compiled script runs in the background, and because the sample looks like any other PyInstaller-built application it draws little attention from defenders.

Researchers found a routine named "_IAT_PHANTOM_FIX" that appears to be dummy code intended to hinder analysis. The malware then patches the Antimalware Scan Interface (AMSI) in memory so that content it subsequently loads is no longer handed to the installed antivirus engine for scanning, which lets it unpack its main payload undetected.

That payload is stored encrypted inside the file. After decrypting itself it is written to the %LOCALAPPDATA% folder under the deceptive name "Win.Kernel_Svc_AJ8iOw.exe" and marked with the hidden and system file attributes so that it does not appear in a default directory listing.

The dropped payload, XWorm V7.4, then connects to a remote command-and-control server, encrypting the traffic with an AES key. Through that channel attackers can steal passwords, access files, activate the webcam, launch DDoS attacks, or take full remote control of the compromised device.

Source: HackRead
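A first triage step for a sample like the one described above is to confirm that it is a PyInstaller bundle at all, since that decides the next move (extract the embedded archive and decompile the .pyc files rather than reverse the bootloader). The following script is an added example and is not code from the article, HackRead, or Point Wild's analysis. It relies only on the documented layout of PyInstaller's CArchive "cookie": the archive appended to the bootloader ends with a fixed-size record whose first 8 bytes are the magic `MEI\x0c\x0b\x0a\x0b\x0e`, followed by the package length, TOC offset, TOC length, Python version and (from PyInstaller 2.1 on) the Python library name. The sample input is constructed in the script; it is not a real binary, and the "overlay" bytes after the cookie only stand in for the signature or padding some samples carry there.

```python
"""Triage check: does this executable carry a PyInstaller archive?

Added example, not from the article or Point Wild's research. It parses the
cookie that PyInstaller appends to every onefile bundle and reports where the
embedded archive starts, so the archive can be carved out for deeper analysis.
"""
import struct
import sys
from typing import Optional

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# PyInstaller >= 2.1 cookie (network byte order):
#   magic[8], package length, TOC offset, TOC length, Python version, pylib name[64]
COOKIE_FMT_21 = "!8sIIIi64s"
COOKIE_SIZE_21 = struct.calcsize(COOKIE_FMT_21)   # 88 bytes
# PyInstaller 2.0 cookie: same fields minus the pylib name
COOKIE_FMT_20 = "!8sIIIi"
COOKIE_SIZE_20 = struct.calcsize(COOKIE_FMT_20)   # 24 bytes


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the parsed cookie fields, or None if no PyInstaller magic is present.

    The cookie normally sits at the very end of the file, but an Authenticode
    signature or other overlay may follow it, so search backwards for the magic
    instead of assuming a fixed offset.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1:
        return None
    tail = data[pos:]
    if len(tail) >= COOKIE_SIZE_21:
        _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
            COOKIE_FMT_21, tail[:COOKIE_SIZE_21])
        cookie_size = COOKIE_SIZE_21
        pylib_name = pylib.split(b"\0", 1)[0].decode(errors="replace")
        fmt = "2.1+"
    elif len(tail) >= COOKIE_SIZE_20:
        _, pkg_len, toc_off, toc_len, pyver = struct.unpack(
            COOKIE_FMT_20, tail[:COOKIE_SIZE_20])
        cookie_size = COOKIE_SIZE_20
        pylib_name = ""
        fmt = "2.0"
    else:
        return None  # magic found but truncated; not a usable cookie

    # The package length counts the cookie itself, so the archive begins
    # cookie_size bytes past the cookie start minus the whole package length.
    archive_start = pos + cookie_size - pkg_len
    return {
        "format": fmt,
        "cookie_offset": pos,
        "archive_start": archive_start,
        "archive_length": pkg_len,
        "toc_offset": toc_off,          # relative to archive_start
        "toc_length": toc_len,
        "python_version": f"{pyver // 100}.{pyver % 100}",  # 311 -> "3.11"
        "pylib": pylib_name,
    }


def build_fake_sample() -> bytes:
    """Constructed test input (not a real binary): a fake bootloader, a fake
    archive body, a valid-looking 2.1+ cookie, and a trailing overlay that
    exercises the backwards search."""
    bootloader = b"MZ" + b"\x90" * 254          # stands in for the PE bootloader
    body = b"\x00" * 300                        # stands in for TOC and entries
    pkg_len = len(body) + COOKIE_SIZE_21        # package length includes the cookie
    cookie = struct.pack(COOKIE_FMT_21, PYINST_MAGIC, pkg_len, 200, 100, 311,
                         b"python311.dll".ljust(64, b"\0"))
    overlay = b"\xAA" * 16                      # stands in for a signature/overlay
    return bootloader + body + cookie + overlay


if __name__ == "__main__":
    # Usage: python pyinst_triage.py <file>  (no argument: run on the fake sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_sample()
    info = find_pyinstaller_cookie(blob)
    print("not a PyInstaller bundle" if info is None else info)
```

If the cookie parses, the bytes from `archive_start` for `archive_length` bytes are the CArchive, and `toc_offset` (relative to that start) points at the table of contents that lists the embedded scripts and libraries; that is where tools such as pyinstxtractor begin. A hit does not by itself mean the file is malicious, since plenty of legitimate software ships this way, which is exactly why the technique works as camouflage.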