XWorm campaign shows a shift toward fileless malware and in-memory evasion tactics
Dodging sandboxes and scanners: The attackers relied on well-known evasion techniques throughout the chain, including API hashing to hide intent, API calls that bypass user-mode hooks installed by security software, and multiple encryption layers inside .NET DLLs.

"The DLL file uses several encryption techniques for analysis to be difficult, such as RSACryptor, Virtualization, Fake.cctor, and many more," Kumar noted.

Forcepoint analysis revealed that malware samples made API calls like "UrlDownloadToFile" and "LoadLibraryW" to execute code directly from memory in an attempt to beat conventional scanners. Additionally, the analysis flagged use of resource-embedded steganographic payloads, a common .NET trick to smuggle bytes into a benign-looking binary.

Recommended controls for protecting against XWorm-like campaigns include monitoring for unusual Office attachment types (especially .xlam with OLE native streams), inspecting processes that invoke UrlMon/UrlDownloadToFile followed by in-memory loads, and deploying runtime memory-scanning and EDR rules that detect reflective DLL injection and "unhooked" invocation patterns. The blog included a list of indicators of compromise (IoCs) to set detection for.

Earlier this month, researchers reported fileless malware picking up an open-source upgrade in the form of AsyncRAT that ran PowerShell commands to fetch and assemble .NET payloads in memory.
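The second recommended control above, correlating a URLDownloadToFile call with a subsequent in-memory (file-unbacked) load in the same process, is easy to express as a small detection rule. The following is an added example written for this summary, not code from the CSO article, Forcepoint, or Kumar; the telemetry line format, process names, PIDs and timestamps are all constructed for illustration, and the "unbacked_region" marker stands in for whatever your EDR emits when executable memory has no backing file on disk. The rule raises severity when the originating process is an Office application, which matches the .xlam delivery path described above.

```python
"""Added example: flag a process that calls URLDownloadToFile and then, within a
short window, maps executable memory that is not backed by a file on disk.
Telemetry format, process names and timestamps below are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str    # process image name, normalised to lower case
    kind: str     # "image_load" | "api_call" | "memory_load" (constructed vocabulary)
    detail: str   # DLL path, API name, or "unbacked_region:<addr>"


@dataclass
class Alert:
    pid: int
    image: str
    download_ts: datetime
    load_ts: datetime
    severity: str


# Office hosts that should never be downloading and running code from memory.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# UrlMon download entry points (ANSI/Unicode variants) named in the article.
DOWNLOAD_APIS = {"urldownloadtofile", "urldownloadtofilea", "urldownloadtofilew"}


def parse_line(line: str) -> Event:
    """Parse one constructed 'ISO-ts pid=.. image=.. kind=.. detail=..' line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(token.partition("=")[::2] for token in rest.split(" "))
    return Event(
        ts=datetime.fromisoformat(ts_str),
        pid=int(fields["pid"]),
        image=fields["image"].lower(),
        kind=fields["kind"],
        detail=fields["detail"],
    )


def detect_download_then_memory_load(
    lines: List[str], window: timedelta = timedelta(seconds=120)
) -> List[Alert]:
    """Return one Alert per (download, unbacked load) pair inside `window` for a PID.

    A download followed by a normal file-backed image load, or an unbacked load
    long after the download, does not fire; this keeps updaters and browsers quiet.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e.ts)
    last_download: Dict[int, datetime] = {}
    alerts: List[Alert] = []
    for ev in events:
        if ev.kind == "api_call" and ev.detail.lower() in DOWNLOAD_APIS:
            last_download[ev.pid] = ev.ts
        elif ev.kind == "memory_load" and ev.detail.startswith("unbacked_region"):
            dl = last_download.get(ev.pid)
            if dl is not None and ev.ts - dl <= window:
                severity = "high" if ev.image in OFFICE_IMAGES else "medium"
                alerts.append(Alert(ev.pid, ev.image, dl, ev.ts, severity))
                del last_download[ev.pid]  # one alert per download event
    return alerts


# Constructed sample telemetry: one Office chain that should fire, one benign
# updater (file-backed load), and one unbacked load well outside the window.
SAMPLE_TELEMETRY = [
    "2025-10-01T10:00:00 pid=4120 image=EXCEL.EXE kind=image_load detail=C:\\Windows\\System32\\urlmon.dll",
    "2025-10-01T10:00:02 pid=4120 image=EXCEL.EXE kind=api_call detail=URLDownloadToFileW",
    "2025-10-01T10:00:05 pid=4120 image=EXCEL.EXE kind=memory_load detail=unbacked_region:0x1a20000",
    "2025-10-01T10:00:07 pid=4120 image=EXCEL.EXE kind=api_call detail=LoadLibraryW",
    "2025-10-01T10:01:00 pid=5310 image=updater.exe kind=api_call detail=URLDownloadToFileW",
    "2025-10-01T10:01:03 pid=5310 image=updater.exe kind=image_load detail=C:\\ProgramData\\Updater\\helper.dll",
    "2025-10-01T10:02:00 pid=6001 image=tool.exe kind=api_call detail=URLDownloadToFileA",
    "2025-10-01T10:10:00 pid=6001 image=tool.exe kind=memory_load detail=unbacked_region:0x2b00000",
]


if __name__ == "__main__":
    for a in detect_download_then_memory_load(SAMPLE_TELEMETRY):
        print(f"[{a.severity}] pid={a.pid} {a.image}: download at {a.download_ts.time()}, "
              f"unbacked load at {a.load_ts.time()}")
```

In production the two event kinds would come from an EDR's API-call and memory-protection telemetry rather than a text log, and the window should be tuned to the environment; the structure of the rule (per-process state keyed on the download, cleared once it fires) stays the same.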

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4064720/xworm-campaign-shows-a-shift-toward-fileless-malware-and-in-memory-evasion-tactics.html