XWorm 6.0: The Ultimate Data Theft Machine with Enhanced Plugins

XWorm 6.0: A Resilient Malware Threat Resurfaces with Enhanced Capabilities

The resurgence of the notorious XWorm 6.0 malware has sent shockwaves through the cybersecurity community. The malware has evolved to include a range of malicious plugins that enable it to carry out a variety of activities:

  • Webcam.dll: This plugin is designed to surreptitiously record the victim and to verify that an infected machine is genuine.
  • TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll: These plugins allow XWorm 6.0 to transmit information about active TCP connections, open windows, and startup programs to a remote command-and-control (C2) server.
  • Ransomware.dll: With this plugin, XWorm 6.0 can encrypt files and extort users for a cryptocurrency ransom. The plugin shares code similarities with the NoCry ransomware.
  • Rootkit.dll: This plugin enables XWorm 6.0 to install a modified r77 rootkit, enhancing its ability to evade detection and maintain persistence on an infected system.
  • ResetSurvival.dll: By employing this plugin, XWorm 6.0 can modify the Windows Registry to ensure its survival even after a device reset.

Aside from deploying these custom plugins, XWorm 6.0 has also facilitated the distribution of various other malware families, including DarkCloud Stealer, Hworm, Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer, Phantom Stealer, Phemedrone Stealer, and Remcos RAT.

A deeper analysis of the XWorm V6.0 malware also found that several XWorm V6.0 Builders on VirusTotal have themselves been infected with XWorm malware. This suggests that an XWorm RAT operator may have unwittingly fallen victim to their own tool.

The reappearance of XWorm 6.0, armed with a diverse set of plugins for activities ranging from keylogging to ransomware, serves as a stark reminder that the threat landscape is ever-evolving, and vigilance is paramount in combating malware.
