How Hackers Use Plain Images to Deliver Malware | Xworm Analysis with Any.Run

This post provides an in-depth analysis of a recent cyber attack known as the StegoCampaign, where hackers used PDF and image files to deliver malware named Xworm. This malware is categorized as a multi-functional threat, serving as both a remote access trojan (RAT) and a worm, capable of executing ransomware, stealing sensitive information, and establishing persistence within compromised systems.

How Steganography is Used in Cyberattacks?

Steganography is the art of hiding data inside other files (like images, audio, or video) in a way that makes the data invisible. Cybercriminals use this technique to smuggle malware past security systems and deliver it to target machines.

How Hackers Use Steganography in Cyberattacks

1️.Attackers send an innocent-looking file (like an image or PDF) to a victim.

• The image appears normal to the human eye, but it contains malicious code hidden inside it.

2️.The victim’s machine opens the file, and a script extracts the hidden payload.

• This script may run automatically if executed via PowerShell or Visual Basic Script (VBS).

3️.The extracted malware runs on the victim’s system, often bypassing antivirus detection.

• Since the malware wasn’t directly attached, traditional signature-based detection systems may not flag it.

4️.The malware then contacts a remote server (C2 server) to download additional malicious payloads.

Dissecting The Xworm

We will use ANY.RUN to analyze the sample. ANY.RUN is an interactive malware analysis sandbox that provides security professionals with real-time insights into malware behavior. It allows analysts to execute and monitor suspicious files in a controlled environment, helping them detect, analyze, and understand cyber threats.

Initial Stage – Phishing Email with a PDF Attachment

• The attack starts with a phishing email sent to a victim.
• The email contains an attachment, reported to be either:
  • A PDF file (as analyzed in the video).
  • An Excel attachment (mentioned but not analyzed in depth).

How the PDF Tricks the User

• The PDF file contains a message instructing the victim to:
  • Click on a link to install a “graphics extension” to view the PDF.
  • The user is told to download and install a required file.

User Clicks the Link – Malicious File Downloaded

• When the victim clicks the link inside the PDF, their browser opens a URL hosted on sendspace.com.
• The downloaded file is named “PDF Graphics.Bridge”, which is a Windows registry (.reg) file.

Registry File Execution and System Modification

• The victim opens the registry file (thinking it is required for the PDF to work).
• This adds malicious registry entries that:
  • Modify Windows startup settings.
  • Ensure that a malicious command is executed on system reboot.

Execution of Malicious Visual Basic Script (VBS)

• The maze.vbs script is executed using Windows Script Host (WScript.exe).
• This script then:
  • Executes another hidden PowerShell script.
  • Calls an external command-and-control (C2) server (32005.filemail.com).
  • Downloads another Base64-encoded payload.

Image-Based Payload Delivery

• The malware uses steganography (hiding code inside an image file).
• The Base64-encoded payload is extracted and decoded.
• The decoded payload is then injected into a legitimate system process (addinprocess32.exe).

Process Injection and Malware Execution

• The addinprocess.exe is a trusted Microsoft process, which the attacker exploits to avoid detection.
• Once infected, this process:
  • Communicates with a C2 server.
  • Receives further commands and payloads.
  • Establishes persistent access to the compromised machine.

Command-and-Control (C2) Communication

• The infected machine connects to the attacker’s server (94.xxx.xxx.46).
• The system then:
  • Waits for further instructions.
  • Can be used for data exfiltration, additional payload delivery, or ransomware deployment.

Key Findings and Indicators of Compromise (IOCs)

💡 Indicators of Compromise (IOCs) collected from the analysis:

• Malicious domains and URLs:
  • support.zyx.free.HR
  • 32005.fila.com
  • sendspace.com (used for file delivery)
• Suspicious processes created:
  • WScript.exe executing maze.vbs
  • PowerShell running with execution policy bypass
  • addinprocess.exe hooked with malware
• Malware execution techniques used:
  • Registry modification for persistence.
  • PowerShell execution bypassing security settings.
  • Process injection into a legitimate system file.
  • Communication with a C2 server for further attack instructions.

Threat Intelligence & Indicators of Compromise

To investigate the phishing emails:

• Email headers & sender domains are analyzed to check if they originate from known bad sources.
• Splunk is used to correlate the email domains and user interactions.
• Threat intelligence tools such as VirusTotal and ANY.RUN Sandbox help identify malicious domains or attachments.

Why ANY.RUN is a Recommended Sandbox in Malware Analysis?

1. Real-Time Malware Execution and Behavioral Analysis

• ANY.RUN executes malware samples in a virtualized environment where analysts can interact with the malware just as a user would in a real-world scenario.
• The platform captures process execution, network activity, file system changes, and registry modifications in real time.

 2. File and Process Inspection

• ANY.RUN dissects malicious files, such as executables (.exe), scripts (.vbs, .ps1), and documents (PDF, DOCX, XLSX), revealing hidden payloads.
• It allows security analysts to track which processes were spawned, including hidden PowerShell or command-line executions.
• In the case of Xworm, Any.Run helped track how the registry modification file (.reg) was used to establish persistence.

 3. Threat Intelligence Integration

• ANY.RUN is connected to Threat Intelligence databases, allowing security analysts to check if a file, URL, or IP address has previously been flagged as malicious.
• It identifies Indicators of Compromise (IoCs) such as file hashes, registry keys, and C2 server IPs, which are critical for mitigating threats.
• For instance, in this attack, Any.Run flagged the C2 server IP address (94.xxx.xxx.46) as suspicious, indicating that it was already associated with malware campaigns.

 4. Network Traffic Analysis and C2 Communications Detection

• The tool monitors and records outbound network requests, helping analysts identify C2 (Command and Control) communications.
• In the case of Xworm, Any.Run helped track how PowerShell was used to retrieve additional payloads from support.zyx.free.HR.
• This enables security teams to block malicious domains and update firewall rules to prevent future infections.

 5. Automation and API Integration for Threat Detection

• Many SOC (Security Operations Centers) integrate Any.Run with automated threat-hunting tools, allowing them to detect and respond to threats faster.
• Analysts can submit suspicious files or URLs for automatic analysis, reducing the time needed to manually investigate potential malware threats.

 6. Interactive Analysis with Simulated User Behavior

This human-driven approach helps uncover hidden malware behavior that would otherwise remain undetected in fully automated analysis tools.

Unlike traditional sandboxes, ANY.RUN allows real-time interaction—analysts can manually open files, click on phishing links, and interact with malware as if they were the victim.

What’s Special About The Stegocampaign?

Uses “Steganography” – The malware is hidden inside an image file.
Bypasses Security Measures – Since the attack starts with a seemingly harmless PDF, many antivirus tools may not detect it.
Uses Windows System Processes – By injecting itself into a legitimate Windows process (addinprocess.exe), it avoids suspicion.

What is Process Injection?

Process injection is a stealthy malware technique used by attackers to execute malicious code inside legitimate system processes. This method helps malware evade detection by antivirus software because the infected process appears to be a normal, trusted Windows application.

 Why do attackers use process injection?

• Bypass security tools (firewalls, antivirus, endpoint protection).
• Run malicious code with higher privileges.
• Avoid detection by hiding within legitimate system processes.

 How Process Injection Was Utilized in the Stegocampaign

In the SEO campaign attack from the video, the malware injected itself into addinprocess.exe, a legitimate Microsoft process. Here’s how it worked:

1️.Execution of a Malicious PowerShell Script

• The malware used PowerShell with execution policy bypass to download and execute further payloads.

2️.Retrieving a Steganographic Image

• The payload was encoded within an image file.
• The PowerShell script extracted the payload and decoded it.

3️.Injecting the Payload into addinprocess.exe

• Instead of running the malware as a separate process (which would be easy to detect), the attackers hijacked a trusted system process.
• The malware loaded itself into the memory of addinprocess.exe, effectively taking over the process.

4️.Persistence & Evasion

• Since addinprocess.exe is a legitimate Windows process, security tools were less likely to flag it as suspicious.
• The injected malware established communication with a C2 server, allowing the attacker to send commands.

Common Process Injection Techniques

Attackers use several different techniques to inject malicious code into legitimate processes. Here are some of the most well-known ones:

1️. DLL Injection

• A malicious Dynamic Link Library (DLL) is injected into a running process.
• The process unknowingly loads the DLL and executes its malicious functions.
• Often used in banking trojans, keyloggers, and RATs (Remote Access Trojans).

rundll32.exe malicious.dll, EntryPoint

2. Code Injection via CreateRemoteThread

• The attacker allocates memory inside a legitimate process.
• A new thread is created to execute the malicious code.
• Used in many modern trojans, keyloggers, and spyware.

Example (C++ code snippet for injection into Notepad.exe):

HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetProcessID);
LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, payloadSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, remoteBuffer, payload, payloadSize, NULL);
CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);

Detection:

• Monitor for unexpected CreateRemoteThread API calls.
• Look for unusual memory allocations inside legitimate processes.

3️. Process Hollowing

• A legitimate process is started in a suspended state.
• The attacker removes the original code from memory and replaces it with malicious code.
• The process then runs as normal but executes the attacker’s malware.

Example:
Attackers may start svchost.exe in a suspended state, remove its original code, and replace it with malware.

Detection:

• Look for processes running in a suspended state for too long.
• Monitor for unexpected parent-child process relationships.

4️. APC Injection (Asynchronous Procedure Call) 🚀

• The attacker queues a malicious function to be executed inside a legitimate process.
• When the target process performs certain operations, the malicious function executes.

💡 Detection:

• Monitor for APC injections into high-value processes like explorer.exe, winlogon.exe, or lsass.exe.

5️ PE Injection (Portable Executable Injection)

• The attacker injects a full PE (executable) file into the memory of another process.
• Unlike DLL injection, this does not rely on loading external files, making it harder to detect.

Example:

• Malware downloads an encrypted payload.
• Decrypts it in memory and injects it into explorer.exe.

💡 Detection:

• Monitor for unusual memory modifications inside system processes.
• Track process integrity changes in security logs.

How to Detect & Prevent Process Injection Attacks

Defending against process injection requires a mix of behavioral analysis, endpoint security, and threat intelligence.

 1. Monitor Suspicious System Processes

• Watch for unexpected execution of rundll32.exe, powershell.exe, wscript.exe, and svchost.exe.
• Check for new threads created in running processes (especially security-critical processes like lsass.exe).

 2. Enable Attack Surface Reduction (ASR) Rules

• In Windows Defender, enable ASR rules to block process injection attempts:

Set-MpPreference -AttackSurfaceReductionRules_Ids d4f940ab-401b-4efc-aadc-ad5f3c50688a -AttackSurfaceReductionRules_Actions Enabled

This rule prevents legitimate system processes from loading malicious code.

 3. Use EDR (Endpoint Detection & Response) Solutions

• Tools like Microsoft Defender ATP, CrowdStrike, or SentinelOne can track process injection behavior in real-time.

 4. Monitor Process Memory & API Calls

• Use Sysmon (System Monitor) to log suspicious API calls:
  • CreateRemoteThread
  • VirtualAllocEx
  • WriteProcessMemory
• Configure Splunk, ELK, or SIEM tools to flag these activities.

 5. Block Unnecessary PowerShell ExecutionRestrict PowerShell execution policies to prevent script-based injection:

Set-ExecutionPolicy Restricted -Scope LocalMachine

Monitor for PowerShell commands using -ExecutionPolicy Bypass.

Conclusion

In this detailed examination, we demonstrated how attackers conceal XWorm malware within image files, exploiting the unsuspecting nature of such media. The analysis reveals the process of embedding malicious payloads into images and the subsequent execution upon opening these files. By leveraging the ANY.RUN platform, the study showcases real-time detection and analysis of the malware’s behavior, emphasizing the importance of proactive monitoring and advanced threat detection tools. The article concludes with recommendations for enhancing security measures to prevent such stealthy attacks, including regular system updates, employee training, and the implementation of robust security protocols.

Video Walkthrough