Norman’s Nasty Comeback: Unmasking XWorm’s Process Hollowing Hijinks

XWorm isn’t new on the malware scene, but it never fails to amaze. This .NET executable, “Norman_is_back_RPE_v1.exe,” uses Process Hollowing like a magician’s sleight of hand: the payload runs inside a legitimate process, hiding in plain sight. It’s as if the malware said, “Norman, back at it again with the shenanigans!”


Hot Take:

Looks like Norman is back from his malware hiatus with some new tricks up his binary sleeves! Just when you thought you’d seen it all, Norman_is_back_RPE_v1.exe drops in with its Process Hollowing magic act. It’s almost like malware’s version of a Houdini escape trick, but less glamorous and more, well, malicious. Grab your popcorn, folks; this one’s a doozy!

Key Points:

– XWorm is a well-known RAT (Remote Access Trojan) that keeps being repurposed in new campaigns.
– The sample identified as “Norman_is_back_RPE_v1.exe” employs the Process Hollowing technique (a suspended legitimate process has its image replaced with the malicious payload).
– Unusually, the executable is not obfuscated, which makes static analysis straightforward.
– The first stage Base64-decodes PE files that are embedded in the .NET binary.
– The second stage hollows a legitimate .NET compiler process and runs the decoded payload inside it, so the payload appears to be the compiler.
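The first-stage trick above (PE images hidden as Base64 strings inside a .NET binary) is easy to triage without running the sample. The following Python helper is an added example and not code from the original write-up or from the malware analysis it summarizes: it scans a file for long Base64 runs, decodes them, and reports any that carve out to a PE image. Two details matter in practice and are handled here: .NET string literals are stored as UTF-16LE in the #US heap, so a plain ASCII regex misses them, and an identifier or other Base64-alphabet text adjacent to the literal can be swallowed into the run and shift its alignment. The fake PE header and the sample blob are constructed in the script; the function names are the example’s own.

```python
import base64
import re
import struct

# Candidate Base64 runs. .NET string literals live in the #US heap as UTF-16LE,
# so a second pattern matches the same alphabet with interleaved NUL bytes.
B64_ASCII = re.compile(rb'[A-Za-z0-9+/]{64,}={0,2}')
B64_UTF16 = re.compile(rb'(?:[A-Za-z0-9+/]\x00){64,}(?:=\x00){0,2}')


def carve_pe(data):
    """Return data from the first MZ header whose e_lfanew points at 'PE\\0\\0', else None."""
    pos = data.find(b'MZ')
    while pos != -1:
        if len(data) - pos >= 0x40:
            e_lfanew = struct.unpack_from('<I', data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b'PE\x00\x00':
                return data[pos:]
        pos = data.find(b'MZ', pos + 1)
    return None


def _decode_candidates(run):
    # Base64-alphabet text next to the literal (e.g. an identifier) can be pulled
    # into the match and shift the alignment, so try all four possible alignments.
    for k in range(4):
        chunk = run[k:]
        chunk = chunk[:len(chunk) - len(chunk) % 4]
        try:
            yield base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def find_embedded_pes(blob):
    """Return [(offset, encoding, pe_bytes)] for every Base64 run in blob that hides a PE image."""
    hits = []
    for enc, pattern in (('ascii', B64_ASCII), ('utf-16le', B64_UTF16)):
        for m in pattern.finditer(blob):
            run = m.group(0)
            if enc == 'utf-16le':
                run = run.decode('utf-16-le').encode('ascii')
            for decoded in _decode_candidates(run):
                pe = carve_pe(decoded)
                if pe is not None:
                    hits.append((m.start(), enc, pe))
                    break
    return hits


def make_fake_pe():
    # Constructed stand-in for an embedded payload: MZ header, e_lfanew = 0x40,
    # PE signature, then filler. Enough for the header check, not a real image.
    hdr = bytearray(b'MZ' + b'\x00' * 0x3E)
    struct.pack_into('<I', hdr, 0x3C, 0x40)
    return bytes(hdr) + b'PE\x00\x00' + b'\x90' * 64


FAKE_PE = make_fake_pe()

# Constructed sample: the same payload once as an ASCII literal (with an adjacent
# Base64-alphabet word "junk" to exercise the alignment fix) and once as UTF-16LE.
SAMPLE_BLOB = (
    b'\x00\x01junk' + base64.b64encode(FAKE_PE)
    + b'\x00more junk\x00\x00'
    + base64.b64encode(FAKE_PE).decode().encode('utf-16-le')
    + b'\x00\x00tail'
)


if __name__ == '__main__':
    for offset, enc, pe in find_embedded_pes(SAMPLE_BLOB):
        print(f'offset={offset:#x} encoding={enc} pe_size={len(pe)} matches_fake={pe == FAKE_PE}')
```

To use it on a real sample, read the file as bytes and pass it to `find_embedded_pes`; each returned `pe_bytes` can be written to disk and opened in a PE parser for the next stage. The 64-character minimum is a tuning knob: lower it to catch small stubs, raise it to cut noise from long identifiers.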

The Nimble Nerd