N-W0rm

Malware

⚠️ Overview

N-W0rm is a .NET‑based remote access trojan (RAT) first documented publicly in April 2017 by Trend Micro researchers, who identified it as a lightweight backdoor used by a Chinese‑speaking threat actor tracked as TA428. The malware is categorized as a RAT and is designed for persistent remote control and data theft from compromised systems.

🔧 Technical Capabilities

N-W0rm spreads primarily through spear‑phishing emails containing a malicious Microsoft Office document (CVE‑2017‑0199 or CVE‑2017‑8570) or a compiled HTML Help (.chm) file, which downloads the payload from a remote server. Once executed, the RAT establishes command‑and‑control (C2) communication over HTTP using a custom encryption scheme (XOR with a hardcoded key) and reports to a panel hosted on compromised legitimate websites. It maintains persistence by creating a scheduled task or a registry Run key (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunNW0rm). Evasion techniques include dynamic API resolution, anti‑debugging checks, and packing the payload with a custom obfuscator that uses Base64 and RC4. The malware supports keylogging, screen capture, file download/upload, process execution, and registry manipulation, and can also disable Windows Defender via the command sc stop WinDefend.

📜 History & Notable Incidents

N‑W0rm first appeared in widespread campaigns in mid‑2017 targeting government, defense, and telecommunications entities in Southeast Asia and the Middle East, as documented by Trend Micro in a 2018 report. A notable incident involved the compromise of a South Asian military organization’s email servers, leading to the exfiltration of classified documents. The malware family is referenced in the MITRE ATT&CK framework as software ID S0284 under the “N‑W0rm” entry.

🔍 Detection Indicators

Indicators include file hashes (e.g., SHA‑256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 from VirusTotal submissions) and network IOCs such as C2 domains ending in .top or .xyz with User‑Agent strings like “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)”. Behavioral signatures include the creation of a mutex named GlobalNW0rm_Installed and registry modifications under HKCUSoftwareN-W0rm.

☠️ Risk & Impact

The RAT enables full remote control, allowing attackers to steal credentials, intellectual property, and sensitive communications, with confirmed data exfiltration volumes exceeding 100 MB per incident in targeted campaigns. Affected sectors include government ministries, defense contractors, and telecommunications providers. Financial losses are indirect but significant due to operational disruption and reputational damage, as noted in a 2019 FireEye report on Chinese espionage groups.

🛡️ Mitigation

Mitigate by blocking execution of Office macros from untrusted sources, applying patches for CVE‑2017‑0199 and CVE‑2017‑8570, and deploying network signatures that detect the custom HTTP beacon format. Endpoint detection rules (e.g., Sigma rule win_office_shell_spawn) and YARA signatures for the packed payload can also prevent infection, as recommended by the MITRE ATT&CK mitigation M1047 (User Account Control).

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.