Recently I noticed the news about AI-generated malware which was hidden in images with pandas. While the main purpose of the malware is “only” cryptomining, it uses several interesting techniques which are not so common for coinminers. It uses nicely formatted and commented setup script (generated by AI). It supports wide variety of coinminers for various cryptocurrencies and for GPU and different CPU architectures. Its another component, hideproc, tries to hide the Koske miner from file listings and processes.

When I looked on recent public submissions on Any.Run this week, my attention was attracted by XWorm samples with tags “stegocampaign”. Quick review of analysis reports reveal simple, yet interesting infection chain. It contains Visual Basic script, PowerShell script, picture with Base64-encoded executable and the XWorm RAT itself. Those payloads have been downloaded from online hosting services such as Pastebin or Firebase. Moreover, they have been downloaded via HTTPs, so basic network analysis does not reveal the content nor the URL links, however, there are some simple methods how to reveal the real URLs.