
New YARA rule for win.xworm: Trojanized TaskScheduler.dll loader variant #75

@ghost

Description

Summary

I'd like to contribute a YARA rule for the win.xworm family that detects a loader variant not covered by the existing win_xworm_w0 rule (which targets the XWorm RAT client itself). This rule targets the trojanized .NET loader DLL used in the delivery chain.

Loader Description

The loader is a trojanized copy of the legitimate dahall/taskscheduler v2.12.2.0 NuGet package (Microsoft.Win32.TaskScheduler.dll) with 205 injected malicious namespaces containing:

  • Process hollowing via HackForums.gigajew.Mandark RunPE (sourced from HackForums)
  • 6-vector WMI VM detection (VirtualMachineDetector) including hardcoded QEMU MAC 52:54:00:4A:04:AF
  • CMSTP UAC bypass with embedded CorpVPN INF template
  • 3 persistence mechanisms: scheduled task (PowerShell), WScript, registry Run key
  • ConfuserEx obfuscation with switch-based control flow flattening
  • Portuguese-language debug strings indicating Brazilian developer origin

Reference Sample

Artifact              Value
MD5                   34e90568af4dcd40f4f04174ec326e2a
Type                  .NET DLL (PE32), CIL, CLR v4.0.30319
Size                  1,132,032 bytes
PDB                   Microsoft.Win32.TaskScheduler.pdb
C2 (final payload)    31.40.204.103:1990 (ThreatFox IOC #1750411)
Final payload SHA256  b73ce45f837e67b2f81565c63c8601ec0b89360101331f89fc6821e2fb60a7f6 (XWorm RAT, 60/76 VT)

Proposed YARA Rule

rule XWorm_Loader_TaskScheduler_Trojan {
    meta:
        description = "Detects XWorm .NET loader trojanized as Microsoft.Win32.TaskScheduler.dll with 205 injected malicious namespaces including HackForums.gigajew.Mandark RunPE, VirtualMachineDetector, and CMSTP UAC bypass"
        author = "Lenard-Code"
        date = "2026-03-10"
        malpedia_family = "win.xworm"
        hash = "34e90568af4dcd40f4f04174ec326e2a"
    strings:
        $ns1 = "HackForums.gigajew" ascii
        $ns2 = "Mandark" ascii
        $ns3 = "VirtualMachineDetector" ascii
        $s1 = "Bypass executado com sucesso!" wide
        $s2 = "Erro ao executar o bypass." wide
        $s3 = "Baixar e executar o PuTTY" wide
        $s4 = "52:54:00:4A:04:AF" wide
        $s5 = "CorpVPN" wide
        $s6 = "conhost.exe" wide
        $s7 = "EnableLUA" wide
        $pdb = "Microsoft.Win32.TaskScheduler.pdb" ascii
        $api1 = "ZwUnmapViewOfSection" ascii
        $api2 = "VirtualAllocEx" ascii
        $api3 = "WriteProcessMemory" ascii
    condition:
        uint16(0) == 0x5A4D and
        (
            ($ns1 and $ns2) or
            ($ns3 and 1 of ($api*)) or
            (3 of ($s*)) or
            ($pdb and 2 of ($api*))
        )
}

Update (2026-03-13): Fixed unreferenced $ns3 string that caused YARA 4.x strict mode compilation failure. Added ($ns3 and 1 of ($api*)) condition branch. Rule validated against reference sample — all 14 strings match.
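Two things a reviewer of this rule would want to check before merging are the ones the update above touches: that every declared string is referenced in the condition (YARA rejects a rule with an unreferenced string), and that the ascii/wide modifiers and the "N of ($prefix*)" counts behave as intended on a real buffer. The script below is an added example, not part of the issue or of the yara project; it carries the rule's 14 strings and condition into pure Python (no yara-python needed), lints a rule text for unreferenced identifiers, and evaluates the condition against constructed byte buffers. The buffers, the `demo` rule name and the pre-fix condition text are reconstructions made for the example, not real samples or the issue's exact earlier revision.

```python
import re

# The 14 strings of the proposed rule, with their YARA modifiers (copied from
# the rule on the page); everything around them is added example code.
STRINGS = {
    "$ns1": ("HackForums.gigajew", "ascii"),
    "$ns2": ("Mandark", "ascii"),
    "$ns3": ("VirtualMachineDetector", "ascii"),
    "$s1": ("Bypass executado com sucesso!", "wide"),
    "$s2": ("Erro ao executar o bypass.", "wide"),
    "$s3": ("Baixar e executar o PuTTY", "wide"),
    "$s4": ("52:54:00:4A:04:AF", "wide"),
    "$s5": ("CorpVPN", "wide"),
    "$s6": ("conhost.exe", "wide"),
    "$s7": ("EnableLUA", "wide"),
    "$pdb": ("Microsoft.Win32.TaskScheduler.pdb", "ascii"),
    "$api1": ("ZwUnmapViewOfSection", "ascii"),
    "$api2": ("VirtualAllocEx", "ascii"),
    "$api3": ("WriteProcessMemory", "ascii"),
}

# Condition as fixed in the 2026-03-13 update, and a reconstructed pre-fix form
# without the $ns3 branch, used only to show the unreferenced-string failure.
CONDITION_FIXED = ("uint16(0) == 0x5A4D and (($ns1 and $ns2) or ($ns3 and 1 of ($api*)) "
                   "or (3 of ($s*)) or ($pdb and 2 of ($api*)))")
CONDITION_ORIGINAL = ("uint16(0) == 0x5A4D and (($ns1 and $ns2) "
                      "or (3 of ($s*)) or ($pdb and 2 of ($api*)))")

def encode(text, modifier):
    """'ascii' is the plain byte string; 'wide' is UTF-16LE, as YARA defines it."""
    return text.encode("ascii") if modifier == "ascii" else text.encode("utf-16-le")

def matches(buf):
    """Identifiers whose pattern occurs in buf with the declared encoding."""
    return {name for name, (text, mod) in STRINGS.items() if encode(text, mod) in buf}

def count(found, prefix):
    """Equivalent of YARA's `N of ($prefix*)` counting over matched identifiers."""
    return sum(1 for name in found if name.startswith(prefix))

def rule_condition(buf):
    """Pure-Python evaluation of the fixed condition against a byte buffer."""
    if buf[:2] != b"MZ":  # uint16(0) == 0x5A4D: 'M','Z' read little-endian
        return False
    found = matches(buf)
    return (("$ns1" in found and "$ns2" in found)
            or ("$ns3" in found and count(found, "$api") >= 1)
            or count(found, "$s") >= 3
            or ("$pdb" in found and count(found, "$api") >= 2))

def rule_text(condition):
    """Render STRINGS plus a condition as YARA source for the lint below."""
    decls = "\n".join(f'        {n} = "{t}" {m}' for n, (t, m) in STRINGS.items())
    return f"rule demo {{\n    strings:\n{decls}\n    condition:\n        {condition}\n}}"

def unreferenced_strings(src):
    """Strings declared but never used in the condition (YARA refuses such rules)."""
    strings_sec = src.split("strings:", 1)[1].split("condition:", 1)[0]
    cond_sec = src.split("condition:", 1)[1]
    declared = re.findall(r"(\$\w+)\s*=", strings_sec)
    refs = re.findall(r"\$\w*\*?", cond_sec)  # "$ns1" or a wildcard like "$api*"

    def referenced(name):
        return any(name == r or (r.endswith("*") and name.startswith(r[:-1]))
                   for r in refs)

    return [d for d in declared if not referenced(d)]

def build_sample(ascii_strings=(), wide_strings=()):
    """Constructed toy buffer: an MZ header followed by the given strings."""
    body = b"MZ" + b"\x00" * 62
    for s in ascii_strings:
        body += s.encode("ascii") + b"\x00"
    for s in wide_strings:
        body += s.encode("utf-16-le") + b"\x00\x00"
    return body

# Constructed stand-ins, not real samples: one carrying the injected namespaces,
# one that only shares the PDB name and two common wide strings with the loader.
TROJANIZED = build_sample(
    ascii_strings=["HackForums.gigajew", "Mandark", "VirtualMachineDetector",
                   "Microsoft.Win32.TaskScheduler.pdb", "VirtualAllocEx"],
    wide_strings=["CorpVPN", "EnableLUA", "conhost.exe"])
CLEAN_LOOKALIKE = build_sample(
    ascii_strings=["Microsoft.Win32.TaskScheduler.pdb"],
    wide_strings=["conhost.exe", "EnableLUA"])

if __name__ == "__main__":
    print("trojanized:", rule_condition(TROJANIZED), "clean:", rule_condition(CLEAN_LOOKALIKE))
    print("unreferenced before fix:", unreferenced_strings(rule_text(CONDITION_ORIGINAL)))
```

The clean look-alike buffer deliberately contains the PDB name plus "conhost.exe" and "EnableLUA", which a legitimate build of the library could plausibly also contain; it reaches only 2 of the $s* strings and none of the $api* strings, so the condition stays false. Swap in a buffer where a wide string appears only as ASCII and `matches()` will not report it, which is the reason the Portuguese strings and the MAC address are declared `wide` for a .NET binary.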

Why This Rule Is Needed

The existing win_xworm_w0 rule by jeFF0Falltrades targets the XWorm RAT client binary (looking for strings like "xworm", "XClient", "XLogger"). This proposed rule targets the upstream loader/dropper DLL — catching the infection earlier in the kill chain before the RAT payload is deployed. The two rules are complementary.

MITRE ATT&CK Coverage

T1055.012 (Process Hollowing), T1036.005 (Masquerading), T1497.001 (VM Detection), T1218.003 (CMSTP), T1547.001 (Registry Run Keys), T1053.005 (Scheduled Task), T1027.003 (Steganography)

Also Submitted To
