xxmm is malware that has been observed in use alongside other malware families, including Daserf and Datper, by the threat group BRONZE BUTLER. These malware families communicate with their command and control (C2) servers over HTTP, encrypting commands and data with specific algorithms. xxmm is also known as KVNDM and operates as a downloader, featuring code similar to its main payload. It downloads additional payloads such as Daserf, Datper, or another instance of xxmm in a compressed and encoded format, and typically executes the downloaded malware after decoding the file.
The xxmm malware exhibits sophisticated features designed to exploit and damage targeted systems. For instance, it incorporates a User Account Control (UAC) bypass tool for privilege escalation prior to stealing passwords. Furthermore, it includes an uploading feature that enables data exfiltration. Once this process is complete, the uploader (or Datper or xxmm) immediately uses the "del" command to delete the RAR archives, thereby covering its tracks.
CTU researchers have identified an xxmm builder, suggesting that threat actors customize xxmm settings for their specific targets. Several xxmm samples analyzed were found to incorporate Mimikatz, a powerful utility for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. This allows the threat actors to issue Mimikatz commands directly from within xxmm, increasing the potency of their attacks. As of this publication, the continued use of xxmm in cyber operations underlines its efficacy as a tool for cyber exploitation and data theft.
Description last updated: 2024-05-05T00:42:17.015Z