May 12, 2023 | Ravi Lakshmanan | Cyber Threat/Malware

Cybersecurity researchers have discovered an ongoing phishing campaign that utilizes a unique attack chain to deliver XWorm malware to targeted systems.

Securonix is tracking the activity cluster under the name MEME#4CHAN. Some of the attacks were primarily aimed at manufacturing companies and medical clinics located in Germany, according to the company.

“The attack campaign utilizes rather unusual meme-laden PowerShell code, which is then infected with a highly obfuscated XWorm payload,” security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov said in a new analysis shared with The Hacker News.

The findings build on a recent report from Elastic Security Labs, which uncovered reservation-themed lures used by threat actors to trick victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.


The attack starts with a phishing email distributing a decoy Microsoft Word document that, instead of using macros, is weaponized with the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.

From there, the attacker uses the PowerShell script to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and finally launch a .NET binary containing XWorm.


Interestingly, one of the variables in the PowerShell script is named “$CHOTAbheem”, which is likely a reference to Chhota Bheem, an Indian animated comedy-adventure television series.
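As an added example that is not part of the article or of Securonix's analysis, the following Python triage script scans PowerShell script-block log text (the kind recorded in Event ID 4104) for the stages of the chain described above: AMSI tampering, Defender tampering, persistence, a base64-decode-and-execute pattern, and the campaign-specific $CHOTAbheem variable. The sample log lines, the regexes and the placeholder values in them are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Script-block text as a defender would see it in the PowerShell Operational log (Event ID 4104).
# These lines are constructed for this example to mirror the stages the article lists; they
# were not captured from a real host, and the base64 value and file paths are placeholders.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (1, "$CHOTAbheem = 'aGVsbG8='; IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($CHOTAbheem)))"),
    (2, "$t = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); # rest omitted"),
    (3, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    (4, "Get-ChildItem C:\\Users\\alice\\Documents -Filter *.docx"),
    (5, "New-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name Updater -Value 'powershell -w hidden -f C:\\Users\\Public\\u.ps1'"),
]

# One regex per stage. meme4chan_var is the campaign-specific artifact from the article;
# the other rules are generic tamper, persistence and encoded-execution indicators.
RULES: Dict[str, re.Pattern] = {
    "amsi_tamper": re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer"),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+"),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b|Register-ScheduledTask|schtasks", re.I),
    "encoded_iex": re.compile(r"(IEX|Invoke-Expression).*FromBase64String", re.I),
    "meme4chan_var": re.compile(r"\$CHOTAbheem"),
}

def scan_events(events: List[Tuple[int, str]]) -> Dict[int, List[str]]:
    """Return {event_id: [rule names]} for every script block that hits at least one rule."""
    hits: Dict[int, List[str]] = {}
    for event_id, text in events:
        matched = [name for name, pattern in RULES.items() if pattern.search(text)]
        if matched:
            hits[event_id] = matched
    return hits

# Stages that, seen together in one logging session, reproduce the chain the article describes.
CHAIN_STAGES = {"amsi_tamper", "defender_tamper", "run_key_persistence", "encoded_iex"}

def session_verdict(hits: Dict[int, List[str]]) -> str:
    """'high' when two or more distinct chain stages appear, 'medium' for one, else 'clean'."""
    stages = {name for names in hits.values() for name in names} & CHAIN_STAGES
    if len(stages) >= 2:
        return "high"
    return "medium" if stages else "clean"

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for event_id, names in sorted(found.items()):
        print(f"event {event_id}: {', '.join(names)}")
    print("verdict:", session_verdict(found))  # prints "verdict: high" for the sample
```

The $CHOTAbheem rule alone never raises the verdict; it is a low-cost tag for this campaign, while the verdict rests on the generic stages so that a renamed variable does not evade it.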

“A quick look suggests that the individual or group involved in the attack may have a Middle Eastern or Indian background, but final attribution has yet to be confirmed,” the researchers told The Hacker News, pointing out that such keywords could also have been included as a cover.

XWorm is commodity malware that is advertised for sale on underground forums and comes with a wide range of features that allow it to siphon sensitive information from infected hosts.


This malware is also a Swiss Army knife in that it can perform clipper, DDoS and ransomware operations, spread via USB and drop additional malware.

The exact origin of the threat actor is currently unknown, but Securonix said the attack technique shares artifacts with TA558, which has been observed targeting the hospitality industry in the past.

“Since Microsoft made the decision to disable macros by default, Microsoft Office documents are rarely used in phishing emails, but we have still seen cases of malicious document files, in this case with VBScript execution. We still see evidence that it is important to be vigilant about macros,” the researchers said.


Copyright ©️ All rights reserved. | Blue Training Academy Blog