A new attack propagates the XWorm malware via the Follina flaw

June 6, 2023
Cyberattack Propagation XWorm Malware Follina Flaw Vulnerability Exploit

A newly discovered phishing campaign has leveraged the Follina vulnerability to distribute the XWorm malware on targeted systems. Researchers who tracked the attack cluster named it MEME#4CHAN.

According to researchers, some of the attacks in the current campaign have targeted healthcare clinics and manufacturing companies in Germany. The attack leverages meme-packed PowerShell code, followed by an obfuscated XWorm payload, to infect its victims.

A separate researcher backed the new findings by revealing that the threat actors adopt reservation-themed lures to prompt victims into accessing malicious documents that could deliver Agent Tesla and XWorm payloads.

The XWorm malware operators start their attacks through a phishing campaign.

The XWorm attackers initiated their campaign with phishing emails spreading decoy MS Word documents that weaponise the Follina vulnerability instead of relying on macros. The flaw then allows the attackers to drop an obfuscated PowerShell script.

The threat actors then use the PowerShell script to evade anti-malware solutions, disable Microsoft Defender, establish persistence, and deploy the .NET binary that contains the XWorm malware.
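The chain described above (Office document, Follina, hidden PowerShell, Defender tampering, persistence, with the $CHOTAbheem variable as a campaign marker) maps onto a few process-creation checks a defender can run over endpoint logs. The following is an added example, not code from the article or the researchers; the `parent|child|command line` record layout and the sample events are constructed for the example and are not any product's real log format.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample process-creation events: parent|child|command line.
SAMPLE_EVENTS = [
    "WINWORD.EXE|msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic /skip force",
    "msdt.exe|powershell.exe|powershell.exe -w hidden -c \"$CHOTAbheem='x'; IEX $CHOTAbheem\"",
    "powershell.exe|powershell.exe|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe|schtasks.exe|schtasks.exe /create /sc minute /tn Updater /tr C:\\Users\\Public\\x.exe",
    "explorer.exe|WINWORD.EXE|WINWORD.EXE C:\\Users\\me\\Documents\\notes.docx",  # benign
    "explorer.exe|powershell.exe|powershell.exe Get-Process",                   # benign
]

# Each rule names one stage of the chain; predicates get lower-cased image
# names and the raw command line.
RULES = [
    ("follina_delivery", lambda p, c, cl: p in OFFICE_APPS
        and (c == "msdt.exe" or "ms-msdt:" in cl.lower())),
    ("office_spawns_shell", lambda p, c, cl: p in OFFICE_APPS
        and c in {"powershell.exe", "cmd.exe"}),
    ("hidden_powershell", lambda p, c, cl: c == "powershell.exe"
        and re.search(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s", cl, re.I)),
    ("defender_tamper", lambda p, c, cl:
        re.search(r"Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion", cl, re.I)),
    ("persistence", lambda p, c, cl: (c == "schtasks.exe" and "/create" in cl.lower())
        or re.search(r"reg(\.exe)?\s+add\b.*\\Run\b", cl, re.I)),
    ("meme4chan_marker", lambda p, c, cl: "$CHOTAbheem" in cl),  # variable named in the report
]


def classify(event: str) -> set[str]:
    """Return the set of chain stages a single event matches."""
    parent, child, cmdline = event.split("|", 2)
    p, c = parent.lower(), child.lower()
    return {name for name, pred in RULES if pred(p, c, cmdline)}


def scan(events) -> dict[str, list[int]]:
    """Map each matched stage to the indices of the events that triggered it."""
    hits: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for stage in classify(ev):
            hits.setdefault(stage, []).append(i)
    return hits


def chain_detected(events) -> bool:
    """True when Follina delivery and at least one post-exploitation stage co-occur."""
    stages = set(scan(events))
    return "follina_delivery" in stages and bool(stages & {"hidden_powershell", "defender_tamper", "persistence"})
```

Running `scan(SAMPLE_EVENTS)` attributes each stage to the sample event that produced it, while the two benign events match nothing; `chain_detected` is the correlation a SOC would alert on rather than any single rule.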

The attack also hints at its origins: the researchers observed variables in the PowerShell script named $CHOTAbheem, a direct reference to the Indian animated comedy adventure TV series Chhota Bheem, which suggests the malware operators could be Indian.

However, the researchers could not confirm this, as they have only been able to place the campaign in Middle Eastern or Indian territory. The final attribution of the attack therefore remains unconfirmed.

XWorm is a commodity malware that its developers advertise on underground forums. It includes various capabilities for harvesting sensitive data from infected hosts, and it is a versatile tool that can act as a clipper, a DDoS tool, and ransomware; it also spreads through USB drives and drops additional malware strains.

The backgrounds of the malware operators remain unclear. However, the researchers claimed that the campaign's attack methodology overlaps with that of TA558, a notorious group that targets the hospitality sector.
