Some researchers Cyber security experts have discovered an ongoing phishing campaign that uses a series of attacks to spread the XWorm malware into some computer systems.
Xworm, a very curious malware
Securonix, that’s it monitoring the business cluster with the name MEME#4CHAN, said some of the attacks mainly targeted manufacturing companies and health clinics located in Germany.
“The attack campaign used PowerShell code filled with rather unusual memes, followed by a heavily obfuscated XWorm payload to infect its victims“, they have said security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov in their analysis.
The report is based on recent discoveries by Elastic Security Labs, which revealed reservation-themed lures used by attackers to trick victims into clicking on malicious documents capable of transmitting XWorms and Agent Tesla.
The attacks begin with phishing scams to distribute decoy Microsoft Word documents that, instead of using macros, take advantage of the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop a well camouflaged PowerShell script.
From there, the threat actors abuse the PowerShell script to bypass the Malware Scanning Interface (AMSI), disable Microsoft Defender, establish persistence, and finally launch the .NET binary containing XWorm.
Interestingly, one of the variables in the PowerShell script is called “$CHOTAbheem”, probably a reference to Chhota Bheeman Indian animated adventure comedy television series.
“Based on a quick check, it appears that the individual or group responsible for the attack may have Middle Eastern/Indian origin, although the final attribution has not yet been confirmedthe researchers said at, highlighting that such keywords could also be used as a hedge.
XWorm is malware from commodity type which is advertised for sale on niche forums and has a wide range of features that allow it to steal sensitive information from infected hosts.
The malware is also a Swiss army knife as it can perform clipper, DDoS and ransomware operations, spread via USB and drop additional malware.
The exact origins of the malware authors are currently unclear, although Securonix said the attack methodology shares artifacts similar to those of TA558which has been observed affecting the hospitality industry in the past.
“Anthat while phishing emails rarely use Microsoft Office documents since Microsoft decided to disable macros by default, today we see evidence that it’s still important to be vigilant about malicious document files, especially in this case where they don’t there was execution of VBscript from macrosthe researchers said.
Be careful what you download and what you buy on the internet
This fact highlights the importance of being aware of cyber risks and remaining vigilant when receiving suspicious emails or attached documents from untrusted sources. It also demonstrates how cyberattacks are becoming more sophisticated and targeted, with the use of advanced malware and social engineering techniques.
It is important for businesses to adopt a proper cyber security strategy to protect their data and systems from such threats.
Among other things, you also need to be careful about what you buy “off the books” over the internet, maybe you expect a finished GTA V account, but you find yourself Xworm, to understand.
#Xworm #curious #phishing #malware #memes