A new XWorm campaign has been identified targeting businesses in Brazil and across Latin America. The operation uses fake financial receipts to deliver XWorm v5.6, a remote access trojan (RAT) that can steal credentials, hijack browser sessions, and serve as a foothold for follow-on ransomware deployment.
Deceptive Distribution Techniques
Researcher Moises Cerqueira found that the campaign begins with a file named to look like a Bradesco bank receipt. The name uses a double extension (.pdf.js): because Windows Explorer hides known extensions by default, a file called receipt.pdf.js is displayed as receipt.pdf, so the victim believes they are opening a PDF. In reality the file is JScript run by Windows Script Host (wscript.exe) and acts as a dropper. It is padded to roughly 1.2 MB, a size at which some scanners skip or truncate static analysis.
The embedded JavaScript is obfuscated with Unicode junk injection: the malicious logic is spread across strings stuffed with emojis and other non-ASCII characters, so signature- and pattern-based controls fail to match while the script still runs correctly once the junk is stripped at runtime.
Advanced Malware Execution Strategy
Once the script runs, it launches PowerShell to download the next stage from a Cloudinary URL. Cloudinary is a legitimate image-hosting CDN, so the request looks like ordinary web traffic. The downloaded object is an image file that carries a .NET assembly hidden inside it; the assembly is loaded directly in memory rather than written to disk, so file-based antivirus scanning never sees it.
The script locates the hidden payload by searching the downloaded bytes for fixed delimiter strings and reconstructing the assembly from what lies between them. It then runs further PowerShell commands through Windows Management Instrumentation (WMI). Launching through WMI (for example Win32_Process.Create) means the new PowerShell process is parented by the WMI provider host rather than by the script, which defeats detections that rely only on the script-host-to-PowerShell parent-child chain and keeps the activity out of view of basic process monitoring.
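The following is an added example, not code from the article or from the researcher's analysis. It shows, from the analyst's side, what "an image file that conceals a .NET assembly" and "delimiter-based reconstruction" look like in practice: it builds a structurally valid PNG, appends a base64 blob between marker strings after the IEND chunk, and then carves it back out the way a triage script would. The delimiter strings, the minimal PNG and the "MZ" stand-in payload are all constructed for this example; the campaign's real markers and image are not given in the article.

```python
import base64
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed delimiters for this example; the real campaign's markers are not published here.
START_MARK = b"<<BASE64_START>>"
END_MARK = b"<<BASE64_END>>"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A structurally valid 1x1 RGB PNG (constructed sample, not a real picture)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, ...
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the chunk list and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length          # length + type + data + crc
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_bytes(data: bytes) -> int:
    """How many bytes follow IEND. A normal PNG has zero; a carrier image does not."""
    end = png_end_offset(data)
    return 0 if end is None else len(data) - end


def carve_appended_payload(data: bytes) -> Optional[bytes]:
    """Return the base64-decoded payload found between START_MARK and END_MARK after IEND."""
    end = png_end_offset(data)
    if end is None:
        return None
    trailing = data[end:]
    s = trailing.find(START_MARK)
    if s == -1:
        return None
    e = trailing.find(END_MARK, s + len(START_MARK))
    if e == -1:
        return None
    return base64.b64decode(trailing[s + len(START_MARK):e])


# Constructed stand-in for the hidden .NET assembly: an MZ header plus a label.
FAKE_ASSEMBLY = b"MZ" + b"\x90" * 14 + b"constructed-stand-in-not-a-real-assembly"
CLEAN_PNG = make_minimal_png()
CARRIER_PNG = CLEAN_PNG + START_MARK + base64.b64encode(FAKE_ASSEMBLY) + END_MARK

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG)):
        payload = carve_appended_payload(blob)
        print(f"{name}: {trailing_bytes(blob)} bytes after IEND, "
              f"carved={'MZ' if payload and payload.startswith(b'MZ') else None}")
```

The useful defensive observation is the first check, not the second: an image viewer renders the carrier file perfectly because it stops at IEND, so a proxy or sandbox that simply measures bytes after the last chunk catches this class of carrier without knowing the attacker's delimiters at all.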
Implications and Defense Strategies
The final stage deploys XWorm v5.6 inside CasPol.exe, the Microsoft-signed Code Access Security Policy tool that ships with the .NET Framework. Running under a trusted, signed binary is a 'Living off the Land' technique: the RAT's access to browser sessions and stored credentials appears to come from a legitimate system utility rather than from an unknown executable.
Security experts recommend that organizations put monitoring in place for this chain rather than for any single file hash. That means alerting when a script host (wscript.exe or cscript.exe) is launched with a double-extension filename and then spawns PowerShell, when PowerShell appears as a child of the WMI provider host, when script hosts or PowerShell make outbound connections to image-hosting CDNs, and when CasPol.exe is started by a script or PowerShell parent or from anywhere other than its .NET Framework directory.
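As an added example (not from the article or the researcher), here is the monitoring logic described above expressed as rules over process-creation events. The events are constructed Sysmon-style records (Event ID 1 fields flattened to dictionaries) that walk through the chain: double-extension script launched by wscript.exe, PowerShell spawned by it, PowerShell relaunched via WMI (parent WmiPrvSE.exe), and CasPol.exe started by PowerShell. The file names, user path and command lines are illustrative; the only real paths are the standard Windows locations of wscript.exe, powershell.exe, WmiPrvSE.exe and CasPol.exe.

```python
import re
from typing import Dict, List, Tuple

# Double extension: a document/image extension immediately followed by a script extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.(js|jse|vbs|vbe|wsf|hta)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# CasPol.exe legitimately lives under %WINDIR%\Microsoft.NET\Framework[64]\v*\ only.
DOTNET_FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers (empty list = benign)."""
    hits: List[str] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    parent_cmd = ev.get("ParentCommandLine", "")

    # Rule 1: a script host was launched with a double-extension script.
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("double_extension_script_launched")
    # Rule 2: PowerShell spawned by a script host that is running a double-extension script.
    if image in POWERSHELL and parent in SCRIPT_HOSTS and DOUBLE_EXT.search(parent_cmd):
        hits.append("double_ext_script_to_powershell")
    # Rule 3: PowerShell parented by the WMI provider host (Win32_Process.Create and friends).
    if image in POWERSHELL and parent == "wmiprvse.exe":
        hits.append("powershell_via_wmi")
    # Rule 4: CasPol.exe from an unexpected location or an unexpected parent.
    if image == "caspol.exe":
        if not DOTNET_FRAMEWORK_DIR.match(ev.get("Image", "")):
            hits.append("caspol_unusual_path")
        if parent in POWERSHELL | SCRIPT_HOSTS:
            hits.append("caspol_from_script_parent")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over a batch and keep only the events that fired a rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


# Constructed sample events; only the system binary paths are real.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # victim double-clicks the "receipt"
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\comprovante_bradesco.pdf.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # the dropper starts PowerShell to fetch the image from the CDN
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -ep bypass",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\comprovante_bradesco.pdf.js"',
    },
    {   # next stage relaunched through WMI, so the parent is WmiPrvSE.exe
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -nop -w hidden -ep bypass",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
    },
    {   # CasPol.exe at its legitimate path, but started by PowerShell
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
        "CommandLine": r"CasPol.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # benign: an admin runs PowerShell interactively
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe Get-Date",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

Rule 4 is the one worth tuning before it goes live: CasPol.exe is rarely run on workstations at all, so a parent of powershell.exe or a script host is a strong signal on its own, whereas the path check mainly catches copies dropped elsewhere and should be paired with the signature check on the binary.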
Beyond these alerts, businesses should invest in real-time detection and response so that a script-host-to-PowerShell chain can be stopped before the in-memory assembly and the RAT are ever loaded. Understanding the specific tactics of this campaign gives defenders concrete signals to hunt for against similar threats.
