XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

May 12, 2023 | Ravie Lakshmanan | Cyber Threat / Malware


Cybersecurity researchers have discovered an ongoing phishing campaign that uses a novel attack chain to deliver the XWorm malware on targeted systems.

Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.

“The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News.

The report builds on recent findings from Elastic Security Labs, which revealed the threat actor’s reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.


The attacks begin with phishing attacks to distribute decoy Microsoft Word documents that, instead of using macros, weaponize the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.

From there, the threat actors abuse the PowerShell script to bypass Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.
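Because the lure documents rely on Follina rather than macros, a macro-focused scan misses them; a defender can instead inspect the document's relationship file for the external oleObject relationship the Follina technique depends on. The following is an added example (not Securonix's or Elastic's tooling) that scans a .docx for that indicator; the sample documents, the placeholder host lure.invalid and the function names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# A Follina (CVE-2022-30190) lure needs no macros: the .docx carries an
# external oleObject relationship that points at remote content, which in
# turn invokes the ms-msdt: protocol handler. Relationships live at this
# path inside the OOXML zip container:
RELS_PATH = "word/_rels/document.xml.rels"
OLE_TYPE_SUFFIX = "/relationships/oleObject"
HANDLER_SCHEMES = ("ms-msdt:", "search-ms:")


def scan_docx(data: bytes) -> list:
    """Return a list of findings for a .docx given as bytes (empty = clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if RELS_PATH not in z.namelist():
            return findings
        root = ET.fromstring(z.read(RELS_PATH))
    for rel in root:  # each child is a <Relationship .../> element
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "").lower() == "external"
        if target.strip().lower().startswith(HANDLER_SCHEMES):
            findings.append(f"protocol-handler target: {target}")
        elif external and rel.get("Type", "").endswith(OLE_TYPE_SUFFIX):
            findings.append(f"external oleObject relationship: {target}")
    return findings


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx container for testing, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Constructed samples: an ordinary hyperlink, and a Follina-style external
# oleObject pointing at a placeholder host.
BENIGN_RELS = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" '
               f'Type="{DOC}/hyperlink" Target="https://example.com/" '
               'TargetMode="External"/></Relationships>')
FOLLINA_STYLE_RELS = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId5" '
                      f'Type="{DOC}/oleObject" Target="http://lure.invalid/x.html" '
                      'TargetMode="External"/></Relationships>')
```

Ordinary external hyperlinks are left alone; only external oleObject relationships and protocol-handler targets are reported, so the check can run over mail-gateway attachments with few false positives.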


Interestingly, one of the variables in the PowerShell script is named “$CHOTAbheem,” which is likely a reference to Chhota Bheem, an Indian animated comedy adventure television series.

“Based on a quick check, it appears that the individual or group responsible for the attack could have a Middle Eastern/Indian background, although the final attribution has not yet been confirmed,” the researchers told The Hacker News, pointing out that such keywords could be used as a cover.

XWorm is a commodity malware that is advertised for sale on underground forums and comes with a wide range of features that allows it to siphon sensitive information from infected hosts.



The malware is also a Swiss Army knife in that it can perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware.

The exact origins of the threat actor are currently unclear, although Securonix said the attack methodology shares artifacts similar to that of TA558, which has been observed striking the hospitality industry in the past.

“Though phishing emails rarely use Microsoft Office documents since Microsoft made the decision to disable macros by default, today we’re seeing evidence that it’s still important to be vigilant about malicious document files, especially in this case where there was no VBscript execution from macros,” the researchers said.
