XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Cyber Security Threat Summary:
“Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. ‘The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,’ security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis. The report builds on recent findings from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads” (The Hacker News, 2023).

In the latest campaign, the actors are leveraging decoy Microsoft Word documents that weaponize the Follina vulnerability (CVE-2022-30190, the Microsoft Support Diagnostic Tool (MSDT) remote code execution flaw) to deploy an obfuscated PowerShell script. The document triggers the ms-msdt: protocol handler without any macro, so macro-blocking controls do not stop it. The script is designed to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.
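A detection-side counterpart to that chain, added here as an example and not code from the Securonix or Elastic reports: the script below scores process-creation events for the tell-tale Follina tree (an Office application spawning msdt.exe with a ms-msdt: PCWDiagnostic URI, then PowerShell launched from the diagnostics host) and for well-known AMSI-tampering strings in PowerShell command lines. The event records are constructed, Sysmon-style samples; the field names, the list of Office parent processes and the indicator patterns are assumptions chosen for illustration, not indicators published for this campaign.

```python
"""Score process-creation events for the Follina (CVE-2022-30190) delivery
chain. Added example; the events, field names and patterns are assumptions."""
import re
from dataclasses import dataclass

# Office binaries a malicious document would run under (assumed allow-list,
# not exhaustive).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Processes that host the troubleshooting pack and run its PowerShell.
DIAG_HOSTS = {"msdt.exe", "sdiagnhost.exe"}

# ms-msdt: URI pointing at the Program Compatibility troubleshooter pack.
MSDT_URI = re.compile(r"ms-msdt:.*PCWDiagnostic", re.IGNORECASE | re.DOTALL)
# Generic in-memory AMSI tamper strings (widely published, not campaign-specific).
AMSI_TAMPER = re.compile(r"amsiInitFailed|AmsiScanBuffer|AmsiUtils", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str   # Sysmon EID 1 ParentImage (assumed field)
    image: str          # Sysmon EID 1 Image (assumed field)
    command_line: str   # Sysmon EID 1 CommandLine (assumed field)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event looks like the Follina chain."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    reasons = []
    if parent in OFFICE_PARENTS and child == "msdt.exe":
        reasons.append("office-app spawned msdt.exe")
    if child == "msdt.exe" and MSDT_URI.search(ev.command_line):
        reasons.append("msdt launched with ms-msdt PCWDiagnostic URI")
    if child in POWERSHELL and parent in DIAG_HOSTS:
        reasons.append("powershell spawned from diagnostics host")
    if child in POWERSHELL and AMSI_TAMPER.search(ev.command_line):
        reasons.append("powershell command line contains AMSI-tamper string")
    return reasons


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggered at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events: 0 and 3 are benign, 1 and 2 mimic the chain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docx'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\msdt.exe",
              r'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force '
              r'/param "IT_RebrowseForFile=? IT_BrowseForFile=$(Invoke-Expression(...))"'),
    ProcEvent(r"C:\Windows\System32\sdiagnhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -ep bypass -c ...amsiInitFailed..."),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -Command Get-Date"),
]

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The rules are deliberately independent so that a single event can trigger more than one; in a SIEM you would key them on the process tree rather than on the command line alone, since the PowerShell stage is often encoded and the diagnostics-host parent is the more stable signal.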

“Though phishing emails rarely use Microsoft Office documents since Microsoft made the decision to disable macros by default, today we're seeing proof that it is still important to be vigilant about malicious document files, especially in this case where there was no VBScript execution from macros,” stated researchers in their report.

Security Officer Comments:
For its part, XWorm can spread via USB drives and is capable of clipper, DDoS, and ransomware operations, in addition to deploying other payloads. As of writing, attribution is unclear. Researchers did note that one of the variables in the PowerShell script deployed by the actors is named "$CHOTAbheem," likely a reference to Chhota Bheem, an Indian animated comedy adventure television series. This suggests that the individual or group responsible for the latest attacks may be of Middle Eastern/Indian origin.

“The exact origins of the threat actor are currently unclear, although Securonix said the attack methodology shares artifacts similar to that of TA558, which has been observed striking the hospitality industry in the past” (The Hacker News, 2023).

Suggested Correction(s):
Organizations should keep their systems up to date and apply patches as soon as fixes become available for flaws like CVE-2022-30190 (Microsoft shipped a fix in its June 2022 security updates; its earlier published workaround was to disable the ms-msdt URL protocol handler). Because the latest campaign uses phishing emails as the initial infection vector, it is also important to train users and employees to recognize such lures and to avoid opening attachments or clicking links in unexpected emails from unknown senders. Note that Office's default blocking of macros does not help here, since these documents trigger Follina without any macro code.

Link(s):
https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html