Overview of the XWorm phishing campaign infection chain | Image: Fortinet
A new phishing campaign is exploiting an old vulnerability, using malicious Excel files to deploy the potent XWorm Remote Access Trojan (RAT). A recent investigation by FortiGuard Labs has uncovered a multi-stage attack that targets victims with business-themed lures, ultimately handing attackers full control over compromised Windows systems.
The attack starts with a classic social engineering tactic: a sense of urgency. Victims receive emails disguised as payment requests, purchase orders, or bank documents. Interestingly, these emails often come with a deceptive subject line claiming “Virus detected,” likely an attempt to bypass spam filters or confuse the recipient.
“These emails use common business-themed lures to encourage recipients to open the attached file,” the report explains.
Attached to these emails is a malicious Excel add-in file (.XLAM). When opened, the file exploits a known vulnerability in the Microsoft Equation Editor (CVE-2018-0802) to trigger a hidden chain reaction.
Once the exploit runs, the malware works hard to stay hidden. It downloads an HTA (HTML Application) file, which executes a PowerShell script. This script then downloads a JPEG image that contains a hidden secret: a “fileless .NET module” embedded inside the image data.
“The payload is never written to a local file; instead, it remains in the memory of the PowerShell.exe process,” FortiGuard Labs notes.
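The report says only that the .NET module is embedded in the downloaded image's data and never touches disk; it does not say how it is encoded. A defender triaging such a JPEG can still check the two usual hiding places: bytes appended after the End-Of-Image marker, and a long base64 blob somewhere in the file. The following Python is an added example, not FortiGuard's code; the minimal JPEG it builds is constructed, and the "MZ" and base64 checks are assumptions about how a module might be stored, not details from the report.

```python
"""Triage a downloaded JPEG for a payload hidden in the image data.
Added example; the JPEG built below is constructed, and the two checks
(appended bytes after EOI, long base64 run) are assumptions about how
a .NET module might be stored, since the report does not say."""
import re

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# 200+ base64 characters in a row essentially never occur in compressed scan data.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def find_image_end(data: bytes) -> int:
    """Offset just past the EOI marker that closes the main image.

    Walks the segment headers up to the first SOS so that the EOI of an
    embedded EXIF thumbnail is not mistaken for the real end of image.
    Simplification: the first FF D9 after SOS is taken as the EOI, which
    holds because entropy-coded data byte-stuffs every FF as FF 00.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:            # SOS: scan data follows until EOI
            end = data.find(EOI, pos)
            if end == -1:
                raise ValueError("truncated JPEG: no EOI after SOS")
            return end + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone marker, no length field
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
    raise ValueError("malformed JPEG: no SOS segment")


def triage(data: bytes) -> dict:
    """Summarise what, if anything, sits outside the real image."""
    end = find_image_end(data)
    trailer = data[end:]
    b64 = BASE64_RUN.search(data)
    return {
        "image_bytes": end,
        "trailer_bytes": len(trailer),
        "trailer_is_pe": trailer.startswith(b"MZ"),   # raw executable appended
        "base64_run": len(b64.group(0)) if b64 else 0,
    }


def is_suspicious(report: dict) -> bool:
    return report["trailer_bytes"] > 0 or report["base64_run"] > 0


def minimal_jpeg() -> bytes:
    """Smallest structurally valid JPEG for testing (constructed, not real)."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"   # FF inside scan data is stuffed as FF 00
    return SOI + app0 + sos + scan + EOI


if __name__ == "__main__":
    clean = minimal_jpeg()
    # Constructed: a PE-looking blob appended after the image.
    stego = clean + b"MZ" + b"\x90" * 100
    for name, sample in (("clean", clean), ("appended", stego)):
        report = triage(sample)
        print(name, report, "SUSPICIOUS" if is_suspicious(report) else "ok")
```

The point of walking the segment headers rather than searching for the first FF D9 is that EXIF thumbnails carry their own SOI/EOI pair, so a naive search would report most camera photos as carrying a trailer. A hit here is a triage signal, not proof of the specific module the report describes; the trailer bytes still need to be examined to see what they are.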
This “fileless” technique allows the malware to evade traditional antivirus scanners that look for malicious files on the hard drive. Finally, the malware uses a technique called “process hollowing” to inject the XWorm payload into a legitimate system process, Msbuild.exe, effectively masking its activity behind a trusted Windows component.
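The chain described above leaves a distinctive parent/child trail in process-creation telemetry: the Equation Editor host spawning an HTA host, the HTA host spawning PowerShell, and PowerShell spawning MSBuild. The following Python is an added example, not FortiGuard's code, that flags those edges in Sysmon-style events and reconstructs the lineage of each hit. The image names, paths and events are constructed; the assumptions that Equation Editor appears as EQNEDT32.EXE started by a DCOM svchost.exe and that the HTA runs under mshta.exe are mine, not the report's.

```python
"""Flag the process lineage described in the article: Equation Editor
exploit -> HTA host -> PowerShell -> MSBuild. Added example, not
FortiGuard's code; the telemetry below is constructed, not real."""
import json

# Parent -> child pairs that should not occur on a healthy workstation.
# Image names are assumptions about how each stage shows up in
# process-creation telemetry (Sysmon Event ID 1 or equivalent):
# EQNEDT32.EXE hosts the Equation Editor, mshta.exe runs .HTA files.
SUSPICIOUS_EDGES = {
    ("eqnedt32.exe", "mshta.exe"): "Equation Editor launched an HTA host",
    ("eqnedt32.exe", "powershell.exe"): "Equation Editor launched PowerShell",
    ("eqnedt32.exe", "cmd.exe"): "Equation Editor launched a shell",
    ("mshta.exe", "powershell.exe"): "HTA host launched PowerShell",
    ("powershell.exe", "msbuild.exe"): "PowerShell launched MSBuild (hollowing host)",
}
# The Equation Editor renders equations; any child process at all is odd.
EXPLOIT_HOST = "eqnedt32.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lineage(events: list[dict], pid: int) -> list[str]:
    """Image names from `pid` up to the root, following ParentProcessId."""
    by_pid = {e["ProcessId"]: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:   # `seen` guards against PID reuse loops
        seen.add(pid)
        names.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid].get("ParentProcessId")
    return names


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per event whose parent/child edge matches the chain."""
    alerts = []
    for e in events:
        parent, child = basename(e.get("ParentImage", "")), basename(e.get("Image", ""))
        reason = SUSPICIOUS_EDGES.get((parent, child))
        if reason is None and parent == EXPLOIT_HOST:
            reason = "Equation Editor spawned a child process"
        if reason:
            alerts.append({"pid": e["ProcessId"], "parent": parent, "child": child,
                           "reason": reason, "lineage": lineage(events, e["ProcessId"])})
    return alerts


# Constructed sample telemetry (Sysmon Event ID 1-like JSON lines); not from
# the report. Equation Editor is started via DCOM, so svchost.exe, not Excel,
# appears as its parent (assumption about how Office launches the OLE server).
SAMPLE_LOG = r"""
{"ProcessId": 700, "ParentProcessId": 600, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"ProcessId": 4120, "ParentProcessId": 1500, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 4300, "ParentProcessId": 700, "Image": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"ProcessId": 4388, "ParentProcessId": 4300, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"}
{"ProcessId": 4412, "ParentProcessId": 4388, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe"}
{"ProcessId": 4500, "ParentProcessId": 4412, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ProcessId": 5000, "ParentProcessId": 2000, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe"}
"""

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(f"pid {alert['pid']}: {alert['reason']}  <- {' <- '.join(alert['lineage'])}")
```

A single matching edge is a high-confidence signal on its own, and the lineage gives the analyst the whole chain to scope the incident from. The developer-started MSBuild in the sample is deliberately not flagged: MSBuild is a legitimate tool, and it is the PowerShell parent, not the image name, that marks the hollowed instance. Process hollowing does not change the process name, so an MSBuild.exe whose parent is PowerShell is the observable handle on the final stage.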
The payload, identified as XWorm version 7.2, is a Swiss Army knife for cybercriminals. It communicates with a Command and Control (C2) server using AES-encrypted packets, making its traffic difficult to inspect.
Once active, XWorm gives attackers a terrifying array of capabilities:
- System Control: “Remotely control the victim’s system using input devices (mouse and keyboard) and record the screen”.
- Surveillance: “Control the camera, microphone, and audio devices on the compromised system”.
- Data Theft: “Collect sensitive data from the victim’s device, including credentials, cookies, autofill data, login tokens… and more”.
- Ransomware & DDoS: The malware can even “Perform ransomware attacks” or control the device to launch “DDoS attacks” against other targets.
With over 50 plugins available to extend its functionality, XWorm represents a “mature and highly modular threat” that continues to evolve.