Xloader Malware Delivered via Sophisticated SharePoint Attack

The Sublime Threat Research Team has uncovered a malicious SharePoint impersonation campaign delivering Xloader malware, also known as Formbook, through an intricate link-based attack. This sophisticated operation relied on brand impersonation, layered obfuscation, and advanced process injection to evade detection and compromise systems.

The attack started with an email posing as a legitimate SharePoint message, featuring a fake “Open Files” button. This link redirected users to a malicious .zip file hosted outside SharePoint. The contents revealed a binary named document.exe, leading to further malicious activity.

Sublime’s advanced detection capabilities flagged the message due to multiple suspicious indicators, including:

• Microsoft brand impersonation: Fake logos and SharePoint templates were detected using computer vision.
• Unusual sender domains: The sender domain did not match link destinations.
• Credential theft language: The message included social engineering language designed to harvest credentials.

“Sublime’s LinkAnalysis service followed the URL and redirects, downloaded the files at the destination, exploded the file, and analyzed it for attempts to deliver malware,” the team stated.

The malicious document.exe file was analyzed and identified as an AutoIT script, a legitimate scripting language often abused by attackers. According to Sublime’s analysis:

• The AutoIT script contained obfuscated shellcode, which leveraged key anti-analysis tricks such as the GetTickCount and Sleep methods to evade emulation.
• Using Ghidra and x32dbg, researchers observed the script injecting itself into processes like svchost.exe and netsh.exe, a hallmark of malware loaders.
• A unique file, labeled “lecheries”, was identified in the temp directory, enabling further tracking of the malware’s behavior.

The presence of critical APIs such as CreateProcessW, VirtualAlloc, and SetThreadContext suggested sophisticated process injection, an evasion technique often associated with malware families like Xloader.

Through deeper dynamic analysis and OSINT validation, Sublime’s researchers linked the payload to Xloader, an infamous information stealer known for:

• Credential theft (harvesting keystrokes, user credentials, and screenshots).
• Multiple process injections, notably into explorer.exe.
• Double loading of ntdll.dll for evasion, a known tactic for bypassing detection tools.

These findings were corroborated by previous Xloader research, including blogs by Zscaler and Vlad Baglai, which detailed similar tactics involving Base64 registration strings prepended with “PKT2.”

Interestingly, Sublime’s analysis also pointed to TrickGate, a well-documented malware packer that has been active for years. TrickGate has a known history of:

• Deploying Xloader/Formbook as its payload.
• Leveraging AutoIT for initial infection stages.

With moderate confidence, the team stated: “The initial AutoIT and shellcode components are related to TrickGate. TrickGate has been documented specifically deploying Xloader and utilizing techniques with high similarity to our sample.”

Related Posts:

• Sublime, Vim, Emacs, Gedit, pico/nano text editor exisit privilege escalation vulnerability
• Microsoft’s September Patch Tuesday: A Patchwork of Urgency with 4 Zero-Days Under Attack
• CVE-2024-38094 Exploited: Attackers Gain Domain Access via Microsoft SharePoint Server
• Privilege Escalation with Microsoft SharePoint Server PoC + Exploit