Cybersecurity researchers have discovered an ongoing phishing campaign that leverages a unique attack chain to deliver XWorm malware on targeted systems.
Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks mainly targeted manufacturing companies and health clinics located in Germany.
“The attack campaign has leveraged PowerShell code containing a somewhat unusual meme, followed by a disguised XWorm payload to infect its victims,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News.
The report builds on recent findings from Elastic Security Labs, which disclosed a threat actor's use of reservation-themed lures to trick victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.
The attack starts with phishing emails that distribute Microsoft Word decoy documents which, instead of using macros, weaponize the Follina vulnerability (CVE-2022-30190, CVSS score: 7.8) to drop obfuscated PowerShell scripts.
From there, the threat actors abuse the PowerShell scripts to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and finally launch the .NET binary that contains XWorm.
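As an added defensive example (not code from Securonix, Elastic Security Labs or The Hacker News), the Python check below triages a .docx for the document-side artifacts of the Follina delivery described above: an external OLE-object relationship in the package, or a literal `ms-msdt:` URI. The external-oleObject heuristic is an assumption about how such lures are typically built, and the sample document and its URL are constructed fixtures.

```python
"""Triage a .docx for Follina (CVE-2022-30190) delivery artifacts.

Two heuristics: (1) word/_rels/document.xml.rels contains an oleObject
relationship with TargetMode="External" (Word fetching an object from a
URL), and (2) the string "ms-msdt:" appears anywhere in the package.
Added defensive example; the heuristics are the author's assumptions."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")
RELS_PATH = "word/_rels/document.xml.rels"


def triage_docx(data: bytes) -> list:
    """Return a list of findings for the .docx bytes (empty = nothing flagged)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Heuristic 1: a benign document rarely needs an OLE object from a URL.
        if RELS_PATH in names:
            root = ET.fromstring(zf.read(RELS_PATH))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                    findings.append(f"external oleObject -> {rel.get('Target')}")
        # Heuristic 2: the MSDT URI scheme embedded directly in any package part.
        for name in names:
            if re.search(rb"ms-msdt:", zf.read(name), re.IGNORECASE):
                findings.append(f"ms-msdt URI in {name}")
    return findings


def build_sample(target: str) -> bytes:
    """Build a minimal constructed .docx with one oleObject relationship.
    Constructed test fixture only; it carries no payload."""
    mode = ' TargetMode="External"' if target.startswith("http") else ""
    rels = (f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()
```

A local embedded object (a relative `Target`) produces no findings, while an external `http` target is flagged; the check is a triage aid for mail-gateway or sandbox pipelines, not a replacement for patching.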
Interestingly, one of the variables in the PowerShell script is named “$CHOTAbheem”, which is likely a reference to Chhota Bheem, an Indian animated comedy adventure television series.
“Based on a quick check, it appears that the individual or group responsible for the attack may have a Middle Eastern/Indian background, although the latter attribution is yet to be confirmed,” the researchers told The Hacker News, indicating that the keywords could also be used as a cover-up.
XWorm is commodity malware that is advertised for sale on underground forums and comes with various features that allow it to siphon sensitive information from infected hosts.
The malware is also something of a Swiss Army knife, as it can perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware.
The exact origin of the threat actor is currently unclear, although Securonix says the attack methodology shares artifacts similar to TA558, which has been observed attacking the hospitality industry in the past.
“While phishing emails rarely use Microsoft Office documents since Microsoft made the decision to disable macros by default, today we saw evidence that it remains important to be aware of malicious document files, especially in this case where there is no VBScript execution of the macro,” the researchers said.