Security experts have detected an ongoing phishing campaign that employs a distinctive attack chain to distribute the XWorm malware. Dubbed MEME#4CHAN, this cluster of malicious activity has been observed targeting manufacturing and healthcare companies based in Germany.
What’s happening in the campaign?
The attack campaign has been using an unusual meme-filled PowerShell code. The code is followed by a heavily obfuscated XWorm payload to target its victims.
A report has revealed that the attackers used hotel reservation-themed lures to fool victims into opening malicious documents. The documents deliver Agent Tesla and XWorm payloads.
To spread the decoy Word documents, the attackers use phishing tactics that exploit the Follina vulnerability (CVE-2022-30190) and drop an obfuscated PowerShell script.
This script is then abused to disable Microsoft Defender, evade Anti-malware Scan Interface (AMSI), establish persistence, and launch the .NET binary containing XWorm.
XWorm’s capability
XWorm is a type of commodity malware that comes with a wide range of features and can be easily obtained on underground forums. This malicious program allows attackers to collect sensitive information from infected victims and also to perform a variety of other malicious actions, such as launching DDoS attacks, carrying out ransomware operations, or dropping additional payloads onto the compromised machine.
Who’s behind the campaign?
Notably, one of the variables used in the PowerShell script is named ‘$CHOTAbheem’. This variable is a reference to an Indian animated comedy adventure television series known as Chhota Bheem.
According to experts, it seems that the group or an individual responsible for the attack could have a Middle Eastern/Indian background. However, the final attribution is not confirmed yet.
Moreover, the attack methodology shares artifacts similar to the financially motivated group TA558, which has targeted the hospitality sector in the past.
Conclusion
Despite Microsoft having disabled macros by default, attackers are increasingly exploiting the Follina vulnerability. This highlights the importance of keeping security patches up to date. It's also important to remain vigilant in case VBScript execution is not occurring from macros.