Sophisticated XWorm RAT Campaign Exploits Phishing and Excel Vulnerabilities to Evade Detection
A recent cybersecurity investigation has uncovered a sophisticated phishing campaign deploying an updated variant of XWorm, a Remote Access Trojan (RAT) that grants attackers full control over compromised Microsoft Windows systems. Initially identified in 2022, XWorm continues to be actively distributed, often circulating through Telegram-based marketplaces, making it readily accessible to a wide range of cybercriminals.
Phishing Tactics and Themed Lures
In this latest campaign, attackers have employed business-themed email lures to deceive recipients into opening malicious attachments. These emails, crafted to appear as legitimate communications, include subjects such as payment detail reviews, purchase orders, and signed shipment documents. The primary objective is to entice targets into opening an attached Excel add-in file with the .XLAM extension.
Exploitation of CVE-2018-0802
Upon opening the malicious .XLAM file, the attack chain is initiated by leveraging CVE-2018-0802, a known remote code execution vulnerability in the Microsoft Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office and reachable from Excel. Despite being identified and patched in 2018, this flaw remains a viable attack vector wherever systems have not received the update.
The crafted Excel file contains an embedded Object Linking and Embedding (OLE) object designed to auto-load upon opening. This object exploits CVE-2018-0802, leading to the execution of shellcode embedded within the document. The shellcode’s primary function is to download and execute additional malicious payloads, thereby escalating the attack.
Infection Mechanism and Payload Delivery
Once the vulnerability is exploited, the shellcode initiates the download of a malicious HTML Application (HTA) file from a remote server. This HTA file is saved to the %APPDATA% directory and executed using the ShellExecuteExW function. The execution of the HTA file marks a transition from document-based exploitation to script-based execution, allowing the attacker to blend malicious activities with legitimate Windows processes.
The obfuscated HTA file runs under mshta.exe, a legitimate Windows utility for executing HTA files. It then executes a Base64-encoded PowerShell payload designed to download an image file from a Cloudinary URL. This image file, named optimized_MSI_lpsd9p.jpg, contains a hidden .NET module embedded between specific markers labeled BaseStart and BaseEnd. The use of steganography to conceal malicious code within an image file is a technique that helps evade detection by traditional security solutions.
The extracted .NET module, masquerading under the assembly name Microsoft.Win32.TaskScheduler, operates entirely in memory. This fileless execution strategy avoids leaving a detectable footprint on the system’s disk, thereby reducing the likelihood of detection by antivirus software.
Execution of XWorm RAT
The in-memory .NET loader decodes a reversed Base64 URL to retrieve another file named wwa.txt from a remote server. This file contains the XWorm payload, which is reconstructed in memory and injected into a newly created instance of Msbuild.exe through a technique known as process hollowing. Process hollowing involves creating a new process in a suspended state, unmapping its memory, and replacing it with malicious code before resuming the process. This method allows the malware to run under the guise of a legitimate process, further evading detection.
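Two artifacts described above lend themselves to analyst triage tooling: the image with a .NET module hidden between the BaseStart and BaseEnd markers, and the loader's reversed-Base64 URL. The following Python helper is an added example, not code from the original report or from the campaign; it assumes the segment between the markers is Base64 text (the report does not say how it is encoded) and uses a constructed stub image and a placeholder URL (example.invalid) in place of the real samples.

```python
import base64
import hashlib
from typing import Optional

# Marker strings named in the write-up; Base64 encoding of the segment is an assumption.
START_MARKER, END_MARKER = b"BaseStart", b"BaseEnd"

def carve_between_markers(blob: bytes) -> Optional[bytes]:
    """Return the bytes between the first BaseStart and the following BaseEnd, or None."""
    i = blob.find(START_MARKER)
    if i < 0:
        return None
    j = blob.find(END_MARKER, i + len(START_MARKER))
    return None if j < 0 else blob[i + len(START_MARKER):j]

def decode_segment(segment: bytes) -> bytes:
    """Strict Base64 decode (assumed encoding); fall back to the raw bytes if it is not Base64."""
    try:
        return base64.b64decode(segment.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return segment

def triage_image(blob: bytes) -> dict:
    """Report whether an image carries a marker-delimited payload and whether that payload is a PE."""
    segment = carve_between_markers(blob)
    if segment is None:
        return {"found": False}
    payload = decode_segment(segment)
    return {"found": True, "size": len(payload),
            "is_pe": payload[:2] == b"MZ",  # DOS header magic; every .NET assembly starts with it
            "sha256": hashlib.sha256(payload).hexdigest()}

def decode_reversed_b64(s: str) -> str:
    """Undo the reversed-Base64 URL encoding the in-memory loader uses."""
    return base64.b64decode(s[::-1]).decode("ascii")

# Constructed sample: JPEG header bytes wrapping a stub PE header, not a real campaign image.
FAKE_PE = b"MZ\x90\x00" + bytes(60) + b"PE\x00\x00"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)
               + START_MARKER + base64.b64encode(FAKE_PE) + END_MARKER + b"\xff\xd9")
# Constructed: reversed Base64 of a placeholder URL standing in for the loader's real string.
REVERSED_URL = "==Ad4RnLhd3dvQWasFmdulmLlxGctFGel9yL6MHc0RHa"

if __name__ == "__main__":
    print(triage_image(SAMPLE_JPEG))
    print(decode_reversed_b64(REVERSED_URL))  # https://example.invalid/wwa.txt
```

The sha256 in the report is what you would feed to a sandbox or threat-intel lookup; a payload that decodes but does not start with MZ still deserves a look, since the markers alone are already anomalous in an image.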
Once executed, XWorm decrypts its configuration settings and establishes a connection to a command-and-control (C2) server located at berlin101[.]com on port 6000. The communication between the infected system and the C2 server is encrypted using the Advanced Encryption Standard (AES), so network inspection tools without the key cannot read the commands or the data exchanged.
Implications and Recommendations
The deployment of XWorm through this sophisticated phishing campaign poses significant risks, including unauthorized access to sensitive information, potential data exfiltration, and the possibility of further malware deployment. The use of legitimate processes and fileless execution techniques makes detection and mitigation challenging.
To defend against such threats, organizations and individuals are advised to implement the following measures:
1. Patch Management: Ensure that all systems are up-to-date with the latest security patches, particularly those addressing known vulnerabilities like CVE-2018-0802.
2. Email Security: Deploy advanced email filtering solutions to detect and block phishing attempts. Educate employees on recognizing phishing emails and the dangers of opening unsolicited attachments.
3. Application Control: Restrict the execution of potentially dangerous file types, such as .XLAM and .HTA files, especially if they are received via email.
4. Process Monitoring: Implement monitoring solutions to detect unusual process behaviors, such as the execution of mshta.exe or PowerShell scripts initiated by Office applications.
5. Network Security: Monitor network traffic for connections to known malicious domains and IP addresses. Implement intrusion detection and prevention systems to identify and block suspicious activities.
6. User Education: Conduct regular cybersecurity awareness training to inform users about the latest phishing tactics and the importance of cautious behavior when handling emails and attachments.
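The process-monitoring recommendation can be made concrete against the chain described in this report: Excel spawning mshta.exe with an .hta under %APPDATA%, mshta.exe spawning PowerShell with an encoded command, and MSBuild.exe appearing under a parent that does not normally build anything. The following Python rules are an added example, not part of the original report or any vendor product; they run over constructed Sysmon-style process-creation events (fields Image, ParentImage, CommandLine), assume the in-memory loader runs inside the PowerShell process so that MSBuild.exe's parent is powershell.exe, and use allow-lists that a real deployment would tune.

```python
import re

# Tunable lists (assumptions for this example, not taken from the write-up).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# -e, -ec, -en, -enc, -encodedcommand (PowerShell accepts any unambiguous prefix) followed by a Base64 run
ENCODED_CMD = re.compile(r"(?i)\s-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]{20,}")
APPDATA_PATH = re.compile(r"(?i)%appdata%|\\appdata\\roaming\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return detection tags for one process-creation event; an empty list means nothing fired."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "")
    tags = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        tags.append(f"office-spawned-script-host:{parent}->{child}")
    if child == "mshta.exe" and APPDATA_PATH.search(cmd):
        tags.append("mshta-running-hta-from-appdata")
    if parent == "mshta.exe" and child in POWERSHELL:
        tags.append("mshta-spawned-powershell")
    if child in POWERSHELL and ENCODED_CMD.search(cmd):
        tags.append("powershell-encoded-command")
    if child == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
        tags.append(f"msbuild-from-unexpected-parent:{parent}")
    return tags

def hunt(events):
    return [(e, classify(e)) for e in events if classify(e)]

# Constructed events mirroring the chain in the write-up; paths and the Base64 blob are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QwBvAG4AcwB0AHIAdQBjAHQAZQBkACAAcwBhAG0AcABsAGUA"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "CommandLine": "MSBuild.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "CommandLine": "MSBuild.exe app.csproj"},
]

if __name__ == "__main__":
    for event, tags in hunt(SAMPLE_EVENTS):
        print(basename(event["ParentImage"]), "->", basename(event["Image"]), tags)
```

Each rule on its own will produce some benign hits on developer or admin workstations; the value is in correlating several of them within one process tree, as the three flagged events here form a single chain.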
By adopting a comprehensive and proactive security posture, organizations can enhance their resilience against sophisticated malware campaigns like the one deploying XWorm RAT.