FortiGuard Labs observed a phishing campaign delivering a new XWorm RAT variant via malicious Excel add-in attachments. The documents exploit CVE-2018-0802 (Microsoft Equation Editor, EQNEDT32.EXE) to run shellcode that fetches and launches an HTA; the HTA runs obfuscated JScript and PowerShell, loads a fileless .NET module, and deploys XWorm into a newly created Msbuild.exe process via process hollowing. XWorm v7.2 talks to its C2 server (example: berlin101.com:6000) over AES-encrypted traffic and supports a modular plugin architecture and an extensive command set enabling full remote control, data exfiltration, DDoS, and ransomware capabilities. #XWorm #MicrosoftWindows
Keypoints
- Phishing emails with business-themed lures delivered malicious Excel add-in (.XLAM) attachments; the exploit fires when the victim opens the file.
- The Excel file contained an embedded OLE object that exploited CVE-2018-0802 in EQNEDT32.EXE (the Microsoft Equation Editor) to execute shellcode, which downloaded and executed an HTA file.
- The HTA ran obfuscated JScript that decoded and executed a Base64 PowerShell payload which retrieved a JPEG containing a Base64-encoded, fileless .NET module.
- The .NET module (disguised as Microsoft.Win32.TaskScheduler) decoded a URL, downloaded a Base64 PE (XWorm), and performed process hollowing to inject XWorm into a newly created Msbuild.exe process.
- XWorm v7.2 is a .NET-based RAT providing AES-encrypted C2 communications, a wide set of control commands, and a plugin system of >50 .NET modules for extended capabilities.
- Fortinet protections (FortiMail, FortiGuard Web Filtering, IPS, AntiVirus, FortiOS CDR) detect and block elements of the campaign, including the exploit, HTA, image payload, and in-memory XWorm artifacts.
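The JPEG stage above carries the .NET module as Base64 text inside an otherwise ordinary image. The following is an added triage example, not FortiGuard's code or the campaign's own PowerShell: it scans a file for long Base64 runs, decodes each, and keeps the first one that decodes to a PE (MZ header plus a PE signature at e_lfanew). How the real PowerShell stage locates the payload inside the image is not reproduced; the scanner, the minimum run length, and the constructed sample image (minimal JPEG framing followed by a fake PE skeleton) are all assumptions made for the example.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# Runs of Base64 alphabet characters. The minimum length keeps short printable
# sequences inside ordinary JPEG data from being treated as a payload.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_base64_pe(image: bytes) -> Optional[bytes]:
    """Return the first Base64 run in `image` that decodes to a PE file, else None.

    The campaign's own locator (whatever the PowerShell stage uses to find the
    payload inside the JPEG) is not reproduced here; this scans the whole file.
    """
    for match in B64_RUN.finditer(image):
        core = match.group(0).rstrip(b"=")
        padded = core + b"=" * (-len(core) % 4)   # re-pad to a whole quantum
        try:
            blob = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue  # not valid Base64 after all, keep scanning
        if looks_like_pe(blob):
            return blob
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the dropped executable: a bare MZ/PE header
    skeleton, not a real program and not the XWorm binary."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + b"\x00" * 256


# Constructed sample: minimal JPEG framing (SOI ... EOI) followed by the
# Base64-encoded fake PE, mimicking a payload appended after the image data.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    + base64.b64encode(build_fake_pe())
)

if __name__ == "__main__":
    carved = carve_base64_pe(SAMPLE_IMAGE)
    print("carved PE:", None if carved is None else f"{len(carved)} bytes")
```

Run it against the real optimized_MSI_lpsd9p.jpg sample to pull the embedded module for static analysis; if the operator wrapped the Base64 in marker strings rather than appending it raw, the same scan still finds it, because the markers are not part of the Base64 alphabet run.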
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Phishing emails delivered malicious Excel attachments to targeted users to trick them into opening the file. (‘phishing emails delivering a malicious Excel attachment’)
- [T1203] Exploitation for Client Execution – The embedded OLE object exploited CVE-2018-0802 in EQNEDT32.EXE to execute embedded shellcode. (‘CVE-2018-0802 is a remote code execution vulnerability … EQNEDT32.EXE parses the object, triggering the vulnerability and executing the embedded shellcode.’)
- [T1218.005] System Binary Proxy Execution: Mshta – The shellcode downloaded an HTA and executed it with mshta.exe to run JScript that launched PowerShell. (‘The HTA file executes JScript code when loaded by mshta.exe’ and ‘The shellcode calls the ShellExecuteExW() API … execute the downloaded HTA file’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – The HTA contained a Base64-encoded PowerShell payload which, once decoded, downloaded a JPEG with an embedded .NET module and executed the module in memory. (‘The apochromatic variable contains a Base64-encoded PowerShell payload, which is decoded and executed at runtime.’)
- [T1105] Ingress Tool Transfer – The chain downloads three remote components (the HTA, the JPEG with the embedded .NET module, and wwa.txt containing the Base64-encoded PE) from external URLs. (‘download an HTA file from retrodayaengineering[.]icu/HGG.hta’ and ‘decoded URL is hxxps://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt’)
- [T1055.012] Process Injection: Process Hollowing – The .NET module created a suspended Msbuild.exe process and used VirtualAllocEx/WriteProcessMemory/SetThreadContext/ResumeThread to inject and run the XWorm payload. (‘inject and execute the XWorm payload within a newly created Msbuild.exe process’)
- [T1573] Encrypted Channel – XWorm protects C2 communications by AES-encrypting packet payloads before transmission to the C2 server. (‘XWorm encrypts network traffic using the AES algorithm’)
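The execution chain in the keypoints and technique list above (EQNEDT32.EXE -> mshta.exe -> powershell.exe -> Msbuild.exe) is visible in process-creation telemetry. The following is an added detection example, not part of the FortiGuard write-up or any Fortinet product logic: it replays the chain as constructed Sysmon Event ID 1-style records and runs four rules over them. PIDs, user paths, the PowerShell arguments and the benign MSBuild control event are made up; only the binaries and their order come from the page.

```python
import ntpath
import re
from typing import Any, Dict, List

Event = Dict[str, Any]

# Constructed Sysmon Event ID 1 (process creation) style records replaying the
# chain described above. PIDs, user paths and the PowerShell arguments are made
# up; only the binaries and their parent/child order come from the page.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 3100, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"},
    {"pid": 4012, "ppid": 2400, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\u\Downloads\Quotation.xlam"'},
    # Equation Editor starts as an out-of-process COM server, so its parent is
    # svchost.exe (DcomLaunch), not EXCEL.EXE: "parent is Excel" rules miss it.
    {"pid": 4188, "ppid": 3100,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE",
     "cmd": r'"EQNEDT32.EXE" -Embedding'},
    {"pid": 4301, "ppid": 4188, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Roaming\VA5.hta"'},
    {"pid": 4420, "ppid": 4301,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -ep bypass -enc <base64>"},
    {"pid": 4533, "ppid": 4420,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign control: a developer build that must not alert.
    {"pid": 5001, "ppid": 4900,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe App.csproj /t:Build"},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
BUILD_INPUT = re.compile(r"\.(proj|csproj|vbproj|sln|targets)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def image_name(path: Any) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(str(path)).lower()


def detect_chain(events: List[Event]) -> List[str]:
    """Return one alert per suspicious process-creation event, in input order."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[str] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else ""
        name = image_name(e["image"])
        cmd = str(e["cmd"])
        # Rule 1: Equation Editor has no legitimate reason to spawn a child.
        if parent_name == "eqnedt32.exe":
            alerts.append(f"pid {e['pid']}: {name} spawned by EQNEDT32.EXE (Equation Editor exploitation)")
        # Rule 2: mshta.exe loading an HTA from a user-writable location.
        if name == "mshta.exe" and ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
            alerts.append(f"pid {e['pid']}: mshta.exe running an HTA from a user-writable path")
        # Rule 3: PowerShell launched by mshta.exe (HTA -> JScript -> PowerShell hop).
        if name in {"powershell.exe", "pwsh.exe"} and parent_name == "mshta.exe":
            alerts.append(f"pid {e['pid']}: PowerShell spawned by mshta.exe")
        # Rule 4: MSBuild.exe started by a script host, or with no build input,
        # is the hallmark of its use as an injection/hollowing host.
        if name == "msbuild.exe" and (parent_name in SCRIPT_HOSTS or not BUILD_INPUT.search(cmd)):
            has_input = "with" if BUILD_INPUT.search(cmd) else "without"
            alerts.append(f"pid {e['pid']}: MSBuild.exe launched by {parent_name or 'unknown'} {has_input} a project file")
    return alerts


if __name__ == "__main__":
    for line in detect_chain(SAMPLE_EVENTS):
        print(line)
```

Two caveats when porting this to a real SIEM rule: EQNEDT32.EXE is launched through DCOM, so its parent is svchost.exe rather than EXCEL.EXE, which is why rule 1 keys on the Equation Editor itself spawning anything; and hollowing via WriteProcessMemory/SetThreadContext/ResumeThread creates no remote thread, so Sysmon Event ID 8 (CreateRemoteThread) stays silent. For the injection step itself, look at Event ID 10 (ProcessAccess) from the PowerShell process to the freshly created MSBuild.exe, alongside the command-line anomaly rule 4 catches.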
Indicators of Compromise
- [URL] Download and staging locations used by the campaign – hxxps://retrodayaengineering[.]icu/HGG.hta, hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg (and hxxp://pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev/wwa.txt)
- [Domain / C2] Command-and-control server host and port – berlin101[.]com:6000 (C2 server for XWorm communications)
- [File Hash (SHA-256)] Samples associated with the campaign – EE663D016894D44C69B1FDC9D2A5BE02F028A56FC22B694FF7C1DACB2BBBCC6D (XLAM sample), EACD8E95EAD3FFE2C225768EF6F85672C4BFDF61655ED697B97F598203EF2CF6 (XWorm payload) and 2 more hashes
- [File Name] Notable filenames and saved artifacts – VA5.hta (downloaded HTA saved as %APPDATA%\VA5.hta), optimized_MSI_lpsd9p.jpg (image containing the embedded .NET module)