Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads

MITRE Techniques

• [T1566.001] Phishing – The MEME#4CHAN campaign typically begins with a phishing email. “The MEME#4CHAN typically begins with a phishing email.”
• [T1566] Phishing – Phishing emails attach documents such as “Details for booking.docx” used to deliver the payload. “The attack chain begins with the phishing email samples… The email attachment is a single Microsoft Word document file named “Details for booking.docx”.”
• [T1204.002] User Execution: Malicious File – The attachment prompts user interaction and leads to code execution. “The email attachment is a single Microsoft Word document file named “Details for booking.docx”… When opened, a prompt to the user appears before any content is displayed asking the user if they want to update the document with externally linked files.”
• [T1059.001] Command and Scripting Interpreter: PowerShell – Stage 2: PowerShell execution describes semi-obfuscated PowerShell code used to drop the final payload. “The PowerShell that gets executed at this stage is semi-obfuscated and contains quite a few functions…”
• [T1059.003] Command and Scripting Interpreter: Windows Command Shell – WScript.shell is used to execute decoded payloads within Windows scripting context. “The script above leverages the WScript.shell COM object… to execute the $NuclearDefusion variable…”
• [T1059.007] Command and Scripting Interpreter: JavaScript – A heavily obfuscated JScript one-liner is decoded and executed as part of the drop chain. “a hugely obfuscated JScript one-liner…”
• [T1204.001] User Execution: Malicious Link – External resources are fetched from links embedded in the document and atom.xml payloads. “two links to external resources.”
• [T1027.010] Obfuscated Files or Information: Command Obfuscation – The PowerShell and subsequent scripts are heavily obfuscated to hinder analysis. “semi-obfuscated” and “heavily obfuscated .NET binaries…”
• [T1055.009] Process Injection: Proc Memory – Final payloads are injected into RegSvcs.exe or Msbuild.exe via in-memory execution. “in-memory execution using .NET assemblies via reflection.”
• [T1620] Reflective Code Loading – The payloads are loaded reflectively into memory before execution. “[Reflection.Assembly]::Load…Invoke…”
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence by writing decoded scripts to disk and placing them where startup processes run. “persistence is established by writing the obfuscated JScript code to disk and saving it as… in the startup directory.”
• [T1053] Scheduled Task/Job – A scheduled task EscanDissldo is created to run the dropped script periodically. “A scheduled task is then created called EscanDissldo…”
• [T1573.001] Encrypted Channel: Symmetric Cryptography / T1573.001 – The C2 channel uses HTTP POST communications to remote servers. “It establishes a connection to a remote HTTP server using a POST request…”
• [T1105] Ingress Tool Transfer – The drop chain downloads and fetches PowerShell code/assets from web resources. “Downloads a file and executes it using Process.Start(filename).” (contextual reference to file delivery via web resources)
• [T1571] Non-Standard Port – C2 infrastructure includes non-standard ports like 3000. “212.87.204[.]83:3000” and “Port3000newspm.duckdns[.]org”
• [T1041] Exfiltration Over C2 Channel – C2 communications can be used to exfiltrate data over the established channel. (Referenced concept in C2/Exfil context in the article)