XWorm spread in Italy through a fake Namirial invoice

CERT-AGID has uncovered an email campaign that distributes the XWorm RAT by impersonating Namirial and using a password-protected PDF to lure victims into downloading a malicious ZIP from Dropbox. The attack chain leverages trycloudflare tunnels and obfuscated BAT scripts (BatchShield) to deliver RATs including XWorm. #XWorm #Namirial

Key points

  • Attackers sent Italian-language phishing emails impersonating Namirial to entice recipients to open an attached PDF.
  • The attached PDF is password-protected and pushes victims to use an alternative link that downloads a ZIP archive from Dropbox.
  • The downloaded ZIP contains a .url file that abuses the TryCloudflare service to create a temporary tunnel and resolve a random subdomain on trycloudflare.com.
  • The tunnel-hosted payload fetches a BAT file obfuscated with BatchShield; a BatchShield decryptor can reverse the obfuscation.
  • A follow-up ZIP delivers a Python interpreter and malicious scripts that install RATs; observed final payloads include XWorm and other RATs.
  • CERT-AGID published a downloadable IoC JSON file documenting indicators tied to the campaign.

MITRE Techniques

  • [T1566] Phishing – Uses deceptive emails to trick users into downloading malicious files (‘invites the user to view an attached PDF document and, in case the file does not open correctly, suggests using an alternative link present in the body of the message’).
  • [T1210] Exploitation of Remote Services – Abuses TryCloudflare to create temporary tunnels that expose local services to the internet (‘exploits the TryCloudflare feature … allows attackers to create temporary tunnels to local servers’).
  • [T1071] Command and Control – Routes traffic through Cloudflare-generated subdomains to communicate with compromised hosts (‘Each tunnel generates a random subdomain on the trycloudflare.com domain, used to route traffic through the Cloudflare network to the local server’).
  • [T1027] Obfuscated Files or Information – Delivers a BAT file obfuscated with BatchShield to hinder analysis (‘download a BAT file, obfuscated using the BatchShield tool’).
  • [T1203] Malware – Installs and executes remote access trojans and other malware, including XWorm (‘This process leads to the release of one of the following malware: AsyncRAT, DCRat, GuLoader, VenomRAT, Remcos RAT, or, as in the current case, XWorm’).

Indicators of Compromise

  • [Domain] Tunnel/domain usage – trycloudflare.com (random subdomains on the trycloudflare.com domain used to route traffic).
  • [Download/Artifact] IoC bundle – https://cert-agid.gov.it/wp-content/uploads/2024/10/xworm-namirial-25-10-2024.json (downloadable IoC list published by CERT-AGID).
  • [File] Dropbox-hosted ZIP / .url file – ZIP archive hosted on Dropbox containing a .url shortcut that, when opened, initiates the connection through the TryCloudflare tunnel.
  • [File] Obfuscated BAT – BAT script obfuscated with BatchShield (deobfuscatable with BatchShield decryptor linked in the report).

CERT-AGID observed a targeted campaign that spreads the XWorm remote access trojan by impersonating the digital services provider Namirial. The attack begins with an Italian-language email that appears to include a legitimate PDF attachment; because the PDF is password-protected, recipients are directed to an alternative download link embedded in the message. That link points to a Dropbox-hosted ZIP archive which contains a .url file. When executed, the .url file leverages the TryCloudflare feature to instantiate a temporary tunnel and produce a random subdomain on the trycloudflare.com domain, allowing attackers to proxy traffic to a local server without owning a Cloudflare account.

Through the established tunnel the victim fetches a BAT script that has been obfuscated with the BatchShield tool. CERT-AGID notes that the obfuscation can be reversed using an available BatchShield decryptor, revealing the commands used to continue the compromise. The revealed sequence downloads a second ZIP archive that bundles a Python interpreter together with prepackaged malicious scripts. Executing that interpreter runs the embedded scripts, which then install one of several remote access tools observed in prior campaigns. The report lists possible final payloads including AsyncRAT, DCRat, GuLoader, VenomRAT, Remcos RAT, and in this incident specifically XWorm.

To help defenders and incident responders, CERT-AGID published the collected indicators of compromise as a downloadable JSON file. The advisory highlights the use of trycloudflare-generated subdomains, the Dropbox-hosted ZIP and .url chain, the BatchShield-obfuscated BAT, and the final Python-based dropper that leads to RAT installation. Organizations should block suspicious trycloudflare subdomains, scrutinize emails claiming to be from Namirial, and treat password-protected attachments that push alternative download links as high-risk.
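As an added defender-side example (not code from the CERT-AGID advisory), the following Python flags a .url shortcut whose target host is a trycloudflare.com subdomain and scans DNS log lines for queries to the same kind of host; the sample shortcut, host names and log format are constructed and hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed .url shortcut in the InternetShortcut format; the host and
# path are hypothetical, not indicators from the campaign.
SAMPLE_URL_FILE = """[InternetShortcut]
URL=https://random-words-example.trycloudflare.com/share/fattura.zip
IconIndex=0
"""

# Constructed DNS log lines: "<timestamp> <client> query <type> <qname>".
SAMPLE_DNS_LOG = """2024-10-25T09:12:01Z host01 query A random-words-example.trycloudflare.com
2024-10-25T09:12:05Z host01 query A www.dropbox.com
2024-10-25T09:13:44Z host02 query A another-tunnel-name.trycloudflare.com
2024-10-25T09:14:00Z host03 query A cert-agid.gov.it
"""

TUNNEL_SUFFIX = ".trycloudflare.com"
DNS_RE = re.compile(r"query\s+\S+\s+(?P<qname>\S+)")


def parse_url_file(text):
    """Return the URL= target of a .url (InternetShortcut) file, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "url":
            return value.strip()
    return None


def is_tunnel_host(host):
    """True for any subdomain of trycloudflare.com (the apex itself is not a tunnel)."""
    host = host.lower().rstrip(".")
    return host.endswith(TUNNEL_SUFFIX) and host != TUNNEL_SUFFIX.lstrip(".")


def url_file_points_to_tunnel(text):
    """True if the shortcut's target host is a TryCloudflare tunnel subdomain."""
    target = parse_url_file(text)
    if not target:
        return False
    return is_tunnel_host(urlparse(target).hostname or "")


def tunnel_queries(log_text):
    """Return (client, qname) pairs for DNS queries to trycloudflare subdomains."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.search(line)
        if m and is_tunnel_host(m.group("qname")):
            hits.append((line.split()[1], m.group("qname").lower()))
    return hits
```

Extracted .url files from quarantined ZIP attachments can be fed to url_file_points_to_tunnel, while tunnel_queries fits a resolver log export; both rely only on the trycloudflare.com suffix the advisory names, not on any specific subdomain.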

Read more: https://cert-agid.gov.it/news/xworm-diffuso-in-italia-tramite-falsa-fattura-namirial/