An ongoing phishing campaign known as MEME#4CHAN has been uncovered in the wild, which uses a peculiar attack chain to deliver XWorm malware to targeted systems. Den Iuzvyk, Tim Peck, and Oleg Kolesnikov of Securonix recently revealed that the campaign has been deploying meme-filled PowerShell code, followed by an obfuscated XWorm payload.
Their findings build on those of Elastic Security Labs, which noted the threat actor’s utilization of reservation-themed lures to fool victims into opening malicious documents that carry XWorm and Agent Tesla payloads. This campaign has primarily been targeting manufacturing companies and healthcare clinics located in Germany.
With the help of phishing attacks, the attackers use decoy Microsoft Word documents to exploit the Follina vulnerability (CVE-2022-30190) in order to drop an obfuscated PowerShell script.
More about the Follina Vulnerability
The Follina vulnerability is the name of a now-fixed zero-day in Microsoft Office that could be leveraged for arbitrary code execution. The nao_sec research team uncovered the vulnerability after finding a Word document that had been uploaded to VirusTotal from a Belarusian IP address. Follina was patched in June last year, after Microsoft had first published a mitigation.
More about the XWorm Attack
It appears that the threat actor responsible for the XWorm malware attack could have a Middle Eastern/Indian background, as the PowerShell script used contains a variable titled “$CHOTAbheem”, which is a reference to an Indian animated comedy adventure television series.
XWorm is a commodity malware frequently found on underground forums, with a range of features that allow it to siphon sensitive information, as well as perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware. This particular attack methodology shares artifacts with those of TA558, which has targeted the hospitality industry in the past. Despite Microsoft's decision to disable macros by default in Microsoft Office documents, this case shows that it is still important to be wary of malicious document files.
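The attack chain described above has two observable stages a defender can look for: a Word document abusing Follina (which, as is well documented for CVE-2022-30190, makes the Office process launch msdt.exe with an ms-msdt: URI), and the follow-on PowerShell script whose "$CHOTAbheem" variable the researchers quoted. The following is an added example, not code from the article or from Securonix or Elastic: a small Python detection pass over constructed process-creation records and script text. The record field names (parent_image, image, command_line), the rule names, and all sample values are assumptions made for the example, and the sample command lines are deliberately minimal, not real exploit strings.

```python
"""Added example (not from the article): flag the two observable stages of the
MEME#4CHAN chain in constructed telemetry. Field names and samples are assumed."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Office hosts that should not normally spawn diagnostic or scripting tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"msdt.exe", "powershell.exe", "pwsh.exe",
                       "cmd.exe", "wscript.exe", "mshta.exe"}
# Protocol handler abused by Follina (CVE-2022-30190).
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)
# Variable name the article quotes from the campaign's PowerShell script.
CAMPAIGN_VARIABLE = re.compile(r"\$CHOTAbheem\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(image: str) -> str:
    """Normalise a Windows image path to its lower-cased file name."""
    return PureWindowsPath(image).name.lower()


def check_process_event(event: dict) -> list[Finding]:
    """Apply the parent/child and ms-msdt checks to one process-creation record."""
    findings: list[Finding] = []
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        findings.append(Finding("office_spawns_script_host", f"{parent} -> {child}"))
    if child == "msdt.exe" and MSDT_URI.search(cmdline):
        findings.append(Finding("msdt_protocol_handler", "ms-msdt: URI passed to msdt.exe"))
    return findings


def check_script_text(script: str) -> list[Finding]:
    """Look for the campaign-specific variable name in recovered PowerShell text."""
    if CAMPAIGN_VARIABLE.search(script):
        return [Finding("meme4chan_variable", "variable $CHOTAbheem present")]
    return []


def scan(events: list[dict], scripts: list[str]) -> list[Finding]:
    """Run both checks over a batch of records and return all findings."""
    findings: list[Finding] = []
    for event in events:
        findings.extend(check_process_event(event))
    for script in scripts:
        findings.extend(check_script_text(script))
    return findings


# Constructed sample records (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": "msdt.exe ms-msdt:/id CONSTRUCTED_SAMPLE"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc CONSTRUCTED"},
]
# Constructed script fragment carrying the quoted variable name.
SAMPLE_SCRIPT = "$CHOTAbheem = 'meme text here'\nWrite-Output $CHOTAbheem"

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, [SAMPLE_SCRIPT]):
        print(f"[{finding.rule}] {finding.detail}")
```

The first sample record trips both process rules, the benign explorer/notepad record trips none, and the Word-to-PowerShell record trips only the parent/child rule; the script check fires on the quoted variable name. In practice the parent/child rule is the durable one, since an actor can trivially rename a variable but cannot avoid the Office process being the parent of whatever Follina launches.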