XWorm 7.2 Malware Hidden in JPEG Files Exploits Excel Vulnerability to Hijack PCs


Sophisticated Phishing Campaign Targets Windows Users with XWorm RAT

A sophisticated phishing campaign is underway, targeting Windows users with a malicious Excel file that exploits a known vulnerability to deliver the XWorm 7.2 Remote Access Trojan (RAT).

Attack Vector

The attack begins with a socially engineered email, often disguised as a mundane business message, such as a payment review or signed bank document. These emails typically contain an Excel attachment that, when opened, exploits the CVE-2018-0802 vulnerability. This triggers a hidden script that uses PowerShell to execute the malware.

XWorm Malware Capabilities

The XWorm malware employs a technique called process hollowing, where it starts a legitimate Windows program, Msbuild.exe, pauses it, and replaces its internal code with the malware. This allows the malware to masquerade as a trusted system tool, evading antivirus software. The malware then connects to a control server at berlin101.com using port 6000 and AES encryption to steal sensitive data, including Wi-Fi keys, passwords, and browser cookies.
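The execution chain the report describes (Excel exploit, hidden PowerShell, process hollowing into Msbuild.exe, outbound AES traffic to berlin101.com on port 6000) leaves a recognisable trail in endpoint telemetry. The following detection script is an added example and is not code from the original report or from any vendor named in it. It runs over a small set of constructed process-creation and network-connection events in an assumed `kind|parent|target|detail` format; only the C2 hostname and port come from the report, and every other value (file names, process parents, command lines) is made up for illustration.

```python
"""Flag the XWorm delivery chain in constructed endpoint events.

Added example, not from the original report. Event format is an
assumption: "proc|parent_image|child_image|command_line" for process
creation and "net|source_image|dest_host|dest_port" for outbound
connections.
"""
from dataclasses import dataclass
from typing import List

# Office applications that should not normally launch scripting hosts.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Script interpreters commonly launched by document exploits.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Legitimate binary the report says is hollowed and used as a host process.
HOLLOWING_HOSTS = {"msbuild.exe"}
# Indicators taken from the report.
C2_HOST = "berlin101.com"
C2_PORT = 6000

# Constructed sample telemetry (not real logs). The angle-bracket value is a
# placeholder, not a real encoded command.
SAMPLE_EVENTS = [
    "proc|outlook.exe|EXCEL.EXE|C:\\Users\\a\\Downloads\\payment_review.xls",
    "proc|EXCEL.EXE|powershell.exe|-nop -w hidden -enc <ENCODED_COMMAND>",
    "proc|powershell.exe|MSBuild.exe|",
    "net|MSBuild.exe|berlin101.com|6000",
    "proc|explorer.exe|MSBuild.exe|build.proj",   # benign developer use
    "net|chrome.exe|example.org|443",             # benign browsing
]


@dataclass
class Event:
    kind: str    # "proc" or "net"
    parent: str  # parent image (proc) or source image (net)
    target: str  # child image (proc) or destination host (net)
    detail: str  # command line (proc) or destination port (net)


def parse_event(line: str) -> Event:
    """Split one assumed-format event line into its four fields."""
    kind, parent, target, detail = line.split("|", 3)
    return Event(kind, parent, target, detail)


def analyse(lines: List[str]) -> List[str]:
    """Return one finding string per event that matches a chain stage."""
    findings: List[str] = []
    for line in lines:
        ev = parse_event(line)
        parent = ev.parent.lower()
        target = ev.target.lower()
        if ev.kind == "proc":
            # Stage 1: an Office document spawning a script interpreter.
            if parent in OFFICE_APPS and target in SCRIPT_HOSTS:
                findings.append(
                    f"office_spawns_script: {ev.parent} -> {ev.target} [{ev.detail}]")
            # Stage 2: that interpreter starting the hollowing target.
            elif parent in SCRIPT_HOSTS and target in HOLLOWING_HOSTS:
                findings.append(
                    f"script_spawns_msbuild: {ev.parent} -> {ev.target}")
        elif ev.kind == "net":
            # Stage 3: the hollowed build tool talking to the network. A hit on
            # the reported host or port is a known C2 match; anything else from
            # MSBuild.exe is still worth a review, since a build tool rarely
            # needs arbitrary outbound connections on an end-user workstation.
            if parent in HOLLOWING_HOSTS:
                known = target == C2_HOST or int(ev.detail) == C2_PORT
                reason = "known_c2" if known else "unexpected_outbound"
                findings.append(
                    f"msbuild_network_{reason}: {ev.parent} -> {ev.target}:{ev.detail}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EVENTS):
        print(finding)
```

The three stages are scored independently so that a partial chain (for example, Excel launching PowerShell without a later MSBuild.exe launch) still surfaces; correlating the findings by host and time window is left to whatever SIEM or EDR consumes them.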

Experts warn that XWorm is highly dangerous due to its modular design, which enables hackers to add over 50 plugins to expand its capabilities. These plugins allow the malware to spy on users via their webcam, log keystrokes, and even launch DDoS attacks. Furthermore, XWorm has built-in features for ransomware, making it a formidable threat.

Expert Insights

Industry experts note that the danger lies in the campaign’s ordinariness, with hackers using well-known techniques to devastating effect. Shane Barney, Chief Information Security Officer at Keeper Security, comments that the campaign’s “clean execution chain built from components we’ve all seen before” makes it particularly striking. Jason Soroko, Senior Fellow at Sectigo, adds that the hackers’ confidence in using legacy Office exploit paths is worrying, as it demonstrates the continued effectiveness of these tactics.

Defending Against the Threat

To defend against this threat, users are advised to keep their software updated and exercise caution when opening unexpected attachments. The campaign’s reliance on social engineering tactics highlights the importance of user awareness and education in preventing these types of attacks.
