HomeCII/OTMicrosoft's Follina Bug Resurfaces in Cyberattacks Targeting Travel Organizations Using Memes

Microsoft’s Follina Bug Resurfaces in Cyberattacks Targeting Travel Organizations Using Memes

Published on

spot_img

An ongoing cyber attack campaign has been using last year’s Follina remote code execution (RCE) vulnerability to deposit the XWORM remote access trojan (RAT) and data-stealer to targets primarily in the hospitality industry. The MEME#4CHAN campaign, as it has been dubbed, was broken down by researchers from Securonix on May 12. The campaign begins with a phishing email that appears to be hospitality-related, with a Microsoft Word document attached that continues the theme, such as “Details for booking.docx.”

Once the intended victim clicks on the attached document, they’re presented with a dialogue box asking them if they want to update that document with data from the linked files, regardless of whether they answer “yes” or “no”, a Word document is opened containing stolen images of a French driver’s license and debit card. The MEME#4CHAN campaign uses Follina to download an obfuscated Powershell script once the victim opens the Word document. The script contains various memes and uninspiring jokes, and various other methods to obfuscate the threat.

A Swiss Army knife of a RAT, XWORM does RAT things such as checking for antivirus, and communicating with a command and control server while also containing espionage features such as accessing a device’s microphone and camera, keylogging, and even causing follow-on attacks like distributed denial of service (DDoS) or ransomware. A few XWORM versions, including a leaked 3.1 version, have appeared online in recent months. The individual who published the 3.1 code to GitHub described the malware as “sh*tty.”

It is still unclear who is behind the attack, but evidence adds color and cloudiness to the attribution picture. Several variables in the code reference Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it. The Securonix researchers note that the attack methodology is similar to that of TA558, a cybercriminal gang that has previously targeted the hospitality industry. However, the researchers added that “TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign.”

It is recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting. It is also advised not to underestimate the risk from a RAT as, even though XWORM has been called “sh*tty,” it can still cause considerable harm.

Source link

Latest articles

AI Isn’t Bridging the Skills Gap — It’s Highlighting the Validation Gap

AI and Cybersecurity: A Growing Concern Amidst Rapid Deployment The advent of artificial intelligence (AI)...

PHP TLS Vulnerability Allows Remote Server to Cause DoS and Crash the Entire FPM Process

A newly disclosed high-severity vulnerability, tracked as CVE-2026-12184, has emerged in PHP, presenting a...

7 Common Pitfalls to Avoid in Cyber Risk Assessment

Understanding the Risks: Beyond Compliance in Cybersecurity In the realm of cybersecurity, effective communication of...

Gaslight Stealer Uses Fake System Messages to Deceive AI Malware Analysts

Emergence of Gaslight: A New macOS Stealer from North Korean Operators A new malware variant,...

More like this

AI Isn’t Bridging the Skills Gap — It’s Highlighting the Validation Gap

AI and Cybersecurity: A Growing Concern Amidst Rapid Deployment The advent of artificial intelligence (AI)...

PHP TLS Vulnerability Allows Remote Server to Cause DoS and Crash the Entire FPM Process

A newly disclosed high-severity vulnerability, tracked as CVE-2026-12184, has emerged in PHP, presenting a...

7 Common Pitfalls to Avoid in Cyber Risk Assessment

Understanding the Risks: Beyond Compliance in Cybersecurity In the realm of cybersecurity, effective communication of...