HomeCII/OTMicrosoft's Follina Bug Resurfaces in Cyberattacks Targeting Travel Organizations Using Memes

Microsoft’s Follina Bug Resurfaces in Cyberattacks Targeting Travel Organizations Using Memes

Published on

spot_img

An ongoing cyber attack campaign has been using last year’s Follina remote code execution (RCE) vulnerability to deposit the XWORM remote access trojan (RAT) and data-stealer to targets primarily in the hospitality industry. The MEME#4CHAN campaign, as it has been dubbed, was broken down by researchers from Securonix on May 12. The campaign begins with a phishing email that appears to be hospitality-related, with a Microsoft Word document attached that continues the theme, such as “Details for booking.docx.”

Once the intended victim clicks on the attached document, they’re presented with a dialogue box asking them if they want to update that document with data from the linked files, regardless of whether they answer “yes” or “no”, a Word document is opened containing stolen images of a French driver’s license and debit card. The MEME#4CHAN campaign uses Follina to download an obfuscated Powershell script once the victim opens the Word document. The script contains various memes and uninspiring jokes, and various other methods to obfuscate the threat.

A Swiss Army knife of a RAT, XWORM does RAT things such as checking for antivirus, and communicating with a command and control server while also containing espionage features such as accessing a device’s microphone and camera, keylogging, and even causing follow-on attacks like distributed denial of service (DDoS) or ransomware. A few XWORM versions, including a leaked 3.1 version, have appeared online in recent months. The individual who published the 3.1 code to GitHub described the malware as “sh*tty.”

It is still unclear who is behind the attack, but evidence adds color and cloudiness to the attribution picture. Several variables in the code reference Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it. The Securonix researchers note that the attack methodology is similar to that of TA558, a cybercriminal gang that has previously targeted the hospitality industry. However, the researchers added that “TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign.”

It is recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting. It is also advised not to underestimate the risk from a RAT as, even though XWORM has been called “sh*tty,” it can still cause considerable harm.

Source link

Latest articles

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Chinese Cyberespionage Targets University Roundcube Servers

Espionage Campaign Targets University Departments with Advanced Cyber Tactics A sophisticated cyber-espionage campaign has recently...

Visa Threat Platform Tackles Payment Fraud

Visa Launches Advanced Threat Intelligence Platform to Combat Payment Fraud In a significant move to...

More like this

The Evolving Role of the CISO as the Future CFO

The Pressing Question of Cybersecurity Assurance: Is the CISO Role Sustainable? In the fast-evolving landscape...

Why the Gentlemen Ransomware Challenges Identity and Recovery Controls

Emerging Threat: The Gentlemen Ransomware Group Targeting Enterprises Globally A recent report by cybersecurity firm...

Chinese Cyberespionage Targets University Roundcube Servers

Espionage Campaign Targets University Departments with Advanced Cyber Tactics A sophisticated cyber-espionage campaign has recently...