An ongoing cyber attack campaign has been using last year’s Follina remote code execution (RCE) vulnerability to deliver the XWORM remote access trojan (RAT) and data-stealer to targets primarily in the hospitality industry. The campaign, dubbed MEME#4CHAN, was analyzed by researchers from Securonix on May 12. It begins with a phishing email that appears to be hospitality-related, with a Microsoft Word document attached that continues the theme, such as “Details for booking.docx.”
Once the intended victim opens the attached document, they are presented with a dialogue box asking whether they want to update the document with data from linked files. Whether they answer “yes” or “no,” a Word document opens containing stolen images of a French driver’s license and debit card. Once the document is open, the MEME#4CHAN campaign uses Follina to download an obfuscated PowerShell script. The script is padded with memes and uninspiring jokes alongside other obfuscation techniques intended to hide the threat.
A Swiss Army knife of a RAT, XWORM performs the standard RAT functions, such as checking for antivirus products and communicating with a command and control (C2) server, while also offering espionage features such as accessing a device’s microphone and camera, keylogging, and even launching follow-on attacks such as distributed denial of service (DDoS) or ransomware. A few XWORM versions, including a leaked 3.1 version, have appeared online in recent months. The individual who published the 3.1 code to GitHub described the malware as “sh*tty.”
It is still unclear who is behind the attack, but evidence adds color and cloudiness to the attribution picture. Several variables in the code reference Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it. The Securonix researchers note that the attack methodology is similar to that of TA558, a cybercriminal gang that has previously targeted the hospitality industry. However, the researchers added that “TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign.”
To avoid becoming victims, organizations are advised not to open unexpected attachments, to watch for malicious file-hosting websites, and to implement log anomaly detection and application whitelisting. They are also advised not to underestimate the risk from a RAT: even though XWORM has been called “sh*tty,” it can still cause considerable harm.
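As an added example of the log anomaly detection recommended above (not code from the Securonix write-up), the following detector flags the process lineage this campaign relies on: a Word process spawning a script host or the Windows diagnostic tool msdt.exe, which Follina abuses through ms-msdt: URIs. The pipe-delimited event format, hostnames and command lines are all constructed for illustration, not real telemetry.

```python
import re
from typing import Optional

# Office applications that should rarely launch script hosts or diagnostic tools.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child images worth flagging when an Office application is the parent.
SUSPICIOUS_CHILDREN = {"msdt.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments typical of Follina and download-and-execute stagers.
INDICATORS = re.compile(
    r"ms-msdt:|-e(c|nc|ncodedcommand)?\s|downloadstring|invoke-webrequest"
    r"|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.IGNORECASE,
)

# Constructed sample events: ts|host|parent_image|image|command_line
SAMPLE_EVENTS = [
    # Follina pattern: Word hands an ms-msdt: URI to the diagnostic tool.
    "2023-05-12T09:14:03Z|HOTEL-FD01|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\System32\\msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param CONSTRUCTED",
    # Stager pattern: Word launches a hidden, encoded PowerShell session.
    "2023-05-12T09:14:05Z|HOTEL-FD01|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -nop -enc CONSTRUCTEDBASE64==",
    # Benign: an administrator opens PowerShell from the desktop.
    "2023-05-12T09:20:41Z|HOTEL-FD02|C:\\Windows\\explorer.exe"
    "|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe",
    # Benign: Word spawns the print spooler helper.
    "2023-05-12T09:22:10Z|HOTEL-FD02|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|C:\\Windows\\splwow64.exe|splwow64.exe",
]

def parse_event(line: str) -> dict:
    """Split one event into fields, reducing image paths to lower-case file names."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "cmd": cmd,
            "parent": parent.rsplit("\\", 1)[-1].lower(),
            "image": image.rsplit("\\", 1)[-1].lower()}

def classify(event: dict) -> Optional[str]:
    """Return a reason string for an Office-spawned execution event, else None."""
    if event["parent"] not in OFFICE_PARENTS or event["image"] not in SUSPICIOUS_CHILDREN:
        return None
    hits = sorted({m.group(0).strip().lower() for m in INDICATORS.finditer(event["cmd"])})
    reason = f"{event['parent']} spawned {event['image']}"
    return reason + (f" with indicators {hits}" if hits else "")

def detect(lines) -> list:
    """Run every event through classify() and collect the findings in log order."""
    findings = []
    for event in map(parse_event, lines):
        reason = classify(event)
        if reason:
            findings.append({"ts": event["ts"], "host": event["host"], "reason": reason})
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields two findings on HOTEL-FD01 and leaves the administrator's PowerShell session and the print helper unflagged; the parent-child pairing, not PowerShell alone, is what makes the events anomalous.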