A threat actor is exploiting last year’s Follina remote code execution (RCE) vulnerability to deploy the XWORM remote access trojan (RAT) and data-stealer against targets in the hospitality industry.
On May 12, researchers from Securonix broke down the campaign, which uses Follina to drop PowerShell code onto target machines. That code is rife with 4Chan and meme references, so the researchers refer to the campaign as “MEME#4CHAN,” due to the amorphous line it draws between stealth and internet humor.
The MEME#4CHAN Attack Flow
MEME#4CHAN attacks begin with a phishing email, with a hospitality hook in the subject line — something like “Reservation for Room.” Attached will be a Microsoft Word document furthering the theme, such as “Details for booking.docx.”
Once a victim clicks on the document, they’re presented with a dialog box: “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?” But regardless of whether they click “Yes” or “No,” a Word document opens, containing stolen images of a French driver’s license and debit card.
The choice of a .docx file is notable. Attackers long relied on malicious macros in Office files to gain a foothold on a target machine, a tactic that is far less effective now that Microsoft blocks macros in files downloaded from the Internet by default.
Without that option, MEME#4CHAN instead turns to Follina. Follina (CVE-2022-30190) is an RCE vulnerability that carries a “high” CVSS score of 7.8. It allows attackers to create specially crafted Microsoft Word files that trick the Microsoft Support Diagnostic Tool (MSDT) into downloading and executing malicious code from an attacker-controlled server. The bug was disclosed and patched a year ago.
Through Follina, MEME#4CHAN downloads an obfuscated PowerShell script once the Word document is opened. The script is notable for its labored references, memes, and uninspiring jokes. The author laments at multiple points “why my ex left me,” for example, and gives directories, variables, and functions names such as “mememan,” “shakalakaboomboom,” and “stepsishelpme.”
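The Word-to-MSDT-to-PowerShell chain described above is what process-creation telemetry can catch, which is also where the log anomaly detection Securonix recommends would apply. The following is an added example, not code from Securonix or from the article: it parses constructed process-creation lines (field names borrowed from Sysmon Event ID 1) and flags an Office application launching msdt.exe, and msdt.exe or its helper sdiagnhost.exe launching a script host. The log layout and process IDs are assumptions made for this example.

```python
from ntpath import basename  # Windows-style path splitting, works on any host

# Parent/child pairings that are characteristic of a Follina-style document launch.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events (assumed 'Key=Value | Key=Value' layout); the
# first three lines model a Follina chain, the last two are benign activity.
SAMPLE_LOG = """\
ProcessId=4101 | ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | Image=C:\\Windows\\System32\\msdt.exe
ProcessId=4102 | ParentImage=C:\\Windows\\System32\\msdt.exe | Image=C:\\Windows\\System32\\sdiagnhost.exe
ProcessId=4103 | ParentImage=C:\\Windows\\System32\\sdiagnhost.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
ProcessId=5001 | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\msdt.exe
ProcessId=5002 | ParentImage=C:\\Windows\\explorer.exe | Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""


def parse_event(line):
    """Turn one 'Key=Value | Key=Value' line into a dict of fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return a rule name if the parent/child pair matches a Follina stage, else None."""
    parent = basename(event.get("ParentImage", "")).lower()
    image = basename(event.get("Image", "")).lower()
    if parent in OFFICE_APPS and image == "msdt.exe":
        return "office-spawned-msdt"          # Word handing off to MSDT
    if parent in MSDT_CHAIN and image in SCRIPT_HOSTS:
        return "msdt-spawned-script-host"     # MSDT running the dropped PowerShell
    return None


def detect(log_text):
    """Scan every event line and return (ProcessId, rule) for each hit, in order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("ProcessId", "?"), verdict))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_LOG):
        print(f"PID {pid}: {rule}")
```

A legitimate msdt.exe launched from Explorer, or a user-started PowerShell session, produces no hit; only the Office-to-MSDT and MSDT-to-script-host edges fire.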
The jokes might be considered a unique stealth tactic, designed to instantly repel any researcher of good taste. But Securonix researchers noted that the attack uses other more traditional obfuscation as well.
In fact, the researchers found variables in the PowerShell code ranging from “semi-” to “heavily” obfuscated, they said, including a “heavily obfuscated” .NET binary which, once decoded, revealed itself as the XWORM RAT.
“The relative amount of effort invested into obfuscation and covertness is higher than for the similar attacks we observed,” says Oleg Kolesnikov, vice president of threat research and detection at Securonix, “and it is not yet clear why.”
What Is XWORM?
XWORM is a bit of a Swiss Army knife of a RAT.
On one hand, it does RAT things — checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor to a machine, and creating an autorun entry to ensure persistence across restarts.
At the same time, it comes replete with espionage features, including capabilities for accessing a device’s microphone and camera, and keylogging; and it can instigate follow-on attacks like distributed denial of service (DDoS) or even ransomware.
That said, the malware is of dubious quality, some note.
Multiple iterations of XWORM have been leaked online in recent months, including a 3.1 version just last month. The individual who published the 3.1 code to GitHub didn’t appear to hold it in high regard.
“There are so many sh*tty Rat [sic], XWorm is one of them. I’m sharing it so that you don’t pay for such things for nothing,” the person wrote in a README file.
“Compared to some of the other similar underground attack tools for which source code was leaked recently,” Kolesnikov judges, “XWORM does appear to have arguably somewhat less advanced capabilities, though [it’s usefulness] often depends on the specific capability [required]. It depends on how the malicious threat actors use the tool as part of an attack.”
Which Cybercriminals Are Behind MEME#4CHAN?
According to the researchers, it’s likely the author behind MEME#4CHAN is English-speaking, due to all the 4Chan references in their code.
Dark Reading also independently observed several variables in the code referencing Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it.
Taking further evidence into account adds color and cloudiness to the attribution picture. “The attack methodology is similar to that of TA558, a cybercriminal gang, where phishing emails were delivered targeting the hospitality industry,” the Securonix researchers explained.
They added, however, that “TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign.”
Whoever’s behind it, it doesn’t appear that this campaign is over with, as several of its associated C2 domains are still active.
The researchers recommended that, to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting.