An updated version of the XWorm Remote Access Trojan (RAT), which can grant attackers complete remote control of compromised Microsoft Windows systems, has been seen in a new phishing campaign. XWorm, first discovered in 2022, is easily obtained by many threat actors and is still widely disseminated and frequently traded through Telegram-based marketplaces.

An overview of the infection chain for the XWorm phishing campaign (Source: Fortinet)

In the most recent activity, attackers tricked targets into opening a malicious Excel add-in attachment (.XLAM) by using a variety of business-style email themes, including purchase orders, signed shipment documents, and payment detail reviews.

Phishing email samples from the XWorm campaign (Source: Fortinet)

The lure is simple but effective: once the attachment is opened, the chain moves rapidly from document execution to in-memory malware delivery, raising the risk of account theft, data loss, and hands-on-keyboard control. After discovering this campaign in the wild, Fortinet researchers documented how a manipulated Excel file exploits CVE-2018-0802, a remote code execution vulnerability in the Microsoft Equation Editor (EQNEDT32.EXE) that is still being exploited today.

CVE-2018-0802 is exploited by a malformed OLE object stream (Source: Fortinet)

According to their analysis, when the file is opened, an embedded OLE object configured for auto-load causes shellcode to run.

Mechanism of infection

When CVE-2018-0802 is triggered, the shellcode downloads an HTA from retrodayaengineering[.]icu/HGG.hta, saves it as %APPDATA%\VA5.hta, and then launches it using ShellExecuteExW.

The downloaded HTA file is then executed using ShellExecuteExW() (Source: Fortinet)

This step shifts the chain from a document exploit to script-based execution, which helps the operator blend in with regular Windows activity while the payload is staged. The obfuscated HTA runs under mshta.exe and drops a Base64-encoded PowerShell payload that extracts a hidden .NET module positioned between the "BaseStart" and "-BaseEnd" markers and retrieves optimized_MSI_lpsd9p.jpg from a Cloudinary URL.

The loader module is concealed under the assembly name Microsoft.Win32.TaskScheduler. In the early stages it operates filelessly in memory, so no clean on-disk malware binary is ever written.

XWorm payload seen in a static analysis program (Source: Fortinet)

After decoding a reversed Base64 URL, the .NET loader retrieves wwa.txt from pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev, reconstructs the XWorm payload in memory, and uses process hollowing to inject it into a freshly created Msbuild.exe process.
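As an added illustration of the staging described above (example code written for this article, not Fortinet's tooling or the malware's own code), the following Python helper pulls the marker-delimited module and the reversed-Base64 download URL out of a PowerShell payload. It assumes, as labelled in the comments, that the PowerShell blob is the UTF-16LE form used by -EncodedCommand, that the material between the markers is itself Base64, and that the URL is stored as a reversed Base64 string; the sample payload and its placeholder host are constructed here, not taken from the campaign.

```python
import base64
import re
from typing import Dict, List, Optional

# Markers named in the Fortinet write-up for the hidden .NET module.
START_MARKER = "BaseStart"
END_MARKER = "-BaseEnd"


def decode_powershell_blob(b64_blob: str) -> str:
    """Decode a -EncodedCommand style blob: Base64 over UTF-16LE script text.
    (Assumption: the HTA hands PowerShell its payload in this common form.)"""
    return base64.b64decode(b64_blob).decode("utf-16-le")


def extract_marked_module(script: str) -> Optional[bytes]:
    """Return the bytes between the markers, or None if either marker is absent.
    (Assumption: the material between the markers is itself Base64.)"""
    start = script.find(START_MARKER)
    if start == -1:
        return None
    end = script.find(END_MARKER, start + len(START_MARKER))
    if end == -1:
        return None
    inner = script[start + len(START_MARKER):end].strip()
    return base64.b64decode(inner)


def is_pe(blob: bytes) -> bool:
    """A .NET assembly is a PE image, so a genuine module starts with 'MZ'."""
    return blob[:2] == b"MZ"


def decode_reversed_b64_url(reversed_b64: str) -> str:
    """Undo the reversal, then the Base64 (the write-up's reversed-URL trick)."""
    return base64.b64decode(reversed_b64[::-1], validate=True).decode("ascii")


def defang(url: str) -> str:
    """Render a URL safely for a report: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def triage(b64_blob: str) -> Dict[str, object]:
    """Summarise one payload: is the hidden module a PE, and where does it fetch from."""
    script = decode_powershell_blob(b64_blob)
    module = extract_marked_module(script)
    urls: List[str] = []
    # Any long single-quoted Base64-looking literal is a candidate reversed URL.
    for cand in re.findall(r"'([A-Za-z0-9+/=]{8,})'", script):
        try:
            url = decode_reversed_b64_url(cand)
        except (ValueError, UnicodeDecodeError):
            continue
        if url.startswith(("http://", "https://")):
            urls.append(defang(url))
    return {
        "module_is_pe": module is not None and is_pe(module),
        "module_size": len(module) if module else 0,
        "urls": urls,
    }


# Constructed sample, not a capture: a stub standing in for the loader
# and a placeholder host standing in for the real download location.
FAKE_MODULE = b"MZ" + b"\x90" * 14 + b"constructed-stub"
PLACEHOLDER_URL = "https://example.invalid/wwa.txt"
SAMPLE_SCRIPT = (
    "$u = '" + base64.b64encode(PLACEHOLDER_URL.encode()).decode()[::-1] + "';\n"
    + START_MARKER + base64.b64encode(FAKE_MODULE).decode() + END_MARKER + "\n"
)
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB))
```

The MZ check matters in practice: a blob that sits between the markers but is not a PE image is usually a further encoding layer or a decoy, and reporting it as "the loader" would mislead the analyst.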

Because the RAT decrypts its configuration after execution, connects to berlin101[.]com:6000, and uses AES-encrypted traffic, defenders should give top priority to patching, blocking, or isolating Equation Editor exposure. Add detections for the listed domains and URLs, and tighten controls on mshta.exe, PowerShell and Msbuild.exe, as well as on XLAM and HTA execution paths.
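As an added example of the detection side (written for this article, not Fortinet's or any product's rules), the following Python evaluates constructed process-creation and network-connection events, modelled loosely on Sysmon Event ID 1 and 3 fields, against the chain the write-up describes: Office spawning EQNEDT32.EXE, mshta.exe running an HTA from %APPDATA%, mshta.exe launching encoded PowerShell, MSBuild.exe spawned by a script host, and connections to the listed infrastructure. The field names and the sample events are assumptions of this example.

```python
import re
from typing import Dict, List

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Infrastructure named in the write-up, kept defanged as it appears there.
IOC_HOSTS = {
    "retrodayaengineering[.]icu",
    "pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev",
    "berlin101[.]com",
}
IOC_PORT = 6000  # C2 port reported for the XWorm sample

HTA_IN_APPDATA = re.compile(r"\\appdata\\roaming\\[^\s]+\.hta", re.I)
ENCODED_PS = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.I)


def basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defang(host: str) -> str:
    """Normalise a hostname to the defanged form used in IOC_HOSTS."""
    return host.replace("[.]", ".").replace(".", "[.]")


def evaluate(events: List[Dict[str, object]]) -> List[str]:
    """Return one alert string per suspicious event (field names are assumed)."""
    alerts: List[str] = []
    for ev in events:
        img = basename(str(ev.get("image", "")))
        parent = basename(str(ev.get("parent_image", "")))
        cmd = str(ev.get("command_line", ""))
        if ev.get("event_id") == 1:  # process creation
            if parent in OFFICE and img == "eqnedt32.exe":
                alerts.append(f"{parent} spawned Equation Editor: CVE-2018-0802 exploitation pattern")
            if img == "mshta.exe" and HTA_IN_APPDATA.search(cmd):
                alerts.append("mshta.exe executing an HTA dropped under %APPDATA%")
            if parent == "mshta.exe" and img in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
                alerts.append("mshta.exe launched encoded PowerShell")
            if img == "msbuild.exe" and parent in SCRIPT_HOSTS:
                alerts.append(f"MSBuild.exe spawned by {parent}: process-hollowing host pattern")
        elif ev.get("event_id") == 3:  # network connection
            host = defang(str(ev.get("dest_host", "")))
            port = ev.get("dest_port")
            if host in IOC_HOSTS or (img == "msbuild.exe" and port == IOC_PORT):
                alerts.append(f"{img} connected to {host}:{port} (listed XWorm infrastructure)")
    return alerts


# Constructed events (not real telemetry) replaying the chain, plus two benign ones.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"event_id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "command_line": ""},
    {"event_id": 1,
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\user\AppData\Roaming\VA5.hta"},
    {"event_id": 1,
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QUJDRA=="},
    {"event_id": 1,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",
     "command_line": "Msbuild.exe"},
    {"event_id": 3,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",
     "dest_host": "berlin101[.]com", "dest_port": 6000},
    # Benign: a developer build and an ordinary browser connection.
    {"event_id": 1, "parent_image": r"C:\VS\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe",
     "command_line": "Msbuild.exe app.csproj"},
    {"event_id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Each rule keys on a parent/child relationship rather than on a file hash, so it survives the payload being re-packed; the domain list is the brittle part and should be refreshed from the vendor's published indicators.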