• Sat. Oct 14th, 2023

Unusual Phishing Campaign Uses Memes as Virus Variables, MEME#4CHAN

Avatar photo

ByEsme Greene

Jul 24, 2023
Unusual Phishing Campaign Uses Memes
Esme Greene
Latest posts by Esme Greene (see all)

Security professionals have found a fresh scam in which the XWorm malware is being distributed to target computers by means of an innovative chain of assaults.

The majority of the assaults, according to CompanySecuronix, which tracks this malicious activity under the handle “MEME#4CHAN,” were made against hospitals and manufacturing facilities in Germany. According to the researchers’ assessment, “as part of this operation, the attackers used unusual PowerShell code filled with memes and heavily obfuscated XWorm virus to infect its victims.”

Experts claim that MEME#4CHAN assaults start with phishing emails that contain phony Microsoft Word documents that take advantage of a Windows vulnerability CVE-2022-30190 to load the PowerShell script that was encrypted.

Unusual Names 

The researchers discovered several variables with pretty intriguing and strange names, clearly referencing a foreign meme culture, when analyzing this PowerShell script. The names of several variables were as follows:

  • $CHOTAbheem (title of an Indian animated series)
  • $Colaburbumbum
  • $NuclearDefusion 
  • $MEME2026 
  • $Pentagon
  • $Shakalakaboomboom
  • $Sexybunbun 

The attackers launched the.NET-binary containing XWorm after bypassing AMSI, turning off Microsoft Defender, setting persistence on the target machine, and using the aforementioned PowerShell script to do so.

The Serious Threat?

The commercial virus known as XWorm, which is marketed on anonymous forums, contains a variety of tools for stealing private data from infected hosts. The program’s functionality is also considerably increased by the ability to download new payloads, turning it into a type of Swiss knife for cybercriminals.

Who is Behind the Campaign?

The attack’s perpetrator or group may be of Middle Eastern or Indian origin, according to early verification, the experts added, though this has not yet been proven.

Avatar photo

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.