Security researchers have uncovered a new campaign in which the XWorm malware is being delivered to target computers through an unusual attack chain.
According to Securonix, which tracks this malicious activity under the name “MEME#4CHAN,” the majority of the attacks were aimed at hospitals and manufacturing facilities in Germany. In the researchers’ assessment, “as part of this operation, the attackers used unusual PowerShell code filled with memes and heavily obfuscated XWorm virus to infect its victims.”
According to the researchers, MEME#4CHAN attacks begin with phishing emails carrying bogus Microsoft Word documents that exploit the Windows vulnerability CVE-2022-30190 to load an encrypted PowerShell script.
While analyzing this PowerShell script, the researchers found several variables with intriguing and strange names that clearly reference a foreign meme culture. Among the variable names were the following:
- $CHOTAbheem (title of an Indian animated series)
Using this PowerShell script, the attackers bypassed AMSI, disabled Microsoft Defender, established persistence on the target machine, and then launched the .NET binary containing XWorm.
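The chain described above (Word document, CVE-2022-30190, encoded PowerShell, Defender tampering, persistence, final payload) leaves a recognisable trail in endpoint telemetry. The script below is an added detection example, not code from Securonix or from the article: it runs a few chain-oriented rules over constructed JSON-lines events loosely modelled on Sysmon process-creation records and PowerShell script-block logs (field names `event`, `host`, `parent`, `image`, `cmdline` and `script` are this example's own assumption), and it reports hosts where several stages fire together rather than a single lone alert. CVE-2022-30190 is the Windows MSDT flaw, so an Office application spawning `msdt.exe` is the process-tree signal for the first stage; the sample command lines and script blocks are constructed for the demonstration.

```python
import base64
import json
import re
from dataclasses import dataclass
from typing import Optional

# Parent/child process names that matter for this chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"msdt.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

# -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts prefixes).
ENCODED_CMD_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Set-MpPreference -Disable<Feature> $true, or Add-MpPreference -Exclusion* (Defender tampering).
DEFENDER_OFF_RE = re.compile(r"(?i)\bSet-MpPreference\b.*?-Disable\w+\s+\$?true|\bAdd-MpPreference\b.*?-Exclusion")
# Writes to a CurrentVersion\Run key from PowerShell or reg.exe (persistence).
RUN_KEY_RE = re.compile(r"(?i)\b(?:New|Set)-ItemProperty\b.*?CurrentVersion\\Run\b|\breg(?:\.exe)?\s+add\b.*?CurrentVersion\\Run\b")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE, so not a decodable payload


def check_process(ev: dict) -> list:
    """Rules for process-creation events (event 1)."""
    out, host = [], ev.get("host", "?")
    parent, image = basename(ev.get("parent", "")), basename(ev.get("image", ""))
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        rule = "office-spawned-msdt" if image == "msdt.exe" else "office-spawned-script-host"
        out.append(Finding(host, rule, f"{parent} -> {image}"))
    if parent == "msdt.exe" and image in SCRIPT_HOSTS - {"msdt.exe"}:
        out.append(Finding(host, "msdt-spawned-script-host", f"{parent} -> {image}"))
    decoded = decode_encoded_command(ev.get("cmdline", ""))
    if decoded is not None:
        out.append(Finding(host, "encoded-powershell", decoded[:60]))
    return out


def check_scriptblock(ev: dict) -> list:
    """Rules for PowerShell script-block events (event 4104)."""
    out, host, script = [], ev.get("host", "?"), ev.get("script", "")
    if DEFENDER_OFF_RE.search(script):
        out.append(Finding(host, "defender-tampering", script[:80]))
    if RUN_KEY_RE.search(script):
        out.append(Finding(host, "run-key-persistence", script[:80]))
    return out


def analyze(events) -> list:
    findings = []
    for ev in events:
        if ev.get("event") == 1:
            findings.extend(check_process(ev))
        elif ev.get("event") == 4104:
            findings.extend(check_scriptblock(ev))
    return findings


def hosts_with_chain(findings, min_rules: int = 3) -> set:
    """Hosts where at least min_rules distinct rules fired: a chain, not a lone alert."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if len(rules) >= min_rules}


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (not from the Securonix report). The encoded
# command is harmless and built here so the decode step can be checked.
_ENC = base64.b64encode("Start-Sleep 1; Get-Process".encode("utf-16-le")).decode()
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"event": 1, "host": "ws-17", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe", "cmdline": "msdt.exe [arguments omitted in this constructed sample]"},
    {"event": 1, "host": "ws-17", "parent": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"event": 4104, "host": "ws-17",
     "script": "$CHOTAbheem = 1; Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath $env:APPDATA"},
    {"event": 4104, "host": "ws-17",
     "script": r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Updater -Value $env:APPDATA\svc.exe"},
    {"event": 1, "host": "ws-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"event": 4104, "host": "ws-02", "script": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
])

if __name__ == "__main__":
    results = analyze(parse_jsonl(SAMPLE_JSONL))
    for f in results:
        print(f"{f.host:6} {f.rule:26} {f.detail}")
    print("hosts with a multi-stage chain:", sorted(hosts_with_chain(results)))
```

Each rule on its own is noisy (administrators do change Defender settings and write Run keys), which is why `hosts_with_chain` only promotes a host when several distinct stages fire on it; on the sample data only `ws-17` qualifies, while the benign `Get-MpPreference` query on `ws-02` does not match the tampering rule at all.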
The Serious Threat?
XWorm is a commercial malware family sold on anonymous forums that bundles a variety of tools for stealing private data from infected hosts. Its ability to download additional payloads extends its functionality considerably, making it a kind of Swiss Army knife for cybercriminals.
Who is Behind the Campaign?
The experts added that, according to preliminary analysis, the attacker or group behind the campaign may be of Middle Eastern or Indian origin, though this has not yet been confirmed.