Cybercriminals are weaponizing seemingly legitimate invoice emails to deploy the XWorm remote-access trojan (RAT). Once installed, the malware runs quietly in the background, letting attackers steal login credentials, passwords, and sensitive personal files from infected systems. The lure works because recipients expect payment notifications and tend to open them as a matter of routine, which makes it a highly effective tactic.
The campaign begins with phishing emails that pose as routine payment notifications. The messages, often sent in the name of an account officer, ask the recipient to review a processed invoice. The attachment, however, is a Visual Basic Script (.vbs) file; double-clicking it hands it to Windows Script Host (wscript.exe), which runs the malicious code immediately and without any visible warning. That silence is what makes XWorm dangerous: victims may not realize their system is compromised until significant damage has been done. Once active, XWorm gives attackers extensive control over the machine, including keystroke logging, user surveillance, theft of personal data, and the ability to deploy further payloads such as ransomware.
Hackers Weaponizing Invoices to Deploy XWorm Malware
The current wave of attacks relies on dated technology. Visual Basic Script attachments are rarely seen in legitimate business communication today, and because a .vbs file executes directly when it is opened, many email security systems flag or block the file type outright. That rarity should make a malicious invoice stand out rather than blend in; the danger lies in the cases where the attachment nonetheless slips past the filters, because the consequences are then severe.
Malwarebytes security analysts detect the malicious attachment as Backdoor.XWorm. XWorm is sold under a malware-as-a-service (MaaS) model: customers rent or buy access to the infrastructure that maintains the backdoor connections and collects the stolen data. That lowers the barrier to entry for less technically skilled attackers, allowing them to run complex campaigns and widening the threat to individuals and organizations alike.
Infection Mechanism and Execution Flow of XWorm
The infection chain starts with a simple email but quickly escalates through several stages of obfuscation. The .vbs file consists largely of heavily disguised code whose only job is to write a second file, a batch script, to the compromised system. That batch file then copies itself into the user's profile directory under the name `aoc.bat`. Placing the copy there rather than in a temporary folder helps the malware persist: it survives even if temporary files are cleared.
One trick the attackers use is a self-relaunch check at the top of the batch file. The script tests whether a specific environment variable exists. If it does not, the script starts a new copy of itself in a minimized window, so that it runs out of the user's sight, and the original process exits; the relaunched copy, which now finds the variable set, carries on. This masks the first stages of the infection.
Inside the batch file the attackers pad the code with redundant variables. These dummy variables serve no functional purpose; they exist only to bloat and obfuscate the script and to confuse analysis tools and researchers. Because they are defined but never referenced, they can be stripped mechanically, after which the fundamental commands become visible: file manipulation, reading encoded data, and launching PowerShell.
The batch file also hides two payload sections disguised as commented-out lines. Those lines actually hold encrypted malware data. The final stage is a PowerShell script that reads the hidden payloads out of `aoc.bat`, decrypts them with AES using a hardcoded key, and decompresses the result with GZip. The output is two executables that are loaded straight into memory and never written to disk. This fileless approach is effective against traditional antivirus products that rely on scanning files for known signatures, since the decrypted executables never exist as files. It is not invisible, though: the .vbs and `aoc.bat` do sit on disk, and the PowerShell stage is subject to AMSI and script-block logging, so behavioural monitoring and in-memory scanning are the controls that catch this part of the chain.
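The following Python script is an added illustration, not Malwarebytes' code or anything taken from the sample. It builds a constructed look-alike of `aoc.bat` (dummy `set` variables, the minimized self-relaunch check, and two payload sections hidden in `::` comment lines), then performs the two analyst steps the text describes: stripping padding variables that are never referenced so the real commands read as cmd would run them, and carving the hidden sections back into executables. The variable names, the `::` comment convention and the layout are assumptions. The AES layer with the hardcoded key is not reproduced (the constructed sample is base64 plus GZip only), so on a real file the decryption step would sit between the base64 decode and the gunzip.

```python
import base64
import gzip
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for the two hidden payloads. A real aoc.bat carries full PE
# files that are AES-encrypted with a hardcoded key before the GZip layer; the AES
# layer is not reproduced here (standard library only), so the sample is base64 + gzip.
FAKE_PAYLOADS = [
    b"MZ" + b"\x90" * 8 + b"constructed loader stage",
    b"MZ" + b"\x90" * 8 + b"constructed xworm stage",
]

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=(.*?)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def hide_in_comments(blob: bytes, width: int = 60) -> List[str]:
    """Model the attacker's encoding: gzip, base64, then split into ':: ' comment lines."""
    b64 = base64.b64encode(gzip.compress(blob, mtime=0)).decode()
    return [":: " + b64[i:i + width] for i in range(0, len(b64), width)]


def build_sample_bat() -> str:
    """Constructed aoc.bat look-alike (assumed layout): dummy variables, the minimized
    self-relaunch check, two comment-hidden payload sections, and the PowerShell launcher."""
    lines = [
        "@echo off",
        "set zq1=padding value",
        "set wm9=another dummy",
        "set ps=powershell",
        "set self=%~f0",
        "set x8=third dummy",
        'if "%stage%"=="" (set stage=1 & start /min "" cmd /c "%self%" & exit)',
    ]
    lines += hide_in_comments(FAKE_PAYLOADS[0])
    lines.append("set cc2=dummy between sections")
    lines += hide_in_comments(FAKE_PAYLOADS[1])
    lines.append("%ps% -w hidden -nop -c \"[IO.File]::ReadAllLines('%self%')\"")
    return "\n".join(lines)


def deobfuscate_batch(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Drop 'set' lines whose variable is never referenced (padding), drop the comment-hidden
    payload lines, and expand the remaining %var% references in the real commands."""
    lines = text.splitlines()
    defs: Dict[str, str] = {}
    for line in lines:
        m = SET_RE.match(line)
        if m:
            defs[m.group(1).lower()] = m.group(2)
    used = {name.lower() for line in lines for name in REF_RE.findall(line)}
    cleaned: List[str] = []
    for line in lines:
        m = SET_RE.match(line)
        if m and m.group(1).lower() not in used:
            continue  # padding variable: defined but never referenced
        if line.lstrip().startswith("::"):
            continue  # comment-disguised payload data, handled by carve_payloads
        cleaned.append(REF_RE.sub(lambda r: defs.get(r.group(1).lower(), r.group(0)), line))
    return cleaned, {k: v for k, v in defs.items() if k in used}


def carve_payloads(text: str) -> List[bytes]:
    """Recover each run of '::' comment lines as one payload: join, base64-decode, gunzip.
    In the real chain the AES decryption with the hardcoded key happens before the gunzip."""
    sections: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("::"):
            current.append(stripped[2:].strip())
        elif current:
            sections.append(current)
            current = []
    if current:
        sections.append(current)
    payloads: List[bytes] = []
    for section in sections:
        raw = base64.b64decode("".join(section))
        if raw[:2] == b"\x1f\x8b":  # gzip magic
            payloads.append(gzip.decompress(raw))
    return payloads


def is_pe(blob: bytes) -> bool:
    """Minimal check that a carved blob is a Windows executable (MZ header)."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    sample = build_sample_bat()
    commands, kept_vars = deobfuscate_batch(sample)
    print("\n".join(commands))
    print("referenced variables:", kept_vars)
    for i, blob in enumerate(carve_payloads(sample)):
        print(f"payload {i}: {len(blob)} bytes, PE={is_pe(blob)}")
```

The two-pass approach matters: a padding variable can only be identified after every reference in the file has been collected, since attackers sometimes reference a dummy once to defeat naive stripping. On a real `aoc.bat`, run `carve_payloads` first to confirm the sections decode, then add the AES step with the key recovered from the PowerShell launcher before the gunzip.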
During sandbox analysis, researchers observed the sample creating a mutex named `5wyy00gGpG6LF3m6`. That mutex name is already recognized in the security community as belonging to the XWorm family, which confirms the classification and gives defenders a concrete indicator to hunt for. The continued weaponization of invoices, and the adaptability of malware like XWorm, underscore the need for vigilance and up-to-date security controls for businesses and individuals alike.
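As an added example of how a SOC would turn the chain above into detection logic (not part of the original report): the rules below run over constructed Sysmon-style process-creation events and flag the three links the text describes, a script host launching a batch file, a batch file relaunching itself minimized from a user-profile path, and a hidden-window PowerShell reading a `.bat`. The parent/child pairs, field names, paths and command lines are assumptions modelled on the described behaviour, not captured telemetry; the mutex name is the one reported in the text.

```python
import re
from typing import Dict, List, Tuple

# Mutex reported for this sample in the text; everything else in this block is constructed.
XWORM_MUTEX = "5wyy00gGpG6LF3m6"

# Constructed Sysmon-style process-creation events (assumed fields: Image, ParentImage, CommandLine).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Invoice_4471.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'cmd /c "C:\Users\alice\AppData\Local\Temp\inv.bat"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c start /min "" "C:\Users\alice\aoc.bat"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -w hidden -nop -c [IO.File]::ReadAllLines('C:\Users\alice\aoc.bat')"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
]

# A .bat anywhere under a user profile (the chain copies itself into the profile directory).
USER_BAT = re.compile(r"\\users\\[^\\]+(?:\\[^\\]+)*\\[^\\]+\.bat", re.IGNORECASE)
# PowerShell asked to run without a visible window (-w hidden / -WindowStyle hidden).
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# cmd's "start ... /min" relaunch used to hide the batch stage.
START_MIN = re.compile(r"\bstart\b.*\s/min\b", re.IGNORECASE)


def _name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the (assumed) rules a single event matches."""
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    cmdline = event["CommandLine"]
    hits: List[str] = []
    if image == "cmd.exe" and parent in ("wscript.exe", "cscript.exe") and USER_BAT.search(cmdline):
        hits.append("script-host-launches-batch")
    if image == "cmd.exe" and parent == "cmd.exe" and START_MIN.search(cmdline) and USER_BAT.search(cmdline):
        hits.append("batch-minimized-self-relaunch")
    if (image in ("powershell.exe", "pwsh.exe") and parent == "cmd.exe"
            and HIDDEN_WINDOW.search(cmdline) and USER_BAT.search(cmdline)):
        hits.append("hidden-powershell-reads-batch")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Evaluate every event; return (index, matched rules) for those that fire."""
    alerts: List[Tuple[int, List[str]]] = []
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            alerts.append((i, hits))
    return alerts


def sandbox_mutex_hits(observed: List[str]) -> List[str]:
    """Match mutex names from a sandbox report against the reported XWorm indicator."""
    return [m for m in observed if m == XWORM_MUTEX]


if __name__ == "__main__":
    for index, rules in scan(EVENTS):
        print(f"event {index}: {EVENTS[index]['CommandLine']}")
        print("   ->", ", ".join(rules))
```

Each rule keys on a parent/child pair plus a command-line pattern rather than on the file name `aoc.bat`, so a renamed dropper still fires; the mutex check is the one sample-specific indicator and belongs in sandbox triage, not in the process-tree rules.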