A new phishing campaign is actively distributing an updated variant of the XWorm Remote Access Trojan (RAT), malware that grants cybercriminals extensive control over infected Microsoft Windows systems. First identified in 2022, XWorm remains a readily accessible tool for threat actors, frequently traded on Telegram-based marketplaces, which contributes to its persistent use in ongoing attacks.
The latest observed campaign employs sophisticated social engineering tactics, using business-themed email lures. These meticulously crafted messages present urgent scenarios such as payment detail reviews, purchase orders, or signed shipment documents, aiming to entice recipients into opening malicious Excel add-in (.XLAM) attachments. This tactic bypasses common email security filters and preys on legitimate business workflows.
Understanding the XWorm RAT: Evolving Threats and Attack Vectors
According to Fortinet researchers who identified and documented this campaign, the infection chain is designed for rapid execution and evasion. Upon opening the malicious Excel attachment, the attack chain proceeds directly to in-memory malware delivery by exploiting a critical vulnerability. This bypasses traditional file-based detection methods, significantly increasing the risk of account theft, sensitive data loss, and enabling hands-on keyboard access for attackers.
The campaign leverages CVE‑2018‑0802, a known remote code execution flaw within Microsoft’s Equation Editor (EQNEDT32.EXE). This vulnerability, despite being old, continues to be exploited in real-world attacks due to organizations failing to apply necessary patches. Fortinet’s analysis revealed that a crafted Excel file contains an embedded Object Linking and Embedding (OLE) object configured to auto-load. When the file is opened, this triggers the execution of malicious shellcode.
The Infection Mechanism Detailed
Once the CVE‑2018‑0802 vulnerability is triggered, the initial shellcode performs a critical function: downloading a malicious HTA (HTML Application) file from a compromised domain, specifically retrodayaengineering[.]icu. This HTA file is saved to the user’s %APPDATA% directory with the name VA5.hta and is then executed using the ShellExecuteExW function. This transition from exploiting document vulnerabilities to executing script-based code helps the malware blend in with normal Windows system activity during the payload staging phase.
The obfuscated HTA file then runs under the legitimate mshta.exe process. It subsequently drops a Base64-encoded PowerShell payload. This payload fetches an image file, reported as optimized_MSI_lpsd9p.jpg, from a Cloudinary URL. Hidden within this image is a .NET module, located between the “BaseStart” and “-BaseEnd” markers. The loader module is disguised with an assembly name mimicking legitimate system components, such as Microsoft.Win32.TaskScheduler, and operates entirely in memory, further avoiding on-disk detection.
Following this, the in-memory .NET loader decodes a reversed Base64 URL to retrieve another component, wwa.txt, from a second domain, pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev. This component is then used to reconstruct the actual XWorm RAT payload in memory. The RAT is subsequently injected into a newly spawned Msbuild.exe process using a technique known as process hollowing. After successful execution, the XWorm RAT decrypts its configuration, establishes a connection to a command-and-control server at berlin101[.]com on port 6000, and encrypts all communication using AES.
Security experts recommend immediate action to mitigate the risks associated with this campaign. Prioritizing the patching of the CVE‑2018‑0802 vulnerability in Microsoft Equation Editor is paramount. Additionally, organizations should implement stricter controls on the execution of .XLAM and HTA files, enhance security policies governing the use of mshta.exe, PowerShell, and Msbuild.exe, and establish detection rules for the identified malicious domains and URLs. Continuous monitoring and timely security updates are crucial to staying ahead of evolving threats like the XWorm RAT.
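As an added illustration of the detection rules recommended above (not code from Fortinet or from the article), the following Python script flags each stage of the chain described in this write-up in endpoint telemetry: Equation Editor spawned by an Office application, mshta.exe running an .hta from %APPDATA%, encoded PowerShell under mshta.exe, Msbuild.exe spawned by PowerShell, and network activity to the published domains or port 6000. The event field names and the sample telemetry are constructed for the example; the indicators are the ones quoted in the article.

```python
import re

# Indicators quoted in the article, kept defanged; refanged only for matching.
IOC_DOMAINS = {"retrodayaengineering[.]icu",
               "pub-3bc1de741f8149f49bdbafa703067f24[.]r2[.]dev",
               "berlin101[.]com"}
C2_PORT = 6000

def refang(s):
    return s.replace("[.]", ".").lower()

# Each rule is (name, predicate). An event is a dict with lower-cased 'parent',
# 'image' (path or basename) and 'cmdline', plus optional 'dest_host'/'dest_port'.
RULES = [
    ("equation_editor_spawned_by_office",     # CVE-2018-0802 trigger
     lambda e: e["image"].endswith("eqnedt32.exe")
               and e["parent"].endswith(("excel.exe", "winword.exe"))),
    ("mshta_runs_hta_from_appdata",           # VA5.hta staged under %APPDATA%
     lambda e: e["image"].endswith("mshta.exe")
               and re.search(r"\\appdata\\.*\.hta\b", e["cmdline"])),
    ("encoded_powershell_child_of_mshta",     # Base64-encoded PowerShell stage
     lambda e: e["image"].endswith("powershell.exe") and e["parent"].endswith("mshta.exe")
               and re.search(r"\s-e(nc|ncodedcommand)?\s", e["cmdline"])),
    ("msbuild_child_of_powershell",           # process-hollowing host
     lambda e: e["image"].endswith("msbuild.exe") and e["parent"].endswith("powershell.exe")),
    ("known_campaign_network_indicator",      # staging/C2 domains, port 6000
     lambda e: e.get("dest_host") in {refang(d) for d in IOC_DOMAINS}
               or e.get("dest_port") == C2_PORT),
]

def detect(events):
    """Return (rule_name, image) for every event that matches a rule."""
    hits = []
    for raw in events:
        ev = {k: (v.lower() if isinstance(v, str) else v) for k, v in raw.items()}
        hits += [(name, ev["image"]) for name, pred in RULES if pred(ev)]
    return hits

# Constructed sample telemetry: the four stages described above plus one benign event.
SAMPLE_EVENTS = [
    {"parent": "EXCEL.EXE", "image": "EQNEDT32.EXE", "cmdline": '"EQNEDT32.EXE" -Embedding'},
    {"parent": "EQNEDT32.EXE", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\user\AppData\Roaming\VA5.hta"'},
    {"parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": "powershell.exe", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe", "dest_host": "berlin101.com", "dest_port": 6000},
    {"parent": "explorer.exe", "image": "EXCEL.EXE", "cmdline": '"EXCEL.EXE" budget.xlsx'},
]
```

Each rule on its own will also fire on unrelated abuse of the same binaries, so in production the parent-child sequence (Office to Equation Editor to mshta.exe to PowerShell to Msbuild.exe) within one session is the higher-confidence signal.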