The XWorm payload is "heavily obfuscated, adding an extra layer of complexity to its analysis." "The campaign used URLs pointing to scripts and PowerShell code to download and execute additional payloads as well as to establish persistence," researchers Pratik Pachpor and Adarsh S said.

The findings come as Trellix disclosed details of another XWorm campaign propagated via social engineering emails with PDF, DOCX and RTF attachments masquerading as invoices and purchase orders, in attacks aimed at the service, transport, and healthcare sectors in the U.S., South Korea, Germany, Austria, and Saudi Arabia. "The C2 server's traffic report reveals Europe and North America as the primary targets of this malicious campaign."

"The combination of XWorm and Remcos creates a formidable trojan with an array of malicious functionalities," Lin said. The PowerShell script, besides loading the injector, is configured to run another executable, which functions as a dropper by contacting a remote server to fetch the SYK Crypter containing the encrypted Remcos RAT malware.

The fact that a three-month-old program is already being weaponized in attacks underscores how quickly malicious actors adopt offensive tools to meet their goals.

In the final stage, the injected shellcode is decrypted to execute the XWorm remote access trojan, harvest sensitive data such as machine information, screenshots, and keystrokes, and remotely control the compromised device. Unlike most RATs used by malicious actors however. Like other RATs, Remcos gives the threat actor full control over the infected system and allows them to capture keystrokes, screenshots, credentials, or other sensitive system information.
The findings from Fortinet are no different in that the files are camouflaged as PDF files but are actually LNK files that execute a PowerShell script to launch the Rust-based injector, while displaying a decoy PDF document. Remcos is often delivered via malicious documents or archive files containing scripts or executables.