Cybersecurity researchers have uncovered a new phishing campaign, named MEME#4CHAN, that targets manufacturing firms and healthcare clinics in Germany, according to Securonix. The attacks use meme-filled PowerShell code to deliver the XWorm malware to targeted systems.
The campaign begins with phishing emails; instead of relying on macros, the attackers exploit the Follina vulnerability to drop an obfuscated PowerShell script.
Threat actors then use this script to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and launch the .NET binary containing XWorm. The origins of the threat actor are currently unclear, but they could have a Middle Eastern/Indian background, the researchers said.
XWorm malware is a commodity malware that is advertised for sale on underground forums. It comes with a wide range of features that allow it to siphon sensitive information from infected hosts.
The malware can also perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware. The attack methodology shares artifacts with those of TA558, a threat actor that has been observed striking the hospitality industry in the past.
The researchers point out that keywords such as “$CHOTAbheem” used in the PowerShell script could be a cover. Although phishing emails have rarely used Microsoft Office documents since Microsoft disabled macros by default, the researchers caution that it is still important to be vigilant about malicious document files, especially in cases where no VBScript is executed from macros.
The cybersecurity firm Elastic Security Labs had previously identified reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.
The current phishing campaign is noteworthy for its use of meme-filled PowerShell code and the Follina vulnerability in place of macros, highlighting the importance of continuous vigilance against evolving cyberthreats.