XWorm spread in Italy through a fake Namirial invoice

Summary:

The CERT-AGID has identified a malicious campaign distributing the XWorm RAT trojan through deceptive emails masquerading as official communications from Namirial. The emails contain a password-protected PDF that lures victims into downloading a ZIP file from Dropbox, which initiates a chain of compromise leading to the installation of various malware, including XWorm.

Keypoints:

  • Malicious campaign targeting users with XWorm RAT trojan.
  • Emails disguised as official communications from Namirial.
  • Password-protected PDF serves as bait for victims.
  • ZIP file download initiates malware installation process.
  • Utilizes TryCloudflare for creating temporary tunnels to local servers.
  • Final payload includes various RATs, notably XWorm.

MITRE Techniques:

  • Phishing (T1566): Utilizes deceptive emails to trick users into downloading malicious files.
  • Exploitation of Remote Services (T1210): Leverages TryCloudflare to create tunnels for malicious traffic.
  • Command and Control (T1071): Uses Cloudflare to maintain communication with compromised systems.
  • Obfuscated Files or Information (T1027): Employs BatchShield to obfuscate BAT files, complicating detection.
  • Malware (T1203): Downloads and executes various RATs, including XWorm, from compromised sources.

    10/25/2024

    [Figure: Email used for the XWorm RAT campaign]

    The CERT-AGID has detected a malicious campaign aimed at distributing the XWorm RAT trojan, disseminated through fake emails disguised as official communications from the provider Namirial.

    The email, written in Italian, invites the user to view an attached PDF document and, in case the file does not open correctly, suggests using an alternative link present in the body of the message.

    [Figure: Password-protected PDF]

    In reality, the PDF file is only bait: it is password-protected and cannot be opened, which pushes the victim to click the only alternative link available. That link starts the download of a ZIP archive, hosted on Dropbox, containing a URL file. From here, the chain of compromise begins.

    The URL file exploits the TryCloudflare feature, which allows attackers to create temporary tunnels to local servers and test the service without needing a Cloudflare account. Each tunnel generates a random subdomain on the trycloudflare.com domain, used to route traffic through the Cloudflare network to the local server.

    [Figure: File on TryCloudflare]

    The URL file then downloads a BAT file that has been obfuscated with the BatchShield tool. It can be easily deobfuscated with a dedicated tool, BatchShield decryptor.

    At this point the procedure is well known, having already been observed in previous campaigns. A second ZIP archive containing a Python interpreter is downloaded and used to execute the malicious scripts bundled in the same archive. This stage drops one of the following malware families: AsyncRAT, DCRat, GuLoader, VenomRAT, Remcos RAT or, as in the current case, XWorm.
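    The chain described above (ZIP from Dropbox, then a BAT file and a Python bundle fetched through a random trycloudflare.com subdomain) leaves a recognisable sequence in web-proxy logs. The script below is an added example, not code from CERT-AGID or from the original post: it parses constructed sample proxy lines (timestamp, client, method, URL, status; the hostnames and file names are made up for the example) and flags archive downloads from a file-sharing host followed by any download from a trycloudflare.com tunnel on the same client.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample proxy log (NOT indicators from the advisory):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-10-25T09:12:01Z 10.0.0.15 GET https://www.dropbox.com/scl/fi/abc123/fattura.zip?dl=1 200
2024-10-25T09:12:44Z 10.0.0.15 GET https://quiet-garden-xyz.trycloudflare.com/update.bat 200
2024-10-25T09:13:10Z 10.0.0.15 GET https://quiet-garden-xyz.trycloudflare.com/python.zip 200
2024-10-25T09:15:00Z 10.0.0.22 GET https://www.example.com/index.html 200
2024-10-25T09:16:30Z 10.0.0.22 GET https://cdn.example.com/app.js 304
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)")

# Stages named in the advisory: a ZIP from a file-sharing site and a
# download through a TryCloudflare quick tunnel (random subdomain).
TUNNEL_SUFFIX = ".trycloudflare.com"
FILE_SHARING_DOMAINS = ("dropbox.com",)
STAGED_EXTENSIONS = (".url", ".bat", ".zip")


@dataclass
class Finding:
    client: str
    ts: str
    category: str   # "archive" or "tunnel"
    url: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one proxy line into its fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_of(url: str) -> str:
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def path_ext(url: str) -> str:
    """Extension of the last path segment, ignoring the query string."""
    path = url.split("?", 1)[0]
    segment = path.rsplit("/", 1)[-1]
    return "." + segment.rsplit(".", 1)[-1].lower() if "." in segment else ""


def scan(log_text: str) -> List[Finding]:
    """Flag each line that matches one stage of the delivery chain."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, ext = host_of(rec["url"]), path_ext(rec["url"])
        if host.endswith(TUNNEL_SUFFIX):
            findings.append(Finding(rec["client"], rec["ts"], "tunnel", rec["url"]))
        elif any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS) \
                and ext in STAGED_EXTENSIONS:
            findings.append(Finding(rec["client"], rec["ts"], "archive", rec["url"]))
    return findings


def clients_matching_chain(findings: List[Finding]) -> Set[str]:
    """Clients that fetched a staged archive AND hit a trycloudflare tunnel:
    the two-step sequence the advisory describes, which is far rarer than
    either event on its own."""
    seen: Dict[str, Set[str]] = {}
    for f in findings:
        seen.setdefault(f.client, set()).add(f.category)
    return {c for c, cats in seen.items() if {"archive", "tunnel"} <= cats}


if __name__ == "__main__":
    hits = scan(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h.ts} {h.client} [{h.category}] {h.url}")
    print("clients matching full chain:", sorted(clients_matching_chain(hits)))
```

    A single trycloudflare.com hit is not proof of compromise, since the service has legitimate users, so the correlation in `clients_matching_chain` is what keeps the alert volume manageable; in a real deployment the same two categories can be expressed as a proxy or SIEM correlation rule keyed on the client address.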

    Indicators of Compromise

    To make the details of today's campaign public, the IoCs identified have been released:

    Link: Download IoC

    Source: Original Post