A phishing campaign tracked as MEME#4CHAN has been identified by researchers at Securonix, targeting manufacturing firms and healthcare clinics in Germany. The campaign uses meme-laden PowerShell code and obfuscated payloads to deliver the XWorm malware. The attacks begin with phishing emails carrying deceptive Microsoft Word documents that exploit the Follina vulnerability (CVE-2022-30190, a remote code execution flaw in the Microsoft Support Diagnostic Tool, MSDT) to retrieve and run an obfuscated PowerShell script. That script is built to evade antivirus detection, disables Microsoft Defender, establishes persistence on the host, and finally launches XWorm.
Certain keywords inside the PowerShell script hint at a Middle Eastern or Indian origin for the attackers, but the threat actor has not been identified and no conclusive attribution has been made. XWorm itself is widely available commodity malware with a broad feature set, including data theft, DDoS attacks, ransomware, spreading via USB drives, and the deployment of additional malware. The attack methodology does resemble that of TA558, a group previously known for targeting the hospitality industry. The researchers stress that malicious document files remain a threat even now that Microsoft Office disables macros by default, because a Follina-style exploit needs no macros at all.
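As an added illustration of how the delivery chain summarized above can be spotted in process-creation telemetry, the following Python sketch runs a few detection checks over constructed sample events: an Office application spawning msdt.exe, a command line invoking the ms-msdt: protocol handler, a hidden encoded PowerShell launch, and PowerShell calls that tamper with Defender (Set-MpPreference/Add-MpPreference). This is example code written for this page, not the researchers' code and not code from the campaign. The event record layout, the sample command lines and the rule names are assumptions; only the Follina CVE identifier and the Defender cmdlet names are real.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Assumed minimal process-creation record (image names lower-cased)."""
    parent: str
    image: str
    cmdline: str


# Office hosts that should never need to spawn the diagnostic tool directly.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Defender tampering via the real Set-MpPreference / Add-MpPreference cmdlets:
# any -Disable* switch or an exclusion being added.
DEFENDER_TAMPER = re.compile(
    r"(Set|Add)-MpPreference\b.*?-(Disable\w+|Exclusion(Path|Process|Extension))",
    re.IGNORECASE,
)
# Encoded command (-e/-ec/-enc/-EncodedCommand) combined with a hidden window.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
HIDDEN_PS = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.IGNORECASE)


def office_spawned_msdt(ev: ProcEvent) -> bool:
    return ev.parent in OFFICE_APPS and ev.image == "msdt.exe"


def msdt_protocol_handler(ev: ProcEvent) -> bool:
    # The ms-msdt: URI scheme is what a Follina (CVE-2022-30190) document abuses.
    return "ms-msdt:" in ev.cmdline.lower()


def encoded_hidden_powershell(ev: ProcEvent) -> bool:
    return bool(ENCODED_PS.search(ev.cmdline) and HIDDEN_PS.search(ev.cmdline))


def defender_tamper(ev: ProcEvent) -> bool:
    return bool(DEFENDER_TAMPER.search(ev.cmdline))


# Rule order is fixed so results are deterministic.
RULES = [
    ("office_spawned_msdt", office_spawned_msdt),
    ("msdt_protocol_handler", msdt_protocol_handler),
    ("encoded_hidden_powershell", encoded_hidden_powershell),
    ("defender_tamper", defender_tamper),
]


def detect(events):
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((idx, name))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe", "WINWORD.EXE invoice.docx"),
    ProcEvent("winword.exe", "msdt.exe", "msdt.exe ms-msdt:/id PCWDiagnostic /skip force"),
    ProcEvent("msdt.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ProcEvent("powershell.exe", "powershell.exe",
              'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcEvent("powershell.exe", "powershell.exe",
              "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx].cmdline}")
```

The benign final event (a plain Get-Date call) produces no hits, while the Word-to-msdt.exe hop fires two rules at once; in practice the parent/child rule is the higher-confidence signal, since msdt.exe has no legitimate reason to be launched by an Office process.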
Relevant URL: https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html