The group behind the XFiles info-stealer malware has added a new delivery module for dropping their payload on to target computers. This new delivery module exploits CVE-2022-30190, also known as Follina, in an attempt to get as much auto-execution as possible on victim systems.
The malicious Word document, which is sent via phishing emails, contains an OLE object pointing to an HTML file on an external resource. This HTML file contains JavaScript code that exploits the Follina vulnerability when the Word document is opened. The Javascript fetches a base64-encoded string that contains PowerShell commands which download the XFiles payload, create persistence in the Windows startup directory, and then execute the malware. This second-stage payload contains encrypted shellcode and a hardcoded AES decryption key that it uses to decrypt the shellcode into the context of the running process. Once the shellcode is successfully executed, the info-stealing portion of the XFiles malware runs, targeting cookies, passwords, history stored in web browsers, Discord and Telegram credentials, and cryptocurrency wallets. These files are stored in newly created directories on the system and eventually exfiltrated to the threat actor via Telegram.
The XFiles Reborn operation has been steadily gaining members and expanding their operations and tooling. Beyond the XFiles info-stealing malware, they also advertise a malware known as the “Punisher Miner,” which is claimed to be a highly evasive and stealthy cryptocurrency miner supporting Monero, Toncoin, and Ravecion. This mining tool is being sold for 500 rubles ($9), which is the equivalent of one month usage of the XFiles stealer.
Analyst Notes
It is highly recommended to patch all systems for the CVE-2022-30190 Follina vulnerability as soon as possible. More threat actors are deploying Follina as a delivery mechanism, due to the ease of exploitation and impact, so the risk associated with the vulnerability continues to rise. It is also important to maintain proper security endpoint controls, such as an EDR and logging mechanisms, on all systems to help prevent and detect malware. The XFiles malware uses commonly abused techniques that EDRs are likely to prevent outright. If prevention does not occur, there are a number of behaviors that can be detected and alerted upon. Word calling msdt.exe for the Follina exploit, suspicious files being added to the Windows startup directory, and the usage of certain API calls commonly abused by process injection are all behaviors that can be monitored. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
Source:
