The group behind the XFiles info-stealer malware has added a new delivery module for dropping their payload onto target computers. This new delivery module exploits CVE-2022-30190, also known as Follina, in an attempt to get as much automatic execution as possible on victim systems.
The malicious Word document, which is sent via phishing emails, contains an OLE object pointing to an HTML file on an external resource. This HTML file contains JavaScript code that exploits the Follina vulnerability when the Word document is opened. The JavaScript fetches a base64-encoded string containing PowerShell commands that download the XFiles payload, create persistence in the Windows startup directory, and then execute the malware. This second-stage payload contains encrypted shellcode and a hardcoded AES decryption key, which it uses to decrypt the shellcode in the context of the running process. Once the shellcode executes successfully, the info-stealing portion of XFiles runs, targeting cookies, passwords and history stored in web browsers, Discord and Telegram credentials, and cryptocurrency wallets. The stolen data is written to newly created directories on the system and eventually exfiltrated to the threat actor via Telegram.
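The delivery document described above relies on an OLE relationship whose target lives outside the .docx package. As an added defensive example (not code from the original report), the following Python check opens a .docx as a zip, parses its relationship files, and flags OLE relationships with TargetMode="External"; the sample document it inspects is constructed inline, and the host name in it is a placeholder.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def external_ole_targets(docx_bytes):
    """Return (rels file, relationship type, target) for every OLE relationship
    that points outside the package. A benign embedded OLE object is stored
    inside the .docx; an external HTML target is the pattern used by the
    Follina delivery document, so it is worth surfacing for review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type == "oleObject":
                    findings.append((name, rel_type, rel.get("Target", "")))
    return findings


def build_sample_docx(ole_target=None):
    """Constructed minimal .docx for testing: with ole_target set it carries an
    external OLE relationship, otherwise only an ordinary internal one."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>']
    if ole_target is not None:
        rels.append(f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
                    f'Target="{ole_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels",
                     f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real sample would name the attacker-controlled server.
    for hit in external_ole_targets(build_sample_docx("http://example.invalid/stage.html!")):
        print("external OLE relationship:", hit)
```

Run the function over quarantined attachments rather than opening them; the check reads only the zip structure and never renders the document.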
The XFiles Reborn operation has been steadily gaining members and expanding its operations and tooling. Beyond the XFiles info-stealing malware, the group also advertises a malware known as the "Punisher Miner," which is claimed to be a highly evasive and stealthy cryptocurrency miner supporting Monero, Toncoin, and Ravencoin. This mining tool is being sold for 500 rubles ($9), the equivalent of one month's use of the XFiles stealer.