
Microsoft Follina Bug Is Back in Meme-Themed Cyberattacks Against Travel Orgs

A two-bit comedian is using a patched Microsoft vulnerability to attack the hospitality industry, and really laying it on thick along the way.

DARKReading

A threat actor is exploiting last year's Follina remote code execution (RCE) vulnerability to deploy the XWORM remote access trojan (RAT) and data stealer against targets in the hospitality industry.

On May 12, researchers from Securonix broke down the campaign, which uses Follina to drop PowerShell code onto target machines. That code is rife with 4Chan and meme references, which is why the researchers call the campaign "MEME#4CHAN": it blurs the line between stealth and internet humor.

The MEME#4CHAN Attack Flow

MEME#4CHAN attacks begin with a phishing email, with a hospitality hook in the subject line — something like “Reservation for Room.” Attached will be a Microsoft Word document furthering the theme, such as “Details for booking.docx.”

Once a victim opens the document, they're presented with a dialog box: "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" Regardless of whether they click "Yes" or "No," a Word document opens containing stolen images of a French driver's license and debit card.

The choice of a .docx file is notable. Attackers long relied on malicious macros in Office files to gain a foothold on a target machine, a tactic that is far less effective now that Microsoft blocks macros in files downloaded from the Internet by default.

Without that option, MEME#4CHAN instead turns to Follina. Follina (CVE-2022-30190) is an RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that carries a "high" CVSS score of 7.8. A specially crafted Word document references an attacker-controlled HTML file through an external OLE link; that HTML invokes the ms-msdt: URL protocol handler with a crafted parameter, and MSDT runs the PowerShell embedded in it with the privileges of the calling application, no macro required. The bug was disclosed on May 30, 2022, and patched in Microsoft's June 2022 Patch Tuesday updates, a year before this campaign.
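The mechanism just described leaves two artifacts a defender can check statically before anything executes: the document's relationship file, where the external OLE link lives, and the HTML it fetches, which carries the ms-msdt: invocation. The Python below is an added example, not code from the article, Securonix, or Microsoft. It builds a minimal .docx in memory with the shape of a Follina lure (the URL and the `$(placeholder)` parameter are made up for this example and do nothing), then scans both artifacts. The relationship check deliberately goes a little beyond Follina: it also flags an external `attachedTemplate` link, the remote-template-injection variant that reaches out to an attacker host in the same way.

```python
"""Static triage for Follina-style (CVE-2022-30190) lures.

Added example, not from the article or from Securonix. The sample document
and HTML are constructed here; the URL and the $(...) parameter are
placeholders, not indicators from the MEME#4CHAN campaign.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Word fetch remote content when the file opens.
# oleObject is what Follina lures use; attachedTemplate is the remote-template
# injection variant, included here on the assumption you want both flagged.
REMOTE_LOAD_TYPES = ("oleObject", "attachedTemplate")
REMOTE_URL = re.compile(r"(?i)^https?://")


def scan_docx(data: bytes) -> List[str]:
    """Return one finding per relationship that pulls remote content into Word.

    Hyperlinks are also TargetMode="External" but only open when clicked, so
    they are ignored; only the types in REMOTE_LOAD_TYPES count.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and rtype in REMOTE_LOAD_TYPES
                        and REMOTE_URL.match(target)):
                    findings.append(f"{name}: external {rtype} -> {target}")
    return findings


def scan_html(html: str) -> List[str]:
    """Flag the msdt URL-protocol invocation in the fetched HTML stage."""
    findings = []
    if re.search(r"(?i)ms-msdt:", html):
        findings.append("ms-msdt: URL protocol handler invoked from HTML")
        # The code execution rides in IT_BrowseForFile: a PowerShell
        # subexpression $(...) that msdt evaluates instead of treating as a path.
        if re.search(r"(?i)IT_BrowseForFile\s*=.*?\$\(", html):
            findings.append("IT_BrowseForFile carries a $(...) PowerShell subexpression")
    return findings


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Construct a minimal .docx whose document.xml.rels links an OLE object.

    With external=True and an http(s) target this has the shape of a Follina
    lure; with external=False it is an ordinary embedded object.
    """
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_BASE}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{DOC_REL_BASE}hyperlink" '
        'Target="https://example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{DOC_REL_BASE}oleObject" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed HTML stage with the shape of a Follina payload; the parameter is
# a placeholder and does nothing.
SAMPLE_HTML = (
    '<html><script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param \\"IT_BrowseForFile=$(placeholder)\\"";</script></html>'
)

if __name__ == "__main__":
    lure = build_sample_docx("http://lure.example/booking.html!")
    for line in scan_docx(lure) + scan_html(SAMPLE_HTML):
        print(line)
```

Run against a real sample, `scan_docx(open(path, "rb").read())` is enough to separate a booking-themed lure from a clean attachment: a clean .docx has no external oleObject relationship at all, so an empty result is the expected answer. The HTML check is only meaningful on content captured from the wire or a sandbox, since the document itself never contains the ms-msdt: string.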

Through Follina, MEME#4CHAN downloads an obfuscated PowerShell script once the Word document is opened. The script is notable for its labored references, memes, and uninspiring jokes. The author laments at multiple points "why my ex left me," for example, and gives directories, variables, and functions names such as "mememan," "shakalakaboomboom," and "stepsishelpme."

The jokes might be considered a unique stealth tactic, designed to instantly repel any researcher of good taste. But Securonix researchers noted that the attack uses other more traditional obfuscation as well.

In fact, the researchers found variables in the PowerShell code ranging from "semi-" to "heavily" obfuscated, they said, including a "heavily obfuscated" .NET binary which, once decoded, revealed itself as the XWORM RAT.

“The relative amount of effort invested into obfuscation and covertness is higher than for the similar attacks we observed,” says Oleg Kolesnikov, vice president of threat research and detection at Securonix, “and it is not yet clear why.”

What Is XWORM?

XWORM is a bit of a Swiss Army knife of a RAT.

On one hand, it does RAT things — checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor to a machine, and creating an autorun entry to ensure persistence across restarts.

At the same time, it comes replete with espionage features, including capabilities for accessing a device’s microphone and camera, and keylogging; and it can instigate follow-on attacks like distributed denial of service (DDoS) or even ransomware.

That said, the malware is of dubious quality, some note.

Multiple iterations of XWORM have been leaked online in recent months, including a 3.1 version just last month. The individual who published the 3.1 code to GitHub didn’t appear to hold it in high regard.

“There are so many sh*tty Rat [sic], XWorm is one of them. I’m sharing it so that you don’t pay for such things for nothing,” the person wrote in a README file.

“Compared to some of the other similar underground attack tools for which source code was leaked recently,” Kolesnikov judges, “XWORM does appear to have arguably somewhat less advanced capabilities, though [it’s usefulness] often depends on the specific capability [required]. It depends on how the malicious threat actors use the tool as part of an attack.”

Which Cybercriminals Are Behind MEME#4CHAN?

According to the researchers, it’s likely the author behind MEME#4CHAN is English-speaking, due to all the 4Chan references in their code.

Dark Reading also independently observed several variables in the code referencing Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it.

Taking further evidence into account adds color and cloudiness to the attribution picture. “The attack methodology is similar to that of TA558, a cybercriminal gang, where phishing emails were delivered targeting the hospitality industry,” the Securonix researchers explained.

They added, however, that "TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign."

Whoever's behind it, the campaign doesn't appear to be over, as several of its associated C2 domains are still active.

The researchers recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting.
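"Log anomaly detection" is vague; for this campaign the concrete telemetry to watch is process creation. The Python below is an added example, not code from the article or from Securonix. It runs three rules defenders commonly use for CVE-2022-30190 over constructed Sysmon-style Event ID 1 records (the hostname, PIDs, paths and the ms-msdt: parameter are placeholders made up for this example). The control.exe event is the edge case that matters: msdt.exe launched from a Control Panel troubleshooter is legitimate and must stay quiet, which is why the rules key on the parent process and the URL-protocol form rather than on msdt.exe alone.

```python
"""Process-creation detection for Follina-style exploitation.

Added example, not from the article or from Securonix. Runs over constructed
Sysmon-style Event ID 1 records (JSON lines); all hosts, PIDs and command
lines below are placeholders, not indicators from the campaign.
"""
import json
import ntpath
from typing import Dict, Iterable, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of every rule a single process-creation event matches."""
    image = _basename(str(event.get("Image", "")))
    parent = _basename(str(event.get("ParentImage", "")))
    cmd = str(event.get("CommandLine", "")).lower()
    hits = []
    # Rule 1: Office has no reason to start the diagnostic tool. Exploitation
    # of CVE-2022-30190 shows up as WINWORD.EXE (or another Office app) as the
    # parent of msdt.exe.
    if image == "msdt.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_msdt")
    # Rule 2: the URL-protocol form. A Control Panel troubleshooter launches
    # "msdt.exe /id ..." without the ms-msdt: scheme, so legitimate use is quiet.
    if image == "msdt.exe" and ("ms-msdt:" in cmd or "it_browseforfile=" in cmd):
        hits.append("msdt_url_protocol_invocation")
    # Rule 3: sdiagnhost.exe runs the troubleshooting pack and ends up
    # executing the injected PowerShell; it should never launch a shell.
    if parent == "sdiagnhost.exe" and image in SHELLS:
        hits.append("sdiagnhost_spawns_shell")
    return hits


def detect(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan JSON-lines Event ID 1 records and return one alert per rule match."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        for rule in classify(event):
            alerts.append({
                "rule": rule,
                "host": event.get("Computer"),
                "pid": event.get("ProcessId"),
                "image": event.get("Image"),
                "parent": event.get("ParentImage"),
            })
    return alerts


# Constructed sample telemetry: one benign Word launch, the exploit chain
# (Word -> msdt -> sdiagnhost -> powershell), and a legitimate troubleshooter.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 1, "Computer": "FRONTDESK-01", "ProcessId": 4120,
                "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "Details for booking.docx"'}),
    json.dumps({"EventID": 1, "Computer": "FRONTDESK-01", "ProcessId": 4388,
                "Image": r"C:\Windows\System32\msdt.exe",
                "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "CommandLine": r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(placeholder)"'}),
    json.dumps({"EventID": 1, "Computer": "FRONTDESK-01", "ProcessId": 4402,
                "Image": r"C:\Windows\System32\sdiagnhost.exe",
                "ParentImage": r"C:\Windows\System32\svchost.exe",
                "CommandLine": r"C:\Windows\System32\sdiagnhost.exe -Embedding"}),
    json.dumps({"EventID": 1, "Computer": "FRONTDESK-01", "ProcessId": 4450,
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
                "CommandLine": r"powershell.exe -w hidden -nop -c placeholder"}),
    json.dumps({"EventID": 1, "Computer": "FRONTDESK-02", "ProcessId": 2210,
                "Image": r"C:\Windows\System32\msdt.exe",
                "ParentImage": r"C:\Windows\System32\control.exe",
                "CommandLine": r'"C:\Windows\system32\msdt.exe" /id NetworkDiagnosticsNetworkAdapter'}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the exploit chain yields three alerts (two on the msdt.exe launch, one on the powershell.exe child of sdiagnhost.exe) and the Control Panel troubleshooter on FRONTDESK-02 yields none. In production, point `detect` at your Sysmon or EDR process-creation feed; the three rules are independent, so a hit on rule 3 alone still tells you MSDT was abused even if the msdt.exe event itself was not collected.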

Related news

RomCom RAT Targeting NATO and Ukraine Support Groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023. RomCom, also tracked under the names

Woody RAT: A new feature-rich malware spotted in the wild

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities. The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

Microsoft Patch Tuesday June 2022: Follina RCE, NFSV4.1 RCE, LDAP RCEs and bad patches

Hello everyone! This will be an episode about the Microsoft vulnerabilities that were released on June Patch Tuesday and also between May and June Patch Tuesdays. Alternative video link (for Russia): https://vk.com/video-149273431_456239094 On June Patch Tuesday, June 14, 56 vulnerabilities were released. Between May and June Patch Tuesdays, 38 vulnerabilities were released. This gives us 94 […]

Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine. The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a

State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S

A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages

FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day

FAQ for the new Follina zero-day vulnerability. What you can do to protect your computers right now. The post FAQ: Mitigating Microsoft Office’s ‘Follina’ zero-day appeared first on Malwarebytes Labs.

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

Microsoft Office MSDT Follina Proof Of Concept

Proof of concept for the remote code execution vulnerability in MSDT known as Follina.

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the …

Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability

UPDATE July 12, 2022: As part of the response by Microsoft, a defense in depth variant has been found and fixed in the Windows July cumulative updates. Microsoft recommends installing the July updates as soon as possible.

Windows version                        KB article
Windows 8.1, Windows Server 2012 R2    5015805
Windows Server 2012                    5015805
Windows 7, Windows Server 2008 R2      5015805
Windows Server 2008 SP2                5015805

On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.
