The Follina remote code execution (RCE) vulnerability is being exploited in a new cyberattack campaign targeting the hospitality industry. The threat actor is using the vulnerability to deploy the XWORM remote access trojan (RAT) and data stealer against its targets. Researchers from Securonix have analyzed the campaign, which uses Follina to deliver PowerShell code filled with 4chan and meme references. The researchers have dubbed the campaign 'MEME#4CHAN' for its combination of stealth and internet humor.
The MEME#4CHAN attacks start with a phishing email that has a hospitality-related subject line, such as 'Reservation for Room.' The email carries an attached Microsoft Word document with a title like 'Details for booking.docx.' When the victim opens the document, a dialog box asks whether they want to update the document with data from linked files. Regardless of whether the victim clicks 'Yes' or 'No,' a Word document containing stolen images of a French driver's license and debit card opens. The use of a plain .docx file is significant: attackers previously relied on malicious macros in Office files to gain a foothold on target machines, but since Microsoft now blocks macros in files downloaded from the Internet by default, MEME#4CHAN relies on the Follina vulnerability instead.
Follina (CVE-2022-30190) is a high-severity RCE vulnerability with a CVSS score of 7.8. It allows attackers to craft Microsoft Word files that trick the Microsoft Support Diagnostic Tool (MSDT) into downloading and executing code from an attacker-controlled server. The bug was disclosed and patched a year ago. Through Follina, the MEME#4CHAN campaign downloads an obfuscated PowerShell script when the Word document is opened. The script is filled with labored references, memes, and uninspiring jokes. Securonix researchers noted that the jokes serve as an unusual stealth tactic, but the attack also employs more traditional obfuscation methods.
The researchers found variables in the PowerShell code that ranged from 'semi-' to 'heavily' obfuscated. A 'heavily obfuscated' .NET binary was decoded to reveal the XWORM RAT. XWORM is a versatile RAT with capabilities such as checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor on a machine, and creating an autorun entry for persistence across restarts. It also has espionage features, including access to a device's microphone and camera and keylogging, and it can launch follow-on attacks such as distributed denial of service (DDoS) or ransomware.
The malware's quality is questionable, and multiple versions of XWORM have recently been leaked online. The individual who published the 3.1 code to GitHub did not hold it in high regard, stating in a README file, 'There are so many sh*tty Rat [sic], XWorm is one of them. I'm sharing it so that you don't pay for such things for nothing.' The attack methodology resembles that of TA558, a cybercriminal gang known for targeting the hospitality industry, but the researchers could not definitively link the MEME#4CHAN campaign to TA558. The campaign is still active, and organizations are advised to avoid opening unexpected attachments, be cautious of malicious file-hosting websites, and implement log anomaly detection and application whitelisting.
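The log anomaly detection recommended above can be made concrete for this campaign: Follina's execution chain has Word launching msdt.exe, which in turn launches the PowerShell stage. The following added example (not code from the Securonix report or the campaign) scans constructed process-creation events in a JSON-lines export, assuming a Sysmon/EDR-style schema with `parent`, `image` and `cmdline` fields, and flags an Office application spawning MSDT, any use of the `ms-msdt:` protocol handler, and a script host spawned from that chain.

```python
import json

# Process names treated as Office document handlers and as script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Constructed sample events (not real telemetry). The first two mimic the
# Follina chain on one host; the last two are benign activity on another.
SAMPLE_LOG = r'''
{"ts":"2023-05-02T09:14:03Z","host":"FRONTDESK-01","parent":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\msdt.exe","cmdline":"\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force"}
{"ts":"2023-05-02T09:14:05Z","host":"FRONTDESK-01","parent":"C:\\Windows\\System32\\msdt.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"}
{"ts":"2023-05-02T09:20:11Z","host":"FRONTDESK-02","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"WINWORD.EXE /n \"Details for booking.docx\""}
{"ts":"2023-05-02T09:21:40Z","host":"FRONTDESK-02","parent":"C:\\Windows\\System32\\svchost.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -File C:\\Scripts\\inventory.ps1"}
'''


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def classify(event):
    """Return the list of rule names that fire for one process-creation event."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "").lower()
    hits = []
    if image == "msdt.exe" and parent in OFFICE_APPS:
        hits.append("office_spawned_msdt")          # Word -> msdt.exe
    if "ms-msdt:" in cmdline:
        hits.append("msdt_protocol_handler")        # URI scheme Follina abuses
    if image in SCRIPT_HOSTS and (parent in OFFICE_APPS or parent == "msdt.exe"):
        hits.append("script_host_from_office_chain")  # PowerShell stage
    return hits


def scan(log_text):
    """Parse JSON-lines events and return one alert dict per rule hit."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than aborting the scan
        for rule in classify(event):
            alerts.append({"ts": event.get("ts"), "host": event.get("host"),
                           "image": basename(event.get("image", "")), "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run as-is, the scan reports three alerts, all on FRONTDESK-01, and nothing for the ordinary Word launch or the scheduled PowerShell script on FRONTDESK-02.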