Fileless .NET stage and a modular XWorm core: Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate Microsoft build tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware’s runtime requirements while helping it blend into normal system activity.

“A fileless .NET stage loaded in memory, followed by process hollowing into msbuild.exe, is a clean ‘blend in’ move that leverages a legitimate .NET-capable binary and complicates attribution for simplistic detections,” Soroko said. “Fortinet’s rationale for msbuild.exe is especially useful for defenders because it ties the LOLBin choice to the malware’s .NET runtime needs, not just generic masquerading.”

Once active, XWorm communicates with its C2 using AES-encrypted packets and supports a broad plugin ecosystem. That modularity, the researchers noted, expands its capabilities beyond remote access, enabling credential theft, data exfiltration, disruption, and modernization paths depending on what the operator wants.

Fortinet said XWorm supports a wide range of operator commands, including system control (CLOSE, uninstall, update), file download and execution (DW, LN), plugin loading, screenshot capture ($Cap), keylogger retrieval, DDoS control, and shutdown or restart functions. The disclosure also listed indicators of compromise tied to the campaign, including phishing URLs and domains used to host HTA and loader files, the C2 server, file hashes for the malicious Excel attachment, and the final XWorm payload.

Barney emphasized that the broader risk hinges less on the malware label and more on post-compromise controls. “Campaigns like this expose a simple reality: the entry vector is predictable. The tooling is commoditized. The only real variable is whether the environment limits what an intruder can do next,” he said.
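The point Soroko makes about “simplistic detections” is that matching on the image name alone is useless when the host is a legitimate build tool; what separates a hollowed msbuild.exe from a real build is its context. The script below is an added example (it is not Fortinet’s, CSO’s, or XWorm’s code) that scores process-creation events for msbuild.exe on three context signals: which parent launched it, whether it received a project file argument, and whether it later made an outbound connection. The event records, the allow-list of expected parents, and the scoring threshold are all constructed assumptions that an environment would tune to its own developer tooling.

```python
"""
Context-based triage of msbuild.exe process-creation events.

Hypothetical example: the event layout mimics Sysmon-style process-creation
and network-connection data, but every record below is constructed for the
example and the allow-lists are assumptions, not vendor-published rules.
"""
from dataclasses import dataclass
from typing import List, Dict

# Parents from which MSBuild legitimately runs (assumed allow-list; tune per environment).
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "cmd.exe", "powershell.exe",
                    "msbuild.exe", "nuget.exe"}
# Office and script hosts that have no business launching a build tool (assumption).
DOC_AND_SCRIPT_HOSTS = {"excel.exe", "winword.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Project-file extensions MSBuild normally receives as its first argument.
PROJECT_EXTS = (".sln", ".csproj", ".vbproj", ".vcxproj", ".proj", ".targets")
# Number of independent signals needed before an event is reported.
ALERT_THRESHOLD = 2


@dataclass
class ProcessEvent:
    pid: int
    image: str            # full path of the created process
    cmdline: str          # full command line as logged
    parent_image: str     # full path of the parent process
    network: bool = False  # whether this pid later made an outbound connection


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_msbuild_event(ev: ProcessEvent) -> List[str]:
    """Return the list of suspicious-context reasons for an msbuild.exe launch.

    Non-msbuild events return an empty list; a legitimate build launched from a
    developer tool with a project file and no network use also returns [].
    """
    if basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent in DOC_AND_SCRIPT_HOSTS:
        reasons.append(f"spawned by document/script host {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    # A hollowing host is typically created with a bare command line: the real
    # build tool is never asked to compile anything.
    if not any(ext in ev.cmdline.lower() for ext in PROJECT_EXTS):
        reasons.append("no project file on command line")
    if ev.network:
        reasons.append("outbound network connection from build tool")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that reaches the alert threshold."""
    hits = {}
    for ev in events:
        reasons = score_msbuild_event(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            hits[ev.pid] = reasons
    return hits


MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"

# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    ProcessEvent(4101, MSBUILD, r'MSBuild.exe C:\src\app\app.sln /t:Build',
                 r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcessEvent(4102, MSBUILD, "MSBuild.exe",
                 r"C:\Users\alice\AppData\Roaming\loader.exe", network=True),
    ProcessEvent(4103, MSBUILD, r"msbuild build.proj", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4104, MSBUILD, "MSBuild.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(4105, r"C:\Windows\System32\notepad.exe", "notepad.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Only pids 4102 (unknown parent, bare command line, network) and 4104 (Office parent, bare command line) are reported; the two genuine builds and the unrelated process score zero. The threshold exists because any single signal on its own is noisy (a developer launching msbuild.exe from explorer.exe without arguments trips the parent check), while two or three independent context failures on a binary that should only ever compile projects is worth an analyst’s time regardless of what it was hollowed with.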
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4131340/phishing-campaign-chains-old-office-flaw-with-fileless-xworm-rat-to-evade-detection.html