Ongoing phishing attacks have been distributing the XWorm malware through a novel attack chain that exploits the Follina vulnerability, tracked as CVE-2022-30190, and uses meme-filled PowerShell code, according to The Hacker News.
The campaign, attributed to the MEME#4CHAN activity cluster, uses Microsoft Word documents that exploit CVE-2022-30190 to deliver an obfuscated PowerShell script; that script evades anti-malware and Microsoft Defender scans and then deploys the .NET binary containing XWorm, a report from Securonix showed. Aside from its clipper, ransomware, and distributed denial-of-service capabilities, XWorm can also deploy additional malware and can spread via USB.
"Based on a quick check, it appears that the individual or group responsible for the attack could have a Middle Eastern/Indian background, although the final attribution has not yet been confirmed," said researchers, who also noted the attack method's similarities with TA558.