
“Meme-Themed Cyberattacks Exploit Microsoft Follina Bug in Travel Industry”

MEME#4CHAN Campaign Exploits Follina Bug to Target the Hospitality Industry

A recent report from Securonix sheds light on a new cyberattack campaign, dubbed ‘MEME#4CHAN,’ which targets the hospitality industry. The campaign is launched via phishing emails with the subject line “Reservation for Room” and an attached Microsoft Word document whose payload delivers XWORM, a Remote Access Trojan (RAT) and data stealer. The attackers leverage last year’s Follina remote code execution vulnerability (CVE-2022-30190) to download the RAT, which allows them to access the device’s microphone and camera, log keystrokes, and launch further attacks such as distributed denial of service (DDoS) or ransomware.

The infection chain starts when the victim opens the “Details for booking.docx” attachment. A dialogue box prompts the user to update the document with data from linked files; whichever option the user clicks, the document’s content loads and displays stolen images of a French driver’s license and debit card. According to the researchers, the MEME#4CHAN campaign is “unique” for blurring the line between stealth and internet humor: the code is riddled with 4chan and meme references, using joke names such as “mememan,” “shakalakaboomboom,” and “stepsishelpme.”

The variables in the PowerShell code used by MEME#4CHAN were “heavily” obfuscated, as was the embedded payload; once decoded, it was revealed to be a .NET binary of XWORM. Although XWORM has been leaked online several times in recent months, multiple iterations of it exist, such as the 3.1 version uploaded to GitHub last month, which experts assess to be of questionable quality.

Securonix said that the authors of the MEME#4CHAN campaign are probably English-speaking individuals, given the many 4chan references, although Indian cultural touchpoints were also observed in the code. The cybercriminal group TA558 uses the same attack methodology, but Securonix reports that its C2 infrastructure artifacts and payloads differ from those observed in the MEME#4CHAN campaign. Some C2 domains associated with MEME#4CHAN are still active.

To avoid becoming victims, the researchers recommended that organizations avoid opening unexpected attachments, watch for traffic to malicious file-hosting websites, and implement log anomaly detection and application allowlisting.
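The "log anomaly detection" recommendation above is easy to make concrete for the Follina execution chain, because CVE-2022-30190 is triggered when an Office document causes the Windows Support Diagnostic Tool (msdt.exe) to run. The following is an added example, not code from the Securonix report or from the campaign: it scans process-creation events (the fields mirror what Sysmon Event ID 1 or Windows Security Event 4688 provide) and raises an alert when an Office application spawns msdt.exe, when any command line carries the ms-msdt: protocol handler, or when the diagnostic host spawns a script interpreter. The hostname, timestamps, and log lines are constructed for this example, and the rule names are the author's own.

```python
"""Added example: process-creation detection rules for the Follina (CVE-2022-30190)
execution chain. Not from the Securonix report; sample events are constructed."""
import json
import os
import re
from dataclasses import dataclass

# Office applications that can embed the remote template / linked object that
# fires the ms-msdt: handler.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# msdt.exe hands the troubleshooting pack to sdiagnhost.exe, which runs the script.
DIAG_IMAGES = {"msdt.exe", "sdiagnhost.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Microsoft's original workaround was to disable this protocol handler entirely,
# so any occurrence of it in a command line is worth an alert.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: str
    host: str
    image: str
    parent_image: str
    cmdline: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_event(ev: dict) -> list[Alert]:
    """Apply the three Follina rules to one process-creation event."""
    image = _basename(ev["image"])
    parent = _basename(ev["parent_image"])
    cmdline = ev.get("cmdline", "")
    hits = []
    if parent in OFFICE_IMAGES and image == "msdt.exe":
        hits.append("office_spawns_msdt")
    if MSDT_URI.search(cmdline):
        hits.append("ms_msdt_uri_in_cmdline")
    if parent in DIAG_IMAGES and image in SCRIPT_HOSTS:
        hits.append("msdt_spawns_script_host")
    return [Alert(rule, ev["ts"], ev["host"], image, parent, cmdline) for rule in hits]


def scan(lines: list[str]) -> list[Alert]:
    """Run check_event over newline-delimited JSON events, skipping blank lines."""
    alerts: list[Alert] = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(check_event(json.loads(line)))
    return alerts


# Constructed sample log (hostname, times and command lines are made up).
SAMPLE_LOG = [
    r'{"ts": "2023-05-15T09:12:01Z", "host": "FRONTDESK-01", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "\"WINWORD.EXE\" /n \"C:\\Users\\fd\\Downloads\\Details for booking.docx\""}',
    r'{"ts": "2023-05-15T09:12:04Z", "host": "FRONTDESK-01", "image": "C:\\Windows\\System32\\msdt.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "\"C:\\Windows\\System32\\msdt.exe\" ms-msdt:/id PCWDiagnostic /skip force"}',
    r'{"ts": "2023-05-15T09:12:05Z", "host": "FRONTDESK-01", "image": "C:\\Windows\\System32\\sdiagnhost.exe", "parent_image": "C:\\Windows\\System32\\msdt.exe", "cmdline": "sdiagnhost.exe -Embedding"}',
    r'{"ts": "2023-05-15T09:12:06Z", "host": "FRONTDESK-01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\sdiagnhost.exe", "cmdline": "powershell.exe -nop -w hidden -enc AAAA"}',
    r'{"ts": "2023-05-15T09:20:00Z", "host": "FRONTDESK-01", "image": "C:\\Windows\\splwow64.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "splwow64.exe 12288"}',
    r'{"ts": "2023-05-15T10:02:00Z", "host": "FRONTDESK-01", "image": "C:\\Windows\\System32\\msdt.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "msdt.exe /id NetworkDiagnosticsWeb"}',
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} [{a.rule}] {a.parent_image} -> {a.image}: {a.cmdline}")
```

Run against the sample log, the scanner fires three alerts: two on the Word-spawned msdt.exe event (parent/child relationship and ms-msdt: URI) and one on the PowerShell process launched by sdiagnhost.exe, while the benign print-spooler child of Word and the user-launched network troubleshooter stay silent. The same rules translate directly into a Sigma or EDR query; the parent/child rule alone is enough to catch Follina regardless of how the document is lured, which is why it belongs in baseline coverage even after the June 2022 patch.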

Photo by Michael Dziedzic
