A FortiGuard Labs investigation has revealed a new phishing campaign that exploits an old Microsoft Office vulnerability (CVE-2018-0802, patched in 2018) to deploy the XWorm Remote Access Trojan (RAT) via malicious Excel files. The attachment is an Excel add-in (.XLAM), delivered in emails that combine business-themed lures with a "Virus detected" notice to prompt the recipient to open the file.
When the file is opened, the add-in triggers CVE-2018-0802, a memory-corruption bug in the Microsoft Equation Editor (EQNEDT32.EXE), which starts a hidden chain of events: an HTA file is downloaded and executed, it runs a PowerShell script, and that script retrieves a JPEG image with a .NET module hidden in the image data. According to FortiGuard Labs, this module is never written to disk; it is loaded directly in memory and uses process hollowing to inject the XWorm payload into MSBuild.exe, so that the malicious activity runs behind a trusted Windows component.
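The chain above leaves two kinds of evidence a defender can check for even though the final module is fileless: the process tree (Equation Editor or Excel spawning mshta.exe, mshta.exe spawning PowerShell, PowerShell spawning MSBuild.exe) and the carrier JPEG itself. The script below is an added example, not FortiGuard Labs' code or tooling. The process-creation lines and the JPEG bytes are constructed for the demo, the parent/child pairs it flags are an assumption about what to hunt for, and the PE-in-image check is a generic heuristic: the report summarised here does not say how the .NET module is encoded inside the picture, so a loader that stores it base64-encoded or obfuscated would not be caught by this check.

```python
"""Hunting checks for the XWorm delivery chain described above.

Added example, not FortiGuard Labs' code. The log lines, the JPEG bytes
and the list of suspicious parent/child pairs are all constructed or
assumed here so the script runs offline.
"""
import re
import struct
from typing import List, Optional, Tuple

# Parent -> child process pairs matching the stages of the chain:
# Equation Editor (spawned by Excel) -> mshta.exe -> powershell.exe -> MSBuild.exe.
# Assumed hunting list; names are compared case-insensitively on the file name only.
SUSPICIOUS_PAIRS = {
    ("eqnedt32.exe", "mshta.exe"),
    ("eqnedt32.exe", "powershell.exe"),
    ("excel.exe", "mshta.exe"),
    ("excel.exe", "powershell.exe"),
    ("mshta.exe", "powershell.exe"),
    ("powershell.exe", "msbuild.exe"),
}

# Constructed process-creation events in a Sysmon-like key=value layout (not real telemetry).
# Lines 2-4 reproduce the chain; lines 1 and 5 are benign noise.
SAMPLE_LOG = """\
2025-01-01T10:00:01 ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\whoami.exe
2025-01-01T10:00:02 ParentImage=C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE Image=C:\\Windows\\System32\\mshta.exe
2025-01-01T10:00:03 ParentImage=C:\\Windows\\System32\\mshta.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-01-01T10:00:04 ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe
2025-01-01T10:00:05 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe
"""

EVENT_RE = re.compile(r"ParentImage=(?P<parent>.+?) Image=(?P<image>.+)$")


def basename(path: str) -> str:
    """File name of a Windows path, lower-cased for matching."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_spawns(log: str) -> List[Tuple[str, str]]:
    """Return the (parent, child) pairs in the log that match the chain."""
    hits = []
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        pair = (basename(m["parent"]), basename(m["image"]))
        if pair in SUSPICIOUS_PAIRS:
            hits.append(pair)
    return hits


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Offset of a PE image carried inside image bytes, or None.

    Generic heuristic: an 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the same buffer. A normal JPEG
    has no reason to contain one; a raw .NET DLL dropped into the picture does.
    """
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def build_sample_jpeg(with_pe: bool) -> bytes:
    """Constructed JPEG skeleton (SOI, APP0, EOI); optionally with a minimal
    PE stub appended after the EOI marker, one common way to hide a payload."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    if not with_pe:
        return jpeg
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew -> 0x80
    dos += b"\x00" * 0x40 + b"PE\0\0" + b"\x4c\x01"    # pad to 0x80, PE signature, machine
    return jpeg + bytes(dos)


if __name__ == "__main__":
    for parent, child in find_suspicious_spawns(SAMPLE_LOG):
        print(f"suspicious spawn: {parent} -> {child}")
    print("PE in carrier JPEG at offset:", find_embedded_pe(build_sample_jpeg(True)))
    print("PE in clean JPEG:", find_embedded_pe(build_sample_jpeg(False)))
```

The process-tree check is the more dependable of the two. "Fileless" only means the final .NET module is never written to disk; the HTA download, the PowerShell execution and PowerShell spawning MSBuild.exe all produce process and network telemetry. Note that the last sample line (explorer.exe launching MSBuild.exe) is deliberately not flagged: MSBuild started from a shell or IDE is normal on a developer workstation, and it is the PowerShell parent in an Office-rooted tree that makes it suspicious.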
XWorm version 7.2 then communicates with its command-and-control (C2) server using AES-encrypted packets. Its capabilities, supported by more than 50 plugins, include remote control of input devices (keyboard and mouse), camera and microphone access, data theft, ransomware functions and the ability to launch DDoS attacks. The report notes that the fileless delivery helps the payload evade traditional antivirus scanners, which rely on inspecting files written to disk.