The XFiles infostealer malware has added a new module that exploits Follina (CVE-2022-30190) to infect targeted computers with malicious payloads. A cybersecurity solutions provider has observed the new malware using Follina to download the payload, execute it, and establish persistence on the target computer.
 

How is Follina exploited?

  • The malware, delivered to the victim via spam email, includes an OLE object that points to an HTML file hosted on an external server; that HTML file contains JavaScript code which exploits Follina.
  • When executed, the code retrieves a base64-encoded string containing PowerShell commands that create persistence in the Windows startup directory and run the malware.
  • The second-stage module, "ChimLacUpdate.exe," contains hardcoded encrypted shellcode and an AES decryption key. An API call decrypts the shellcode and executes it within the same running process.
  • After infection, XFiles carries out typical infostealer operations: targeting cookies, passwords, and browsing history stored in web browsers, stealing cryptocurrency wallets, taking screenshots, and searching for Discord and Telegram credentials.
  • The collected files are stored locally in newly created directories before being exfiltrated via Telegram.
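The chain described above leaves two telemetry signals a defender can look for: msdt.exe being launched through the ms-msdt: handler (the Follina vector, CVE-2022-30190) and a subsequent base64-encoded PowerShell command that writes into the user's Startup folder. The following is an added detection example, not code from the report or the malware: it decodes `-EncodedCommand` arguments from process-creation events and flags the Follina and Startup-folder patterns. The event format (`parent|image|command_line`) and all sample events are constructed for illustration; the file name ChimLacUpdate.exe is the one named in the report.

```python
import base64
import re

# Parent processes from which msdt.exe should not normally be spawned.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Path fragment of the per-user Startup folder (backslashes escaped for the regex).
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup", re.I)

# PowerShell accepts several abbreviations of -EncodedCommand; the blob is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def _encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64).
    Used here only to build the constructed sample events below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (assumed format: "parent|image|command_line").
SAMPLE_EVENTS = [
    # benign: an administrator running a script from a tools folder
    "explorer.exe|powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\\Tools\\inventory.ps1",
    # suspicious: Word launching msdt.exe through the ms-msdt: handler (Follina pattern)
    "WINWORD.EXE|msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic",
    # suspicious: msdt.exe spawning hidden, encoded PowerShell that copies a file into Startup
    "msdt.exe|powershell.exe|powershell.exe -w hidden -enc " + _encode_ps(
        'Copy-Item "$env:TEMP\\ChimLacUpdate.exe" '
        '"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"'
    ),
]


def decode_encoded_command(cmdline):
    """Return the decoded text of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE text
        return None


def analyze_event(event):
    """Return a list of finding labels for one process-creation event."""
    parent, image, cmdline = event.split("|", 2)
    parent, image = parent.lower(), image.lower()
    findings = []

    # Follina: msdt.exe reached via the ms-msdt: handler, or spawned by an Office application.
    if "ms-msdt:" in cmdline.lower() or (image == "msdt.exe" and parent in OFFICE_PARENTS):
        findings.append("follina-msdt")

    # Post-exploitation: msdt.exe should not be a parent of other processes.
    if parent == "msdt.exe":
        findings.append("msdt-child-process")

    # Decode encoded PowerShell so the Startup-folder check sees the real command text.
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded-powershell")
    text_to_check = decoded if decoded is not None else cmdline

    if STARTUP_RE.search(text_to_check):
        findings.append("startup-folder-persistence")
    return findings


def scan(events):
    """Map event index -> findings for every event that produced at least one finding."""
    results = {}
    for i, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Decoding the encoded command before matching is the important step: a rule that only inspects the raw command line never sees the Startup path, because it is hidden inside the base64 blob.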
 

Beware: XFiles is expanding

  • A cybersecurity solutions provider has noted that XFiles has expanded by recruiting new members and launching new projects.
  • One project launched by the group earlier this year is called the 'Punisher Miner'.
  • Ironically, the new mining tool costs $9, about the same as XFiles charges for one month of renting the infostealer.
 

Conclusion

It appears that the XFiles gang is expanding and becoming more prolific. The gang is recruiting talented malware authors, growing stronger, and thus providing its users with more ready-made tools that require no experience or coding knowledge. Successful incorporation of the Follina-exploiting document increases the chances of infection and consequently raises the success rate of attacks.
Cyware Publisher