Fortinet researchers have uncovered a new phishing campaign delivering the XWorm remote access trojan (RAT) by chaining a years-old Microsoft Office vulnerability with fileless execution techniques to evade detection.
The Attack Chain
The campaign uses business-themed phishing emails with malicious Excel add-ins that exploit CVE-2018-0802, a memory corruption flaw in Microsoft Office’s Equation Editor that was patched back in 2018. Despite being nearly seven years old, this vulnerability continues to be successfully exploited in the wild—a stark reminder of the patching gaps that still exist across organizations.
Once the initial payload executes, the attack chain progresses through HTA and PowerShell-based execution, keeping much of the malicious activity off disk and in memory to avoid traditional detection methods.
Fileless Techniques and Process Hollowing
What makes this campaign particularly concerning is its use of fileless techniques:
- A .NET stage loads directly into memory
- Process hollowing into msbuild.exe (a legitimate Microsoft build tool)
- AES-encrypted C2 communications
- Plugin-based modularity for expanded capabilities
The choice of msbuild.exe as the injection target is strategic—it’s a legitimate .NET-capable binary that helps the malware blend into normal system activity while meeting its runtime requirements.
XWorm’s Capabilities
Once deployed, XWorm provides attackers with extensive control over compromised systems, including:
- System control (shutdown, restart, uninstall, update)
- File download and execution
- Plugin loading for modular expansion
- Screenshot capture
- Keylogging
- DDoS capabilities
- Credential theft and data exfiltration
Key Takeaway for Defenders
This campaign underscores a critical reality: sophisticated attacks don’t require novel techniques. As security expert Shane Barney noted, “The sophistication isn’t in the novelty, it’s in the assembly.”
Organizations should prioritize:
- Patch management — Legacy vulnerabilities like CVE-2018-0802 remain viable attack surfaces
- Script execution policies — Restrict PowerShell and HTA execution where possible
- Behavioral detection — Monitor for suspicious msbuild.exe activity and process injection
- Email security — Filter malicious attachments before they reach users
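As an added illustration of the behavioral-detection item above (example code written for this page, not from Fortinet's or CSO Online's report), the Python script below walks constructed Sysmon-style process-creation records and flags msbuild.exe launches whose parent chain runs back through a script host (mshta.exe, powershell.exe) or an Office application, which is the Excel -> HTA -> PowerShell -> msbuild.exe shape described in the article. The event fields, the sample records, and the process-name lists are assumptions.

```python
# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'EXCEL.EXE "C:\Users\u\Downloads\invoice.xlam"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Local\Temp\stage.hta"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # Benign comparison: a developer build launched from Visual Studio.
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj /t:Build"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}          # assumed list
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def ancestry(events, pid, max_depth=8):
    """Process names from the given pid up to its ancestors (child first)."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain

def find_suspicious_msbuild(events):
    """Return msbuild.exe launches whose ancestry includes an Office app or script host."""
    hits = []
    for e in events:
        if basename(e["image"]) != "msbuild.exe":
            continue
        chain = ancestry(events, e["pid"])
        parents = chain[1:]
        reasons = []
        if any(p in OFFICE_APPS for p in parents):
            reasons.append("office-ancestor")
        if any(p in SCRIPT_HOSTS for p in parents):
            reasons.append("script-host-ancestor")
        if not reasons:
            continue  # ancestry is the firing condition; the next check is only context
        if not any(a.lower().endswith(PROJECT_EXTS) for a in e["cmdline"].split()[1:]):
            reasons.append("no-project-argument")  # weak signal, consistent with hollowing
        hits.append({"pid": e["pid"], "chain": " <- ".join(chain), "reasons": reasons})
    return hits
```

Running it on the constructed events flags only pid 500 with the full Excel-to-msbuild chain, while the Visual Studio build (pid 700) passes untouched.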
Source: CSO Online
