Context:
Fortinet's analysis of this campaign describes a multi-stage infection chain that delivers the XWorm remote access trojan (RAT) through themed phishing emails. The attackers rotate lures (financial documents, invoices, and routine business correspondence) to raise the chance that a recipient opens the message. Each email carries a malicious attachment; social engineering, not an exploit, is what gets the attachment opened and the infection started.
Once the attachment is executed, it kicks off a sequence of script-based actions (batch and/or PowerShell) that stage and launch the final payload. Scripting and obfuscation at this stage are there to slip past signature-based detection and to slow down analysis. The final payload, XWorm, is then written to the compromised host and given persistence so the operators keep access across reboots and logoffs.
After execution, XWorm talks to its command-and-control (C2) infrastructure over web protocols (HTTP/HTTPS), which lets the operators issue commands to the infected host and pull back collected data. The RAT's collection features cover system details and potentially user-related information such as stored credentials; whatever is gathered leaves over the same C2 channel, so there is no separate exfiltration path to look for.
MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | The infection begins with phishing emails whose attachments are themed as financial or business documents to lure users into opening them. |
| Execution | T1204.002 | User Execution: Malicious File | The victim manually opens the malicious attachment, triggering the infection chain. |
| Execution | T1059 | Command and Scripting Interpreter | The attachment runs scripts (batch and/or PowerShell) to stage and deliver the next payload. |
| Execution | T1106 | Native API | The staged XWorm payload is executed on the host, giving the attacker control. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The malware establishes persistence by adding itself to autorun locations on the system. |
| Discovery | T1082 | System Information Discovery | XWorm gathers system-related information from the infected host. |
| Credential Access | T1555 | Credentials from Password Stores | XWorm can collect sensitive data, including credentials and browser-stored information, from the infected system. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | The malware communicates with its C2 infrastructure over HTTP/HTTPS to receive commands and transmit data. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Collected data is exfiltrated through the established C2 communication channel. |
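The mapping above is only useful if it turns into detection logic, so here is an added example (not Fortinet's code and not taken from the campaign writeup) that walks a handful of Sysmon-style endpoint events and tags each suspicious one with the technique ID from the table. The three stages it keys on are the ones the chain exposes on an endpoint: a mail client or archiver spawning a script host (T1204.002 / T1059), a write to a Run key or the Startup folder (T1547.001), and a web-port connection from a binary living in a user-writable path (T1071.001). All event field names follow Sysmon's schema, but the event values, paths, the registry value name and the encoded PowerShell argument are constructed for the example; the parent-process, flag and path lists are assumptions about what "looks like this chain" and should be tuned to your environment.

```python
"""Toy chain detector for the XWorm-style infection described on this page.

Added example, not code from Fortinet or from the campaign. Input is a list of
constructed Sysmon-style events (event 1 = process create, 3 = network connect,
11 = file create, 13 = registry value set). Each hit is tagged with the ATT&CK
technique from the mapping table.
"""
from dataclasses import dataclass

# Assumption: processes that a user-opened attachment is typically launched from.
USER_FACING_PARENTS = {"outlook.exe", "winrar.exe", "7zfm.exe", "explorer.exe", "winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumption: PowerShell argument fragments that rarely appear in benign admin use.
SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                       "frombase64string", "downloadstring", "invoke-expression", "iex ")
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
WEB_PORTS = {80, 443, 8080, 8443}


@dataclass
class Event:
    event_id: int            # Sysmon event ID
    image: str               # process that performed the action
    parent_image: str = ""   # event 1 only
    command_line: str = ""   # event 1 only
    target_object: str = ""  # registry path (13) or file path (11)
    dest_port: int = 0       # event 3 only


def _name(path):
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a list of (technique_id, reason) for one event; empty if nothing matched."""
    hits = []
    img, parent, cl = _name(ev.image), _name(ev.parent_image), ev.command_line.lower()
    if ev.event_id == 1:
        if parent in USER_FACING_PARENTS and img in SCRIPT_HOSTS:
            hits.append(("T1204.002", f"{parent} launched script host {img}"))
            hits.append(("T1059", f"{img} started with: {ev.command_line}"))
        elif img in {"powershell.exe", "pwsh.exe"} and any(f in cl for f in SUSPICIOUS_PS_FLAGS):
            hits.append(("T1059", f"{img} with encoded or hidden-window arguments"))
    elif ev.event_id == 13 and any(m in ev.target_object.lower() for m in RUN_KEY_MARKERS):
        hits.append(("T1547.001", f"autorun value written: {ev.target_object}"))
    elif ev.event_id == 11 and STARTUP_FOLDER_MARKER in ev.target_object.lower():
        hits.append(("T1547.001", f"file dropped into Startup folder: {ev.target_object}"))
    elif ev.event_id == 3 and ev.dest_port in WEB_PORTS and any(d in ev.image.lower() for d in USER_WRITABLE_DIRS):
        hits.append(("T1071.001", f"web-port connection from user-writable path {ev.image}:{ev.dest_port}"))
    return hits


def analyze(events):
    """Map technique ID -> list of reasons across a batch of events."""
    found = {}
    for ev in events:
        for tid, why in classify(ev):
            found.setdefault(tid, []).append(why)
    return found


def chain_detected(found):
    """True only when execution, persistence and C2 stages of the mapped chain all appear."""
    execution_seen = bool({"T1204.002", "T1059"} & found.keys())
    return execution_seen and "T1547.001" in found and "T1071.001" in found


# Constructed sample telemetry: one benign browser launch and one benign browser
# connection mixed in with the three stages of the chain.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Invoice_0423.bat"'),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\System32\cmd.exe",
          "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),  # constructed
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Windows\explorer.exe", "chrome.exe"),
    Event(13, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target_object=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"),
    Event(3, r"C:\Users\alice\AppData\Roaming\Microsoft\svchost.exe", dest_port=443),
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe", dest_port=443),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for tid, reasons in sorted(result.items()):
        for r in reasons:
            print(f"{tid}: {r}")
    print("full chain observed:", chain_detected(result))
```

Two design points worth keeping when you port this to a real SIEM rule: the C2 heuristic deliberately does not flag every HTTPS connection, only those from binaries in user-writable directories, because XWorm's web-protocol traffic is otherwise indistinguishable from a browser's; and `chain_detected` requires all three stages so that a single encoded PowerShell command from an admin does not page anyone, while the Run-key write plus the outbound connection from `AppData` together do.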
References
https://www.fortinet.com/blog/threat-research/deep-dive-into-new-xworm-campaign-utilizing-multiple-themed-phishing-emails