FortiGuard researchers uncover multi-stage infection chain ending in full remote compromise
Security researchers at FortiGuard have identified a new phishing campaign distributing an updated version of the XWorm Remote Access Trojan (RAT). Active since 2022 and widely sold in underground Telegram markets, XWorm provides full remote control over infected Windows systems.
This latest campaign demonstrates a highly structured infection chain — beginning with a simple email and ending with complete device compromise.
Stage 1: Business-Themed Phishing Email
The campaign uses legitimate-looking business emails, commonly themed around:
- Payment review requests
- Purchase orders
- Banking documents
- Shipping confirmations
The attachment is delivered as an Excel Add-in file (.XLAM). Once opened, the infection sequence begins.
Stage 2: Exploiting CVE-2018-0802
The malicious file contains an embedded OLE object exploiting CVE-2018-0802, a vulnerability in Microsoft Equation Editor.
Execution chain:
- Launches EQNEDT32.EXE
- Executes shellcode
- Downloads an HTA file
- Initiates PowerShell execution
Despite being an older vulnerability, it continues to be actively weaponized in current campaigns.
Stage 3: Fileless Execution
The HTA file contains obfuscated JScript that:
- Decodes a Base64 payload
- Downloads a seemingly benign JPG image
- Extracts a hidden .NET module embedded within the image
The payload is unpacked directly in memory without writing to disk.
It then uses Process Hollowing to inject XWorm into Msbuild.exe — a legitimate Windows process frequently abused due to its .NET runtime compatibility.
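As an added illustration, not code from FortiGuard's report, the following Python sketch flags the process lineage of Stages 2 and 3 in constructed process-creation events; it assumes the HTA is run through mshta.exe and that Equation Editor is launched over DCOM, so its own parent is normally svchost.exe rather than Excel.

```python
# Added example: detect the EQNEDT32 -> HTA -> PowerShell -> MSBuild lineage
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name as logged, e.g. from Sysmon Event ID 1

# Parent -> child pairs that reproduce the article's execution chain (assumptions:
# the HTA runs under mshta.exe; eqnedt32.exe is started via DCOM, so its parent
# is usually svchost.exe, hence it is keyed here as a parent, not as a child).
SUSPICIOUS_LINKS = {
    "eqnedt32.exe": {"mshta.exe", "powershell.exe", "cmd.exe"},
    "mshta.exe": {"powershell.exe"},
    "powershell.exe": {"msbuild.exe"},
}

def lineage(events, pid):
    """Return image names from the earliest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return chain[::-1]

def suspicious_lineages(events, min_links=2):
    """Lineages of leaf processes with at least min_links suspicious parent->child links."""
    parents = {e.ppid for e in events}
    hits = []
    for leaf in (e for e in events if e.pid not in parents):
        chain = lineage(events, leaf.pid)
        links = sum(1 for p, c in zip(chain, chain[1:]) if c in SUSPICIOUS_LINKS.get(p, ()))
        if links >= min_links:
            hits.append(chain)
    return hits

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE"),
    ProcEvent(300, 50, "EQNEDT32.EXE"),     # DCOM launch; parent (svchost) not logged here
    ProcEvent(400, 300, "mshta.exe"),
    ProcEvent(500, 400, "powershell.exe"),
    ProcEvent(600, 500, "MSBuild.exe"),     # hollowed host for the RAT
    ProcEvent(700, 100, "powershell.exe"),  # benign admin shell from explorer
    ProcEvent(800, 700, "MSBuild.exe"),     # benign build: only one suspicious link
]
```

Requiring two consecutive suspicious links keeps an ordinary PowerShell-driven MSBuild run below the threshold while the full exploit lineage is reported.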
Command and Control Communication
Upon execution, the malware sends a registration packet encrypted with AES to its C2 server:
berlin101[.]com:6000
The data collected includes:
- Username
- Operating system version
- RAM details
- GPU information
- Installed antivirus
- Administrative privileges
- Presence of a camera
Capabilities of XWorm 7.2
The observed variant, UD_XWormClient 7.2, supports:
- Credential and cookie theft
- Keylogging
- Webcam and microphone access
- Ransomware functionality
- DDoS operations
- Plugin-based modular expansion (50+ modules)
- Rootkit and bootkit features
- Windows Defender disabling
- Full file system and registry control
Plugins are stored in the Windows Registry and executed on demand, reinforcing its modular design.
Why This Campaign Is Significant
This operation demonstrates:
- Fileless execution techniques
- Exploitation of legacy vulnerabilities
- Process Hollowing for evasion
- AES-encrypted C2 traffic
- Modular architecture for scalability
XWorm is no longer a basic commodity RAT — it functions as a full-featured post-exploitation framework.
Defensive Measures
Fortinet reports that:
- FortiMail detects related emails as malicious
- Updated antivirus signatures are available
- Web filtering and IPS block malicious URLs
- Content Disarm and Reconstruction (CDR) neutralizes embedded OLE objects
Conclusion
The campaign reinforces several persistent realities in cyber defence:
- Old vulnerabilities remain effective attack vectors
- Phishing continues to be the primary entry point
- Fileless and memory-resident techniques complicate detection
For organizations running Windows environments, a single phishing email may initiate a full compromise chain.