[MART] - Daily Diary #543 - XFiles Abuses the Follina Vulnerability

CTAS-MAT ctas-mat at appgate.com
Fri Jul 1 20:48:44 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/01/2022 - Diary entry #543:

XFiles is an information stealer written in C#, advertised on hacking forums, that uses Telegram for Command & Control. Recently, the XFiles authors added a new delivery module that exploits the CVE-2022-30190 vulnerability (also known as Follina) to start the infection process.

XFiles exploits Follina (covered in our Daily Diary #539) through malicious Office documents distributed via spam. Once executed, the document delivers an OLE object that points to an external resource, which executes JavaScript code. This in turn produces a base64-encoded string containing PowerShell commands that create persistence in the Windows startup directory and execute the malware. Once the infection process is complete, XFiles starts its data-stealing operations.

XFiles is one of the many pieces of malware that deliver malicious code through Office documents. We recommend that organizations always keep their Office solutions up to date (preferably using O365 online to manipulate documents) and train employees not to open suspicious documents distributed through spam.

Kind Regards,
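
A triage check for the delivery stage described in this entry, added here as an example and not part of the original diary: it lists OLE object relationships in an Office package whose target lives outside the file. The function names, the sample packages and the `example.invalid` host are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_ole_targets(docx_bytes):
    """Return (rels part, target) for each OLE relationship hosted outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            data = zf.read(name)
            # Relationship parts never need a DTD; refusing one avoids
            # entity-expansion tricks against the scanner itself.
            if b"<!DOCTYPE" in data:
                findings.append((name, "<DOCTYPE in relationships part>"))
                continue
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                findings.append((name, "<unparseable relationships part>"))
                continue
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                external = rel.get("TargetMode", "").lower() == "external"
                ole = rel.get("Type", "") == DOC_REL + "oleObject"
                if external and ole:
                    findings.append((name, rel.get("Target", "")))
    return findings

def build_docx(relationships):
    """Build a minimal constructed package holding only document.xml.rels."""
    xml = '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, relationships)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

# Constructed samples: placeholder host, not taken from any real campaign.
SUSPICIOUS = build_docx(
    '<Relationship Id="rId1" Type="%soleObject" '
    'Target="https://example.invalid/stage.html" TargetMode="External"/>' % DOC_REL)
BENIGN = build_docx(
    '<Relationship Id="rId1" Type="%shyperlink" '
    'Target="https://example.invalid/" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="%soleObject" '
    'Target="embeddings/oleObject1.bin"/>' % (DOC_REL, DOC_REL))
```

An external hyperlink or an embedded OLE object is not reported; only an OLE relationship with `TargetMode="External"` is, which makes the check suitable for mail-gateway or attachment-sandbox triage.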
