XFiles Info-stealing Malware Adds Support for Follina Delivery
The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers.
In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine.
This results in the fetching of a base64-encoded string that contains PowerShell commands to create persistence in the Windows startup directory and execute the malware.
The second-stage module uses the filename “ChimLacUpdate.exe” and includes a hardcoded encrypted shellcode and AES decryption key. It’s decrypted and executed in the same running process via an API call.
After the infection process has been completed, XFiles begins typical info-stealer malware operations like targeting cookies, passwords, and history stored in web browsers, cryptocurrency wallets, taking screenshots, and looking for Discord and Telegram credentials.
The files are stored locally in newly-created directories and eventually exfiltrated via Telegram, taking advantage of the anonymity in the communications platform.
Cyberint has been following the ‘XFiles Reborn’ operation for a while and notes that the group behind it has expanded by recruiting new members and launching new projects.
One notable recruitment was that of the author of the ‘Whisper Project’, an info-stealer that was quickly gaining traction in the cybercrime underground but was suddenly discontinued when the creator joined XFiles.
One of the new projects launched by the group earlier this year is called the ‘Punisher Miner’, advertised as a highly evasive and stealthy miner supporting Monero, Toncoin, and Ravecoin.
The new mining tool is sold for 500 rubles ($9), which is as much as XFiles charges for one month of renting the info-stealer.
In conclusion, the gang appears to be growing bigger and more prolific, recruiting talented malware authors to offer their users more “ready to deploy” tools that don’t require experience or coding knowledge.
Incorporating the Follina-exploiting document reduces the infection friction and increases the rate of successful attacks.