Privacy Ninja

XFiles Info-stealing Malware Adds Support for Follina Delivery

XFiles Info-stealing Malware Adds Support for Follina Delivery

The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers.

The flaw, discovered as a zero-day at the end of May and fixed with Microsoft’s Windows update on June 14, enables the execution of PowerShell commands simply by opening a Word document.

In the case of the XFiles malware, researchers at Cyberint noticed that recent campaigns delivering the malware use Follina to download the payload, execute it, and also create persistence on the target machine.

Exploiting Follina

The malicious document, which most likely reaches the target via spam email, contains an OLE object pointing to an HTML file on an external resource that contains JavaScript code exploiting Follina.

Also Read: Top 5 Importance Of Website Maintenance Singapore

JavaScript code exploiting CVE-2022-30190
JavaScript code exploiting CVE-2022-30190 (Cyberint)

This results in the fetching of a base64-encoded string that contains PowerShell commands to create persistence in the Windows startup directory and execute the malware.

The second-stage module uses the filename “ChimLacUpdate.exe” and includes a hardcoded encrypted shellcode and AES decryption key. It’s decrypted and executed in the same running process via an API call.

The resulting shellcode
The resulting shellcode (Cyberint)

After the infection process has been completed, XFiles begins typical info-stealer malware operations like targeting cookies, passwords, and history stored in web browsers, cryptocurrency wallets, taking screenshots, and looking for Discord and Telegram credentials.

XFile logs accessed via the panel
XFile logs accessed via the malware’s panel (Cyberint)

The files are stored locally in newly-created directories and eventually exfiltrated via Telegram, taking advantage of the anonymity in the communications platform.

Stealer's working directory on the host
Stealer’s working directory on the host (Cyberint)

XFiles expanding

Cyberint has been following the ‘XFiles Reborn’ operation for a while and notes that the group behind it has expanded by recruiting new members and launching new projects.

XFiles Reborn operation main page
XFiles Reborn operation main page (Cyberint)

One notable recruitment was that of the author of the ‘Whisper Project’, an info-stealer that was quickly gaining traction in the cybercrime underground but was suddenly discontinued when the creator joined XFiles.

One of the new projects launched by the group earlier this year is called the ‘Punisher Miner’, advertised as a highly evasive and stealthy miner supporting Monero, Toncoin, and Ravecoin.

Also Read: 13 Special Skills To Become a Front End Developer Singapore

Punisher Miner promotional page
Punisher Miner promotional page (Cyberint)

The new mining tool is sold for 500 rubles ($9), which is as much as XFiles charges for one month of renting the info-stealer.

In conclusion, the gang appears to be growing bigger and more prolific, recruiting talented malware authors to offer their users more “ready to deploy” tools that don’t require experience or coding knowledge.

Incorporating the Follina-exploiting document reduces the infection friction and increases the rate of successful attacks.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us