Report of Infection Chain XLoader Abuses PDF, MS and Equation Editor Released

Industry: N/A | Level: Tactical | Source: Cyble

Cyble researchers have provided a report detailing an infection chain for XLoader information-stealing malware. The malware is often distributed through a spam email containing a PDF document with an embedded XLSX file. To manipulate the victim into accepting the Adobe prompt, the attackers cleverly named the file as “has been verified. However PDF, JPG, Docx, .xlsx” to trick the user into thinking the file name was part of Adobe's warning prompt. When the XLSX document executes, the RTF document downloads and exploits Microsoft Word’s equation editor vulnerability (CVE-2017-11882) to download and execute the downloaded malware. The XLoader malware was developed with stealthy techniques as identified by Cyble "The malware uses the steganography technique to hide malicious content in the compressed bitmap image embedded in the resource of the parent malware file." When the malware receives all its necessary payloads, it initiates process injection and creates persistence to the autorun registry key. In the malware's final stage, it collects credentials and data of interest to exfiltrate to the attacker's command and control server.

Anvilogic Scenario:

• XLoader Abuses PDF, MS and Equation Editor

Anvilogic Use Cases:

• Executable Process from Suspicious Folder
• Executable File Written to Disk
• New AutoRun Registry Key