Red Hot Cyber
Storm-0900 Phishing Campaign Spreads XWorm Malware

4 December 2025 07:25

Over the holiday season, Microsoft Threat Intelligence analysts detected and blocked a coordinated attack involving tens of thousands of emails crafted to deceive recipients.

The cybercriminal group tracked as Storm-0900 launched a large-scale phishing campaign targeting users across the United States. The campaign relied on two main social engineering themes: fake parking ticket notifications and fraudulent medical test results.

Microsoft Threat Intelligence analysts and security researchers discovered that this campaign led to the spread of XWorm, a widespread modular remote access malware used by many threat actors across the cyber threat landscape.

By timing the lures around the Thanksgiving holiday, the attackers created a sense of credibility and urgency that lowered victims' suspicion and increased the likelihood that users would click through and be compromised.

The campaign's success relied on multiple layers of deception and technical sophistication. The phishing emails contained URLs that led to an attacker-controlled landing page hosted on the malicious domain permit-service[.]top.

To strengthen the deception and evade automated analysis, the attackers added an interactive step: on reaching the landing page, users were prompted to complete a slider-style CAPTCHA by dragging a control across the screen.

To most users this step looked like a routine anti-bot check. In practice it gated the payload behind a human action, which confirms that a real person (rather than a URL scanner or sandbox following the link) is interacting with the page, and that the target is a viable candidate for malware delivery.

Once the user completed the interaction on the phishing page, the malware was delivered to the device, giving the attackers persistent access and control.
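The delivery chain described above (a themed lure, a link to the landing domain, a payload delivered only after interaction) is what a mail-gateway rule or SOC triage script would key on. The following Python snippet is an added example, not tooling from Microsoft or from this article. The only indicator it takes from the text is the landing domain permit-service[.]top; the sample messages, the keyword lists and the `.test` hostnames are constructed for illustration.

```python
"""Triage helper for the Storm-0900 phishing wave described above.

Added example for this article, not Microsoft's or Red Hot Cyber's tooling.
The only indicator taken from the article is the landing domain
permit-service[.]top; the mail records below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicator from the article, written defanged as threat-intel feeds do.
DEFANGED_IOCS = ["permit-service[.]top"]

# Lure themes named in the article (parking ticket / medical results).
# Keyword lists are an assumption for illustration, not from the article.
THEME_KEYWORDS = {
    "parking": ("parking", "citation", "permit", "violation"),
    "medical": ("test result", "lab result", "patient portal", "clinic"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS}


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (case-insensitive,
    trailing dot tolerated). A lookalike that merely *starts* with the IOC
    domain, e.g. permit-service.top.evil.test, does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def extract_urls(body: str) -> List[str]:
    """Pull http(s) URLs out of a plain-text message body."""
    return URL_RE.findall(body)


def classify_theme(subject: str, body: str) -> Optional[str]:
    """Return the first lure theme whose keywords appear in the message."""
    text = f"{subject} {body}".lower()
    for theme, words in THEME_KEYWORDS.items():
        if any(w in text for w in words):
            return theme
    return None


def triage(message: Dict[str, str]) -> Dict[str, object]:
    """Score one message: IOC hit on any linked host wins outright;
    a matching lure theme without an IOC hit is queued for review."""
    hits = []
    for url in extract_urls(message["body"]):
        host = urlparse(url).hostname or ""
        if domain_matches(host):
            hits.append(url)
    theme = classify_theme(message["subject"], message["body"])
    verdict = "block" if hits else ("review" if theme else "allow")
    return {"id": message["id"], "verdict": verdict, "ioc_urls": hits, "theme": theme}


# Constructed sample messages (not real campaign emails).
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Unpaid parking citation - final notice",
     "body": "Pay now at https://pay.permit-service.top/ticket?id=4471 to avoid fees."},
    {"id": "m2", "subject": "Your lab results are ready",
     "body": "Sign in to the patient portal: https://portal.example-health.test/results"},
    {"id": "m3", "subject": "Weekly newsletter",
     "body": "Read more at https://news.example.test/issue/12"},
]


def run_triage(messages=SAMPLE_MESSAGES) -> List[Dict[str, object]]:
    """Triage a batch of messages and return one verdict record each."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for result in run_triage():
        print(result)
```

The theme check deliberately only raises messages for review rather than blocking them: a themed lure that points at a domain not yet on the indicator list is exactly the case where a new landing domain would be missed, so it is worth a human look, while the domain match alone is strong enough to block.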

XWorm functions as a modular malware platform, meaning threat actors can load different plugins to perform various tasks on compromised devices.

Editorial Team (Redazione)

The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.