Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute PowerShell-based loaders that inject RAT payloads directly into memory, enabling fileless execution. The campaign also employs SVG files with embedded JavaScript to trigger the malware download, exploiting non-traditional file formats to evade detection. The infection process involves multiple stages, including persistence mechanisms, PowerShell script execution, and the use of loaders to decrypt and deploy the final payload. This evolving threat landscape highlights the need for advanced security measures to counter such sophisticated attacks.
OPENCTI LABELS :
powershell,rat,phishing,xworm,obfuscation,remcos,evasion techniques,bat scripts,svg,fileless execution
AI COMMENTARY :
1. Introduction
A newly identified malware campaign is raising alarms within the cybersecurity community by combining innovative delivery methods and advanced evasion tactics to deploy Remote Access Trojans (RATs) including XWorm and Remcos. Observers have traced the initial infection vector to ZIP archives hosted on ostensibly trusted platforms such as ImgKit and distributed through phishing emails. By leveraging obfuscated BAT scripts and PowerShell-based loaders, the adversaries achieve seamless fileless execution, effectively bypassing traditional detection mechanisms and establishing a foothold within target environments.
2. Attack Vector and Delivery Mechanism
The campaign begins with a meticulously crafted ZIP attachment arriving via phishing emails or downloadable links hosted on Content Delivery Networks (CDNs). Once extracted, the archive exposes a set of BAT scripts whose sole purpose is to invoke hidden PowerShell commands. These scripts appear innocuous at first glance but contain layers of obfuscation that thwart static analysis. The reliance on established services like ImgKit and CDNs serves to impart a veneer of legitimacy, increasing the likelihood that recipients will execute the archive without suspicion.
3. Obfuscated BAT Scripts and PowerShell Loaders
At the heart of this operation are the obfuscated BAT scripts that chain into PowerShell. Upon execution, these scripts dynamically reconstruct loader code in memory, making direct disk-based detection nearly impossible. The PowerShell loader then proceeds to fetch additional payload components or decrypt embedded shellcode, injecting the final RATs into the host process. This technique not only streamlines the infection process but also capitalizes on the inherent trust placed in PowerShell by system administrators and scripting frameworks.
4. SVG Files with Embedded JavaScript
Adding a creative twist, the threat actors exploit Scalable Vector Graphics (SVG) files as an alternate delivery vector. By embedding malicious JavaScript within the XML structure of the SVG, the campaign triggers the download of the BAT scripts when the file is viewed in a vulnerable browser or application. This non-traditional file format allows the attackers to circumvent defenses that do not inspect image files for executable content, highlighting their adept use of unconventional evasion techniques.
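The section above and the mitigation section's call for content inspection of image files both come down to one check: does an SVG carry active content? As an added example (not code from the OpenCTI report or any vendor product), the Python inspector below walks an SVG's XML tree and flags script elements, event-handler attributes, script-scheme links and foreign-content containers. The two sample files and the placeholder() names inside them are constructed for the demonstration.

```python
"""Flag active content in SVG files before a gateway or proxy lets them through.
Added example for this report; the sample SVGs below are constructed."""
import xml.etree.ElementTree as ET

# Link schemes that make a click or load execute code rather than fetch an image.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
# Elements that embed arbitrary HTML or external objects inside an "image".
FOREIGN_CONTENT = ("foreignobject", "iframe", "embed", "object")


def _local(qualified_name):
    # ElementTree writes qualified names as "{namespace}local"; keep only "local".
    return qualified_name.rsplit("}", 1)[-1].lower()


def inspect_svg(svg_text):
    """Return a list of (finding, detail) tuples; an empty list means nothing active was found.
    A document that does not even parse is reported rather than silently passed."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()[:60]))
        elif name in FOREIGN_CONTENT:
            findings.append(("foreign-content", name))
        for attr, value in elem.attrib.items():
            aname = _local(attr)            # handles xlink:href as well as plain href
            if aname.startswith("on"):      # onload, onclick, onerror, ...
                findings.append(("event-handler", f"{name}@{aname}"))
            elif aname == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append(("script-scheme-href", value.strip()[:60]))
    return findings


def is_safe_svg(svg_text):
    """Policy wrapper: only an SVG with no findings at all is allowed through."""
    return not inspect_svg(svg_text)


# Constructed sample: a plain vector drawing with no active content.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

# Constructed sample: onload handler, javascript: link and a script element whose
# body is a harmless placeholder comment; placeholder() is not a real function.
ACTIVE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="placeholder()">
  <rect width="10" height="10"/>
  <a xlink:href="javascript:placeholder()"><text>open</text></a>
  <script>/* constructed placeholder, no real payload */</script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("active", ACTIVE_SVG)):
        print(label, inspect_svg(doc))
```

The inspector deliberately treats an unparseable file as a finding: a gateway that quietly passes what it cannot parse is the gap an attacker looks for. It does not try to judge what the script does; any script, handler or script-scheme link in an attachment that is supposed to be a picture is enough to quarantine it.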
5. Fileless Execution and In-Memory Payload Injection
The defining characteristic of this malware operation is its fileless execution model. After the initial loader retrieves the encrypted RAT payload, it decrypts and injects the malicious code directly into the memory space of legitimate processes. This in-memory injection eliminates the need for writing executable files to disk and severely limits forensic visibility. By leveraging this approach, the attackers maintain persistence while minimizing observable artifacts on the compromised host.
6. XWorm and Remcos Capabilities
The final payloads, XWorm and Remcos, deliver robust remote access capabilities that facilitate comprehensive system compromise. XWorm offers keylogging, screen capture, and credential theft, whereas Remcos provides advanced remote control, file management, and live surveillance. Both RATs support modular expansions, allowing the adversary to tailor additional plugins to suit specific operational goals, further extending the campaign's flexibility and threat potential.
7. Evasion and Obfuscation Techniques
Throughout this campaign, the attackers rely heavily on obfuscation to conceal malicious intent. The layered encoding of BAT scripts, the dynamic reconstruction of PowerShell commands, and the use of SVG files exemplify a multi-pronged evasion strategy. By combining fileless execution with non-traditional file formats and trusted hosting services, the adversary reduces the likelihood of detection by conventional signature-based and behavioral analysis tools.
8. Defensive Strategies and Mitigation
In light of these sophisticated tactics, organizations must adopt an equally advanced defense posture. Implementing application allowlisting, enhancing PowerShell logging and analysis, and deploying runtime memory monitoring can help detect anomalous script behavior. Additionally, scrutinizing inbound email attachments and CDN-hosted downloads, coupled with content inspection of image files, will thwart attempts to leverage SVG-based exploits. Ultimately, a layered security architecture that integrates endpoint detection and response with threat intelligence will prove essential in countering this evolving malware campaign.
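Two of the points above, the obfuscated BAT-to-PowerShell chain in section 3 and the PowerShell logging and analysis recommended in section 8, can be exercised with one triage script. As an added example (not code from the OpenCTI report or any vendor tool), the Python below does two things: it normalises a BAT launcher by undoing the caret-escape and %VAR:~start,len% substring tricks that cmd.exe obfuscators lean on, and it scores PowerShell script-block text, the content Event ID 4104 logging records, for loader indicators, decoding any -EncodedCommand blob it meets and scanning that too. The BAT lines, the stage-2 stub and the log samples are all constructed; the stub references an undefined $stage2 and does nothing.

```python
"""BAT-launcher normalisation and PowerShell script-block indicator scan.
Added example for this report; every sample here is constructed."""
import base64
import re

# An -EncodedCommand blob: base64 of UTF-16LE script text, 20+ characters.
ENC_BLOB = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Loader indicators as (name, regex). Tune to the environment; these are starting points.
INDICATORS = [
    ("encoded-command", ENC_BLOB),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass-policy", re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I)),
    ("invoke-expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("base64-decode", re.compile(r"frombase64string", re.I)),
    ("memory-api", re.compile(r"virtualalloc|writeprocessmemory|createremotethread|\[reflection\.assembly\]::load", re.I)),
]

SUBSTR = re.compile(r"%([A-Za-z_]\w*):~(-?\d+)(?:,(-?\d+))?%")   # %VAR:~start,len%
PLAIN = re.compile(r"%([A-Za-z_]\w*)%")                            # %VAR%
CARET = re.compile(r"\^(.)")                                       # ^ escapes the next char
SET_LINE = re.compile(r"^\s*set\s+([A-Za-z_]\w*)=(.*)$", re.I)     # plain "set NAME=value" only


def normalize_bat(line, env):
    """Expand %VAR:~s,l% and %VAR% against env, then drop escape carets.
    cmd.exe does percent expansion before caret handling, so that order is kept."""
    def substr(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)                     # unknown variable: leave as written
        piece = value[int(m.group(2)):]           # negative start counts from the end, as in cmd
        return piece[:int(m.group(3))] if m.group(3) is not None else piece
    line = SUBSTR.sub(substr, line)
    line = PLAIN.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), line)
    return CARET.sub(r"\1", line)


def triage_bat(lines, env):
    """Walk a BAT file in order, learning `set NAME=value` assignments as it goes.
    Returns (normalised lines, indicator names found in the normalised text)."""
    env = dict(env)
    out = []
    for raw in lines:
        line = normalize_bat(raw, env)
        m = SET_LINE.match(line)
        if m:
            env[m.group(1).upper()] = m.group(2)
        out.append(line)
    return out, scan_script("\n".join(out))


def decode_encoded_commands(text):
    """Return the UTF-16LE payloads of any -EncodedCommand blobs in text."""
    decoded = []
    for m in ENC_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except ValueError:                        # not a real blob; the outer indicator still fires
            continue
    return decoded


def scan_script(text):
    """Return sorted indicator names; hits inside a decoded blob are prefixed 'decoded:'."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    for payload in decode_encoded_commands(text):
        hits.update("decoded:" + h for h in scan_script(payload))
    return sorted(hits)


# Constructed environment and samples.
ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}
# Stage-2 stub in the base64-then-IEX shape the report describes; $stage2 is undefined.
DECODED_PAYLOAD = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($stage2)))"
ENCODED_PAYLOAD = base64.b64encode(DECODED_PAYLOAD.encode("utf-16-le")).decode()
BAT_SAMPLE = [
    "@echo off",
    "set o=%COMSPEC:~7,1%",                       # 'o' carved out of C:\Windows\system32\cmd.exe
    "set w=%COMSPEC:~8,1%",                       # 'w'
    "set p=p%o%%w%ersh^ell",                      # reassembles 'powershell'
    "start /min %p% -w hidden -ep bypass -enc " + ENCODED_PAYLOAD,
]
LOG_SAMPLES = [                                   # script-block text as Event ID 4104 records it
    r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB",
    "$b=[Convert]::FromBase64String($blob);[Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)",
]

if __name__ == "__main__":
    lines, hits = triage_bat(BAT_SAMPLE, ENV)
    print("\n".join(lines))
    print(hits)
    for sample in LOG_SAMPLES:
        print(scan_script(sample))
```

The BAT normaliser is a deliberately small subset of cmd.exe: it knows plain `set NAME=value`, `%VAR%`, `%VAR:~s,l%` and caret escapes, which is enough to surface the PowerShell invocation the launcher hides; delayed expansion (`!VAR!`), `set /a` and quoted `set "x=y"` forms are not handled and would need adding for samples that use them. On the logging side, the value of scanning the decoded blob is that indicators such as IEX and FromBase64String only exist inside it, so a rule that looks at the raw command line alone sees nothing but a base64 string.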