New XWorm RAT Campaign Leverages Phishing and CVE-2018-0802 Excel Exploit to Bypass Detection


XWorm, a multi-functional .NET‑based RAT first observed in 2022, remains actively traded across cybercrime marketplaces and continues to attract both low-skilled and advanced operators thanks to its rich feature set and plugin-based architecture.

Once deployed, it enables full remote control of compromised Windows systems, including data theft, remote desktop control, DDoS attacks, and ransomware execution.

The campaign begins with multiple themed phishing emails that masquerade as payment details, purchase orders, and signed banking or shipment documents in various languages, all carrying a malicious Excel add‑in attachment.

These lures rely on simple business pretexts to persuade targets to open the .XLAM file, which in turn abuses an embedded Object Linking and Embedding (OLE) object to trigger CVE‑2018‑0802 in the legacy Microsoft Equation Editor component.

New research from FortiGuard Labs has revealed a multi-stage phishing campaign delivering a new variant of the XWorm Remote Access Trojan (RAT) via malicious Excel attachments that exploit CVE‑2018‑0802.

CVE‑2018‑0802 is a memory corruption flaw in Microsoft Office that allows remote code execution when Equation Editor parses specially crafted objects, and it remains on CISA’s Known Exploited Vulnerabilities list despite being patched years ago.

Overview of the XWorm phishing campaign infection chain (Source: FortiGuard Labs).

When the victim opens the attachment, Equation Editor automatically loads the malformed OLE object and executes shellcode that reaches out to a remote server to download an obfuscated HTML Application (HTA) file.

Malformed OLE object stream exploiting CVE-2018-0802 (Source: FortiGuard Labs).

The shellcode uses standard Windows HTTP APIs to retrieve the HTA payload and then launches it via ShellExecute, keeping the initial dropper logic tightly embedded within the Office exploitation flow.

To execute the downloaded HTA file on the victim’s device, the shellcode calls the ShellExecuteExW() API.

Execution of the downloaded HTA file via ShellExecuteExW() (Source: FortiGuard Labs).

XWorm RAT Campaign

The downloaded HTA, executed by mshta.exe, contains heavily obfuscated JScript that ultimately decodes and runs a Base64‑encoded PowerShell command.

This PowerShell stage downloads a seemingly benign JPEG image that secretly embeds a fileless .NET module between marker strings and then extracts and loads that module directly into memory without writing it to disk.

The in‑memory .NET component, masquerading as a legitimate TaskScheduler‑related assembly, functions as the XWorm downloader and loader, decoding configuration data and contacting a hard‑coded URL to fetch the final RAT payload.

To evade detection, the loader never touches the filesystem with the decrypted XWorm binary.

Instead, it performs process hollowing against a newly spawned instance of Msbuild.exe, a trusted .NET‑based Windows component that provides a suitable runtime environment for the .NET payload.

The loader creates Msbuild.exe in a suspended state, allocates memory in the process, writes the RAT into that memory space, adjusts the thread context, and resumes execution so that XWorm runs under a legitimate signed process.
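The JPEG stage described above hides a .NET module between two marker strings inside an otherwise ordinary image. The following triage helper, added here as an example and not FortiGuard Labs' or the malware's code, shows how an analyst can carve such a payload out of a captured image for analysis: locate the marker pair, Base64-decode what sits between them, and sanity-check whether the result is a PE file. The marker strings `BEGIN_MARKER`/`END_MARKER`, the fake JFIF image and the fake PE are constructed placeholders (the article does not give the campaign's real markers), so substitute the markers recovered from the decoded PowerShell stage when working a real sample.

```python
"""Triage helper: carve a module hidden between marker strings inside an image
file, the technique the campaign's PowerShell stage is described as using.

Added example for analysts; not FortiGuard Labs' or the malware's code.
The marker strings, the fake image and the fake PE below are constructed
placeholders; the real campaign's markers are not given in the article.
"""
import base64
import binascii
import struct

# Assumed placeholder markers. For a real sample, recover the markers from
# the decoded PowerShell stage and substitute them here.
BEGIN_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"


def extract_between_markers(blob: bytes, begin: bytes = BEGIN_MARKER,
                            end: bytes = END_MARKER):
    """Return the bytes between the first begin/end marker pair, or None."""
    start = blob.find(begin)
    if start == -1:
        return None
    start += len(begin)
    stop = blob.find(end, start)
    if stop == -1:
        return None
    return blob[start:stop]


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_hidden_module(image: bytes) -> dict:
    """Locate, Base64-decode and sanity-check the payload hidden in `image`."""
    raw = extract_between_markers(image)
    if raw is None:
        return {"found": False}
    try:
        decoded = base64.b64decode(raw, validate=True)
    except binascii.Error:
        # Markers present but the blob is not clean Base64: still worth a look.
        return {"found": True, "decoded": False}
    return {"found": True, "decoded": True,
            "is_pe": looks_like_pe(decoded), "size": len(decoded)}


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE file: DOS header pointing at a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20    # 88 bytes in total


def _fake_jpeg(payload: bytes) -> bytes:
    """Constructed image: minimal JFIF header, end-of-image marker, then the
    marker-delimited Base64 blob appended after the image data."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + b"\xff\xd9"
    return jfif + BEGIN_MARKER + base64.b64encode(payload) + END_MARKER


SAMPLE_IMAGE = _fake_jpeg(_fake_pe())

if __name__ == "__main__":
    print(carve_hidden_module(SAMPLE_IMAGE))
```

Because the image renders normally, a "does it open" check is useless; the signal is marker strings or a large Base64 run trailing the JPEG end-of-image marker, which this script surfaces without ever executing the payload.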

Once running inside Msbuild.exe, XWorm establishes command‑and‑control (C2) communications with a remote server over AES‑encrypted channels.

Encrypted C2 traffic, commands, and plugins

Captured traffic shows that each packet includes a cleartext size prefix followed by encrypted data, and initial registration messages transmit host identifiers, system information, and security product details to help attackers profile victims.
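The framing just described, a cleartext size prefix followed by encrypted data, is something network analysts can exploit for detection: once a capture is split into frames, encrypted payloads stand out by their entropy. The script below is an added example (not FortiGuard Labs' or XWorm's code) that splits a byte stream on the length prefix, reports truncated frames instead of dropping them, and flags large high-entropy payloads. The article does not give the prefix encoding, so the 4-byte little-endian length in `PREFIX_FMT` is an assumption, and the sample frames are constructed.

```python
"""Split a captured C2 byte stream into length-prefixed packets and score each
payload's entropy, so AES-encrypted frames stand out from plaintext ones.

Added example, not FortiGuard Labs' or XWorm's code. The article says each
packet is a cleartext size prefix followed by encrypted data but does not
give the prefix encoding; this example assumes a 4-byte little-endian
length and uses constructed sample frames.
"""
import math
import struct
from collections import Counter

PREFIX_FMT = "<I"                        # assumed prefix layout (see note above)
PREFIX_LEN = struct.calcsize(PREFIX_FMT)


def split_frames(stream: bytes):
    """Return [(payload, complete), ...] for each length-prefixed frame.
    A frame whose declared size runs past the end of the capture is
    reported with complete=False instead of being silently dropped."""
    frames = []
    pos = 0
    while pos + PREFIX_LEN <= len(stream):
        (size,) = struct.unpack_from(PREFIX_FMT, stream, pos)
        pos += PREFIX_LEN
        payload = stream[pos:pos + size]
        frames.append((payload, len(payload) == size))
        pos += size
    return frames


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_stream(stream: bytes, threshold: float = 7.0, min_size: int = 64):
    """Describe each frame; flag complete frames that are both large enough
    to judge and high-entropy, which is what encrypted payloads look like."""
    report = []
    for payload, complete in split_frames(stream):
        ent = shannon_entropy(payload)
        report.append({
            "size": len(payload),
            "complete": complete,
            "entropy": round(ent, 2),
            "suspicious": complete and len(payload) >= min_size and ent >= threshold,
        })
    return report


def frame(payload: bytes) -> bytes:
    """Build one frame in the assumed wire format."""
    return struct.pack(PREFIX_FMT, len(payload)) + payload


# Constructed capture: a short plaintext frame, a frame whose payload stands
# in for ciphertext (every byte value once, so entropy is exactly 8 bits),
# and a truncated frame that claims 100 bytes but was cut off after 10.
SAMPLE_STREAM = (
    frame(b"PING")
    + frame(bytes(range(256)))
    + struct.pack(PREFIX_FMT, 100) + b"\x00" * 10
)

if __name__ == "__main__":
    for row in score_stream(SAMPLE_STREAM):
        print(row)
```

The `min_size` floor matters: a handful of bytes can score high by chance, so short frames are described but never flagged on entropy alone. Compressed content (images, archives) also scores high, so this check is a triage filter to pair with the process-chain and destination context, not a verdict on its own.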

The malware supports an extensive command set that covers process and file management, system shutdown and restart, browser and clipboard data theft, keylogging, DDoS, and remote shell execution, enabling operators to fully manage compromised endpoints.

Plugin data saved in the system registry of a compromised device (Source: FortiGuard Labs).

XWorm’s capabilities are further extended by a modular plugin framework, where individual .NET DLLs can be pushed from the C2, stored or loaded filelessly, and invoked to perform specialized tasks such as remote desktop, credential theft, or filesystem operations.

Plugins communicate using their own command names but share the same AES‑protected channel and delimiter scheme, making the ecosystem highly flexible and harder to dismantle once embedded in a network.

This campaign underlines how threat actors continue to weaponize older Office vulnerabilities like CVE‑2018‑0802 in combination with fileless techniques and trusted system tools such as mshta.exe, PowerShell, and Msbuild.exe.

Defenders should ensure all Office patches are applied, especially for legacy Equation Editor components, and enforce strict controls around macro, OLE, HTA, and PowerShell execution.

Monitoring for anomalous process chains (for example, Office spawning mshta.exe or PowerShell, followed by Msbuild.exe), combined with network detection for suspicious AES‑encrypted outbound traffic, can provide crucial early indicators of XWorm activity.
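The process-chain monitoring recommended above can be expressed as two lineage rules over process-creation telemetry. The following is an added example, not FortiGuard Labs' own detection logic: rule 1 fires when an Office process (or the Equation Editor binary it hosts) directly spawns mshta.exe or PowerShell, and rule 2 fires when msbuild.exe appears with both an Office process and a script host somewhere above it. The events are constructed and use this example's own simplified field names (`pid`, `ppid`, `image`), which you would map onto your telemetry's fields (for instance Sysmon Event ID 1) before use; the sample paths are illustrative, and the parent of eqnedt32.exe is simplified to EXCEL.EXE.

```python
"""Flag the process lineage the article calls out: an Office process (or the
Equation Editor it hosts) spawning mshta.exe or PowerShell, and msbuild.exe
appearing further down that same lineage.

Added example, not FortiGuard Labs' own detection logic. The events below are
constructed and use this example's own simplified field names (pid, ppid,
image); the sample paths are illustrative, and the parent of eqnedt32.exe is
simplified to EXCEL.EXE.
"""

# eqnedt32.exe is the Equation Editor binary the exploit runs inside.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
HOLLOW_TARGETS = {"msbuild.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path: 'C:\\...\\MSHTA.EXE' -> 'mshta.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lineage(event: dict, by_pid: dict, max_depth: int = 16) -> list:
    """Image names of the process's ancestors, nearest parent first."""
    chain = []
    cur = by_pid.get(event["ppid"])
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def find_suspicious_chains(events: list) -> list:
    """Return one alert dict per matching process, in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e["image"])
        parents = lineage(e, by_pid)
        chain = [name] + parents
        # Rule 1: an Office/Equation Editor process directly spawns a script host.
        if name in SCRIPT_HOSTS and parents and parents[0] in OFFICE_HOSTS:
            alerts.append({"rule": "office_spawns_script_host",
                           "pid": e["pid"], "chain": chain})
        # Rule 2: msbuild.exe with both Office and a script host somewhere above it.
        if (name in HOLLOW_TARGETS and OFFICE_HOSTS & set(parents)
                and SCRIPT_HOSTS & set(parents)):
            alerts.append({"rule": "msbuild_under_office_lineage",
                           "pid": e["pid"], "chain": chain})
    return alerts


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Program Files\Common Files\EQUATION\EQNEDT32.EXE"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # Benign: a developer build under the IDE, and an interactive PowerShell session.
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"pid": 900, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], " <- ".join(alert["chain"]))
```

Two practical points when porting this to real telemetry. First, the Equation Editor is launched out of process by the COM infrastructure, so its recorded parent is often not the Office application at all; that is why rule 1 treats eqnedt32.exe itself as an Office host rather than requiring EXCEL.EXE as the direct parent. Second, rule 2 deliberately demands a script host in the lineage as well as an Office process, because msbuild.exe under a developer's IDE (pid 800 above) is routine and should not page anyone.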
