Cybersecurity researchers have uncovered a sophisticated malware campaign that exploits SVG (Scalable Vector Graphics) files and email attachments to distribute dangerous Remote Access Trojans, specifically XWorm and Remcos RAT.
This emerging threat represents a significant evolution in attack methodologies, as threat actors increasingly turn to non-traditional file formats to bypass conventional security defenses.
The campaign employs multiple delivery vectors, including direct email attachments containing malicious EML files and URLs hosted on trusted platforms like ImageKit.
The ZIP archives delivered through these vectors contain highly obfuscated BAT scripts that serve as the initial infection stage, using layered obfuscation to evade static detection.
The malware’s fileless execution approach enables it to operate entirely in memory, making detection considerably more challenging for traditional endpoint protection solutions.
Seqrite researchers identified two distinct campaign variants during their analysis, revealing an evolving threat landscape where attackers continuously refine their techniques.
The first campaign delivers BAT scripts directly through email attachments, while the second introduces SVG files embedded with JavaScript as a novel delivery mechanism.
These SVG files appear to be legitimate images but contain embedded JavaScript that automatically triggers the malicious payload download when the file is rendered in an environment that executes SVG script, or when it is embedded within a phishing page.
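A defender's first check for the SVG vector is whether an image file carries anything that can execute. The scanner below is an added example, not Seqrite's code or part of the original article; it flags the three ways an SVG can run script when rendered (script elements, on* event-handler attributes, and javascript: URLs), and the two sample SVGs are constructed for the example rather than taken from the campaign.

```python
"""Flag SVG files that carry scriptable content.

Added example, not Seqrite's code or part of the article. It looks for the
three ways an SVG can run JavaScript when rendered: <script> elements,
on* event-handler attributes (onload, onclick, ...), and javascript: URLs.
The sample SVGs below are constructed, not samples from the campaign.
"""
import re
import xml.etree.ElementTree as ET

JS_URL_RE = re.compile(r"^\s*javascript:", re.IGNORECASE)


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}svg' -> 'svg' (namespace stripped)."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings describing scriptable content; empty means none found.

    A parse failure is returned as a finding so a malformed file is never
    silently treated as clean. ElementTree does not fetch external entities,
    but for bulk triage of untrusted files defusedxml is the safer parser.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = local_name(elem.tag) if isinstance(elem.tag, str) else "?"
        if tag == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)          # handles xlink:href as well
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if JS_URL_RE.match(value):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


# Constructed samples for the example; no real payload is present.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()">'
    b'<script>/* constructed placeholder, no real payload */</script>'
    b'<a href="javascript:go()"><text>open image</text></a>'
    b'</svg>'
)

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, svg_active_content(data) or "clean")
```

Any non-empty result is grounds to quarantine the file at the mail gateway; a real image never needs a script element or an event handler.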
The attack chain is executed in several stages. Once the initial ZIP file is extracted, the victim encounters a heavily obfuscated BAT script designed to appear benign while carrying out the malicious operations.
This script leverages PowerShell to perform in-memory payload injection, effectively bypassing traditional file-based detection systems.
Advanced Evasion and Persistence Mechanisms
The malware employs sophisticated evasion techniques that target core Windows security mechanisms. The PowerShell component programmatically disables both AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) through dynamic .NET reflection and delegate creation.
The attack resolves native functions including GetProcAddress, GetModuleHandle, VirtualProtect, and AmsiInitialize to locate and patch the AmsiScanBuffer function in memory.
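Because the AMSI and ETW patching happens in memory, the most reliable place to see it is PowerShell script block logging (Event ID 4104), where the resolved API names still appear in clear text. The triage script below is an added example, not Seqrite's code or part of the article: the API names are the ones the article lists, while the weights, the alert threshold and the three sample log excerpts are assumptions constructed for the example.

```python
"""Score PowerShell script block log text for reflection-based AMSI/ETW tampering.

Added example, not Seqrite's code. The API names come from the article; the
weights, threshold and sample log excerpts are our own assumptions.
"""
import re

# (name, pattern, weight). Several of these are legitimate on their own
# (VirtualProtect and GetProcAddress appear in ordinary P/Invoke code), so a
# single hit is not an alert; the combination the article describes is.
INDICATORS = [
    ("amsi_api", r"AmsiScanBuffer|AmsiInitialize|amsi\.dll", 3),
    ("etw_api", r"EtwEventWrite", 2),
    ("memory_protection", r"VirtualProtect", 2),
    ("export_resolution", r"GetProcAddress|GetModuleHandle", 1),
    ("delegate_reflection", r"GetDelegateForFunctionPointer|DefinePInvokeMethod", 2),
]
ALERT_THRESHOLD = 5   # assumption; tune against your own baseline


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Return (score, names of indicators that matched) for one script block."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            hits.append(name)
    return score, hits


def is_suspicious(text: str) -> bool:
    return score_script_block(text)[0] >= ALERT_THRESHOLD


def triage(blocks: dict[str, str]) -> list[str]:
    """Return the names of script blocks that meet the alert threshold."""
    return [name for name, text in blocks.items() if is_suspicious(text)]


# Constructed ScriptBlockText excerpts, not real captures.
BENIGN_BLOCK = 'Get-ChildItem -Path C:\\Logs | Where-Object { $_.Length -gt 1MB }'

# Ordinary P/Invoke: one loader API, no AMSI/ETW reference -> below threshold.
LEGIT_PINVOKE_BLOCK = (
    "Add-Type -MemberDefinition '[DllImport(\"kernel32.dll\")] "
    "public static extern IntPtr GetModuleHandle(string name);' -Name K32 -Namespace Win32\n"
    "[Win32.K32]::GetModuleHandle(\"user32.dll\")"
)

# Outline of the patching script the article describes, with the functional
# parts elided; only the API names the detector keys on are present.
TAMPERING_BLOCK = (
    "<elided delegate setup>\n"
    "$lib = GetModuleHandle(\"amsi.dll\")\n"
    "$fn  = GetProcAddress($lib, \"AmsiScanBuffer\")\n"
    "VirtualProtect($fn, <elided>)\n"
    "<elided patch write>\n"
    "$etw = GetProcAddress(GetModuleHandle(\"ntdll.dll\"), \"EtwEventWrite\")\n"
    "<elided patch write>\n"
)

if __name__ == "__main__":
    samples = {"benign": BENIGN_BLOCK, "pinvoke": LEGIT_PINVOKE_BLOCK, "tampering": TAMPERING_BLOCK}
    for label, text in samples.items():
        print(label, score_script_block(text))
    print("alerts:", triage(samples))
```

The threshold is what keeps a single `VirtualProtect` in an administrator's P/Invoke wrapper from paging anyone; the loader described here trips four indicators at once. Note that script block logging must be enabled and forwarded before this is useful, and that disabling ETW is precisely what the malware attempts, so the earliest 4104 events, before the patch lands, are the ones to keep.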
The persistence mechanism involves creating BAT files within the Windows Startup folder, ensuring automatic execution upon system restart or user login.
The PowerShell script searches for Base64-encoded payloads hidden within batch file comments, specifically targeting lines prefixed with triple-colon markers.
These payloads undergo multiple layers of decryption, including AES decryption using hardcoded keys and GZIP decompression before final execution.
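The ':::' comment trick gives defenders a concrete hunt: a batch file in a Startup folder whose comment lines decode to large, high-entropy blobs. The scanner below is an added example, not Seqrite's code or part of the article. It generalises the article's observation slightly by using Base64 validity plus Shannon entropy rather than a fixed marker alone, so that ordinary comments and padding-only lines are not flagged; the length and entropy thresholds and the sample batch file are assumptions constructed for the example.

```python
"""Flag batch files whose ::: comment lines hide Base64 payloads.

Added example, not Seqrite's code. The loader described in the article reads
Base64 blobs from lines prefixed ':::' in startup BAT files; this scanner
looks for exactly that. MIN_BLOB_LEN and MIN_ENTROPY are our assumptions.
"""
import base64
import binascii
import math
import os
from pathlib import Path
import re

MIN_BLOB_LEN = 256        # shorter ::: lines are almost always real comments
MIN_ENTROPY = 7.0         # bits per byte; encrypted or gzip data sits near 8
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hidden_payloads(bat_text: str) -> list[dict]:
    """One record per ::: line that decodes to a long, high-entropy blob."""
    findings = []
    for lineno, line in enumerate(bat_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(":::"):
            continue
        blob = stripped[3:].strip()
        if len(blob) < MIN_BLOB_LEN or not BASE64_RE.match(blob):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        ent = shannon_entropy(raw)
        if ent >= MIN_ENTROPY:        # AES ciphertext or gzip both pass this
            findings.append({"line": lineno, "encoded_len": len(blob),
                             "decoded_len": len(raw), "entropy": round(ent, 2)})
    return findings


def scan_startup_folders() -> dict[str, list[dict]]:
    """Scan the per-user and all-users Startup folders for .bat/.cmd files.

    Windows only; on other systems the environment variables are absent and
    the function returns an empty dict.
    """
    candidates = []
    if os.environ.get("APPDATA"):
        candidates.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if os.environ.get("ProgramData"):
        candidates.append(Path(os.environ["ProgramData"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    results = {}
    for folder in candidates:
        if not folder.is_dir():
            continue
        for f in folder.iterdir():
            if f.suffix.lower() in (".bat", ".cmd"):
                hits = hidden_payloads(f.read_text(errors="replace"))
                if hits:
                    results[str(f)] = hits
    return results


# Constructed stand-in for ciphertext: every byte value appears exactly four
# times, so entropy is exactly 8.0. Real AES output lands around 7.9.
FAKE_CIPHERTEXT = bytes((i * 131 + 17) % 256 for i in range(1024))
PAYLOAD_B64 = base64.b64encode(FAKE_CIPHERTEXT).decode()

SAMPLE_BAT = (
    "@echo off\n"
    "::: housekeeping script, nothing to see\n"     # short comment: skipped
    "::: " + "A" * 300 + "\n"                       # valid Base64, entropy 0: skipped
    "echo backing up\n"
    "::: " + PAYLOAD_B64 + "\n"                     # long, high entropy: flagged
    "exit /b 0\n"
)

if __name__ == "__main__":
    print(hidden_payloads(SAMPLE_BAT))
    print(scan_startup_folders())
```

Run on an endpoint, `scan_startup_folders()` returns only files with at least one hit, which is the set worth pulling for the AES-and-GZIP unpacking the article describes; the decoded blob itself is left alone here because decrypting it needs the hardcoded key from the specific sample.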
The loader component functions as a critical intermediary, extracting and executing embedded .NET assemblies directly in memory using Assembly.Load operations.
This approach eliminates the need for disk-based file creation, significantly reducing detection probability while maintaining full operational capability for deploying XWorm and Remcos RAT payloads.