XWorm Currently Leads the RAT Race

Over the past month, the NJCCIC observed multiple XWorm campaigns targeting New Jersey State employees. XWorm is a remote access trojan (RAT) capable of evading detection, providing remote access, stealing credentials, exfiltrating data, and deploying ransomware. With the release of version 7.1, XWorm currently leads the “RAT race” in the underground malware market, so it is likely to remain prominent in the current cyber threat landscape.

Image Source: Trellix

In these campaigns, threat actors impersonate Microsoft, SecureFilePro (a secure client file exchange for tax preparers and their clients), and a purported “Bookings Manager.” The messages use subject lines built around keywords such as Microsoft 365 Business Basic invoice, file upload notification, booking notice, and accounting bookings. Each message contains a link or a ZIP attachment that leads to a JavaScript file; if the recipient executes it, the script runs a PowerShell script that installs XWorm.
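The delivery chain above (JavaScript file opened by a Windows script host, which then spawns PowerShell) leaves a recognizable parent/child pattern in process-creation telemetry. The following is an added example, not NJCCIC or vendor code, that runs that check over a handful of constructed log lines. The line format is a simplified, made-up rendering of the parent image, image and command line fields found in Sysmon Event ID 1 or Windows 4688 events; the user-writable path list and the PowerShell switch patterns are assumptions chosen for illustration, and the base64 argument is a placeholder, not a real payload.

```python
"""Flag the JavaScript -> PowerShell delivery chain in process-creation logs.

Added example (not NJCCIC code). Log lines below are constructed; field names
loosely follow Sysmon Event ID 1 but the " | " separated format is made up.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".js", ".jse")

# Assumed set of locations where an attachment or extracted ZIP usually lands.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)

# PowerShell switches that hide the window, bypass policy or obscure the payload,
# including the abbreviated forms PowerShell accepts (-e, -enc, -w, -ep, -nop).
PS_FLAGS = {
    "encodedcommand": re.compile(r"(?i)(?<!\S)-(e|ec|en|enc|encodedcommand)(?!\S)"),
    "hidden_window": re.compile(r"(?i)(?<!\S)-w(indowstyle)?\s+hidden(?!\S)"),
    "ep_bypass": re.compile(r"(?i)(?<!\S)-(ep|executionpolicy)\s+bypass(?!\S)"),
    "noprofile": re.compile(r"(?i)(?<!\S)-nop(rofile)?(?!\S)"),
}


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmd_tokens(command_line: str) -> list[str]:
    """Windows-style split: quoted spans stay together, surrounding quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the rule names an event triggers (empty list if none)."""
    hits: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    if image in SCRIPT_HOSTS:
        js_args = [t for t in cmd_tokens(ev.command_line) if t.lower().endswith(SCRIPT_EXTS)]
        if js_args:
            hits.append("script_host_js")  # wscript/cscript running a .js/.jse file
            if any(USER_WRITABLE.search(a) for a in js_args):
                hits.append("user_writable_path")  # script came from Downloads/Temp/etc.
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_child_of_script_host")  # the chain described above
        flags = [name for name, pat in PS_FLAGS.items() if pat.search(ev.command_line)]
        if flags:
            hits.append("powershell_flags:" + ",".join(flags))  # weak signal on its own
    return hits


def parse_log(text: str) -> list[ProcEvent]:
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split(" | "))
        events.append(ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"]))
    return events


def scan(text: str) -> list[tuple[int, list[str]]]:
    """(event index, triggered rules) for every event that triggers at least one rule."""
    return [(i, hits) for i, ev in enumerate(parse_log(text)) if (hits := evaluate(ev))]


# Constructed sample: lines 1-2 mimic the campaign chain, 3-4 are benign activity.
SAMPLE_LOG = r"""
ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\wscript.exe | CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\jdoe\Downloads\Invoice_M365\Microsoft 365 Business Basic Invoice.js"
ParentImage=C:\Windows\System32\wscript.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe -nop -w hidden -ep bypass -enc QUJDRA==
ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | CommandLine=powershell.exe -NoProfile -File C:\Scripts\inventory.ps1
ParentImage=C:\Windows\explorer.exe | Image=C:\Program Files\Mozilla Firefox\firefox.exe | CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe"
"""

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG):
        print(f"event {idx}: {', '.join(rules)}")
```

Only `powershell_child_of_script_host` and `script_host_js` together with `user_writable_path` are strong indicators of this chain; the `powershell_flags` rule fires on legitimate administration (the third sample line) and should only raise severity when it coincides with one of the other two.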

Recommendations

  • Exercise caution with unexpected or unsolicited communications.
  • Confirm requests from senders using contact information obtained from verified and official sources before taking any action, such as clicking links or opening attachments.
  • Navigate directly to official and verified websites by typing the legitimate URL into the browser rather than clicking on links in messages.
  • Keep systems and browsers up to date.
  • Report phishing emails and other malicious cyber activity to the NJCCIC and the FBI’s IC3.