Thursday, January 23, 2025
HomeCyber Security NewsBeware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Published on

SIEM as a Service

Follow Us on Google News

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a sophisticated malware delivery campaign. 

A link that was disguised as a legitimate SharePoint notification was included in the emails that were sent out at the beginning of the attack. 

message that looks like a legitimate SharePoint share with an Open files link
message that looks like a legitimate SharePoint share with an Open files link

The engine flagged the message as malicious based on several factors: computer vision detected a spoofed Microsoft logo and fake SharePoint template, the LinkAnalysis service traced suspicious redirects and downloaded the linked files for analysis, and the email sender failed SPF authentication. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

After clicking on the link, a series of cumbersome steps were presented to the user, and the file that was downloaded was a ZIP archive that contained an AutoIT script. 

bfuscated text stored in a single parameter.
bfuscated text stored in a single parameter.

The script, when executed, downloaded another archive containing shellcode, which was then injected into a legitimate Windows process (likely via reflective DLL injection) using a technique involving double references to system libraries like ntdll.dll. 

The newly injected process likely functioned as the final payload, potentially establishing communication with the attacker’s Command and Control (C2) server for further malicious activity like information theft. 

Svchost.exe properties
Svchost.exe properties

The analysis by Sublime Security highlights the evolving tactics of malware campaigns, employing social engineering with impersonation, multi-stage delivery with obfuscation and scripting, and process injection for payload execution. 

An initial AutoIT and shellcode components of this sample exhibit strong indicators of Trickgate activity, which aligns with documented

Trickgate tactics, including Xloader deployment and the use of techniques highly similar to those observed in the AutoIT component.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...