Cyber Security News

Beware Of Malicious SharePoint Notifications That Delivers Xloader Malware

Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a sophisticated malware delivery campaign. 

A link that was disguised as a legitimate SharePoint notification was included in the emails that were sent out at the beginning of the attack. 

message that looks like a legitimate SharePoint share with an Open files linkmessage that looks like a legitimate SharePoint share with an Open files link
message that looks like a legitimate SharePoint share with an Open files link

The engine flagged the message as malicious based on several factors: computer vision detected a spoofed Microsoft logo and fake SharePoint template, the LinkAnalysis service traced suspicious redirects and downloaded the linked files for analysis, and the email sender failed SPF authentication. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

After clicking on the link, a series of cumbersome steps were presented to the user, and the file that was downloaded was a ZIP archive that contained an AutoIT script. 

bfuscated text stored in a single parameter.bfuscated text stored in a single parameter.
bfuscated text stored in a single parameter.

The script, when executed, downloaded another archive containing shellcode, which was then injected into a legitimate Windows process (likely via reflective DLL injection) using a technique involving double references to system libraries like ntdll.dll. 

The newly injected process likely functioned as the final payload, potentially establishing communication with the attacker’s Command and Control (C2) server for further malicious activity like information theft. 

Svchost.exe properties

The analysis by Sublime Security highlights the evolving tactics of malware campaigns, employing social engineering with impersonation, multi-stage delivery with obfuscation and scripting, and process injection for payload execution. 

An initial AutoIT and shellcode components of this sample exhibit strong indicators of Trickgate activity, which aligns with documented

Trickgate tactics, including Xloader deployment and the use of techniques highly similar to those observed in the AutoIT component.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Secure Ideas Achieves CREST Accreditation and CMMC Level 1 Compliance

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its…

8 hours ago

New Phishing Campaign Targets Investors to Steal Login Credentials

Symantec has recently identified a sophisticated phishing campaign targeting users of Monex Securities (マネックス証券), a…

9 hours ago

UAC-0219 Hackers Leverage WRECKSTEEL PowerShell Stealer to Extract Data from Computers

In a concerning development, CERT-UA, Ukraine's Computer Emergency Response Team, has reported a series of…

9 hours ago

Hunters International Linked to Hive Ransomware in Attacks on Windows, Linux, and ESXi Systems

Hunters International, a ransomware group suspected to be a rebrand of the infamous Hive ransomware,…

9 hours ago

Qilin Operators Imitate ScreenConnect Login Page to Deploy Ransomware and Gain Admin Access

In a recent cyberattack attributed to the Qilin ransomware group, threat actors successfully compromised a…

9 hours ago

Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental,…

9 hours ago