Xloader Deep Dive: Link-Based Malware Delivery via SharePoint Impersonation
Sublime Security recently reported intercepting a phishing campaign that delivers the Xloader malware to end users. The attack begins with an email crafted to resemble a legitimate SharePoint file-sharing notification. The email carries a link labeled "Open files" which, when clicked, sends the victim to a malicious .zip archive hosted outside of SharePoint rather than to a SharePoint document library. The archive contains a malicious executable that, once run, kicks off the Xloader installation chain. Xloader itself is the rebranded successor of Formbook, an information stealer focused on harvesting stored credentials, logging keystrokes, and capturing screenshots.
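The lure described above combines two observable properties: the message claims to be a SharePoint share, but its call-to-action link leaves Microsoft-controlled hosts and points straight at an archive. The following Python snippet is an added example, not Sublime Security's detection rule or code, that checks a message for exactly those two properties. The "legitimate" host suffixes, the risky file extensions, the lure phrases and both sample emails are constructed assumptions for illustration and would be tuned to a real tenant.

```python
"""Heuristic check for SharePoint-impersonation lures in an HTML email.

Added example, not Sublime Security's detector. All constants and sample
messages below are constructed assumptions for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts a genuine Microsoft file-share notification would link to (assumption).
LEGIT_SUFFIXES = ("sharepoint.com", "sharepoint.us", "onedrive.live.com",
                  "1drv.ms", "microsoft.com", "office.com")
# A real share notification never links directly at an archive or executable.
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".exe", ".js", ".vbs", ".lnk")
# Phrases that signal the message is posing as a SharePoint/OneDrive share.
BRAND_TERMS = ("sharepoint", "onedrive", "shared a file", "shared a folder")
# Call-to-action anchor texts commonly reused by these lures.
CTA_ANCHORS = ("open files", "open", "view files", "view documents")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def host_is_legit(host):
    """True if host is one of, or a subdomain of, the expected Microsoft hosts.

    Suffix matching is anchored on a dot so that 'sharepoint.com.evil.example'
    does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def analyze_email(subject, html_body):
    """Return a list of signal strings; an empty list means nothing suspicious."""
    text = (subject + " " + html_body).lower()
    brand_claimed = any(term in text for term in BRAND_TERMS)
    parser = _LinkExtractor()
    parser.feed(html_body)
    signals = []
    for href, anchor in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        if not host:               # mailto:, relative or malformed links
            continue
        if brand_claimed and not host_is_legit(host):
            signals.append(f"sharepoint_lure_external_link:{host}")
        if url.path.lower().endswith(RISKY_EXT):
            signals.append(
                f"direct_archive_or_executable_link:{url.path.rsplit('/', 1)[-1]}")
        if anchor.lower() in CTA_ANCHORS and not host_is_legit(host):
            signals.append(f"cta_anchor_off_brand:{anchor!r}->{host}")
    return signals


# Constructed sample resembling the lure in the write-up (placeholder domain).
SAMPLE_SUBJECT = "Contoso shared a folder with you"
SAMPLE_BODY = """<html><body>
<p>Your colleague shared "Q3_Invoices" with you on SharePoint.</p>
<p><a href="https://files-share.example.net/dl/Q3_Invoices.zip">Open files</a></p>
<p><a href="https://www.microsoft.com/privacy">Privacy Statement</a></p>
</body></html>"""

# Constructed benign notification: same wording, link stays on the tenant.
BENIGN_SUBJECT = "Alice shared a folder with you"
BENIGN_BODY = """<html><body><p>Alice shared "Budget" with you on SharePoint.</p>
<a href="https://contoso.sharepoint.com/:f:/g/personal/alice/abc">Open files</a>
</body></html>"""

if __name__ == "__main__":
    for subj, body in ((SAMPLE_SUBJECT, SAMPLE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        print(subj, "->", analyze_email(subj, body) or "clean")
```

The check deliberately scores the link, not the sender or the wording alone: a lure that copies Microsoft's template word for word still has to send the user somewhere, and in this campaign that destination is an off-brand host serving a .zip. Pair it with your gateway's existing sender-authentication and link-rewriting controls rather than using it in isolation.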
Security Officer Comments:
The latest campaign underscores a growing trend of cybercriminals abusing the look and feel of legitimate services to make their attacks more effective. By impersonating a platform as widely used as SharePoint, attackers can slip past filters tuned for cruder lures and persuade unsuspecting users to click. The choice of Xloader indicates that the goal is credential theft, which could hand the attackers control of the associated accounts and let them move laterally toward more critical or sensitive systems. According to Sublime Security, the Xloader delivery chain is multi-stage and includes obfuscated code, AutoIt scripts, shellcode injection, and process hijacking, all of which are aimed at evading detection and frustrating analysis.
Suggested Corrections:
Organizations should implement a multi-layered defense: advanced email filtering to block phishing messages before delivery, multi-factor authentication to limit the impact of any credentials Xloader does steal, and endpoint controls that block or flag executables launched from user-downloaded archives. Educating employees to recognize phishing attempts, particularly those that imitate legitimate services like SharePoint, is also crucial in mitigating such attacks.
Sublime states that its AI-powered detection engine prevented this attack. The top signals in these attacks are:
Link(s):
https://sublime.security/blog/xload...alware-delivery-via-sharepoint-impersonation/