April 30, 2025
Severity
High
Analysis Summary
A recent phishing campaign is exploiting CVE-2017-11882, a memory corruption vulnerability in Microsoft Office's Equation Editor (EQNEDT32.EXE) that Microsoft patched in November 2017, to deliver the XLoader information stealer.
According to the researcher, the phishing emails are disguised as order or purchase confirmations and urge the recipient to open an attached DOCX file. The DOCX carries a reference to an RTF document, and that RTF contains the OLE object that triggers the Equation Editor vulnerability and starts the infection chain. Although the flaw has been patched for nearly eight years, it remains a reliable target because many organizations still run unpatched Office installations or have left the vulnerable component in place.

When the DOCX is opened, it follows an external reference to load the malicious RTF. The RTF triggers the Equation Editor exploit, which drops a file named "Client.vbe" into a temporary folder and executes it. The campaign uses HorusProtector, a commercial crypter used to obfuscate and deliver malware. Unlike earlier variants that fetched the payload from a remote server, the current version embeds the full payload in the VBE script itself; the script grows from about 10 KB to 1.34 MB, but the infection no longer depends on a download stage or on reaching an external server at that point.
The chain then runs PowerShell, a living-off-the-land technique, to decode the payload and inject the FormBook-derived XLoader malware directly into memory inside a legitimate process. Because the final payload runs in memory rather than as a file on disk, file-based antivirus is far less likely to catch it. Visual Basic script (the VBE stage) and PowerShell together carry the whole delivery, showing how far the attackers rely on built-in scripting hosts for evasion.
XLoader, the final payload, is a Malware-as-a-Service information stealer with Windows and macOS variants. It collects keystrokes, screenshots, clipboard contents (including cryptocurrency transactions), credentials from browsers and email clients, and cryptocurrency wallet data. It can also download additional payloads, extending its capability. The campaign highlights the persistent risk posed by outdated software and the need to patch or remove legacy components such as Equation Editor, filter email attachments robustly, and train users not to open unexpected attachments.
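The delivery chain above can be triaged before anything is opened: a DOCX is a zip whose relationship parts declare external targets and alternate-format (RTF) chunks, and an RTF that carries an Equation Editor object exposes the object's ProgID or CLSID inside its hex-encoded \objdata even when the \objclass control word has been stripped. The following Python script is an added example, not code from the original advisory or from the researchers it cites. The sample DOCX and RTF inputs, the hostname lure.invalid and the relationship IDs are constructed for illustration, and the RTF blobs are abbreviated stand-ins with only the header fields needed to exercise the checks, not working exploit documents.

```python
"""Triage helper for the DOCX -> RTF -> Equation Editor lure chain (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Internal relationships worth a second look: injected templates, OLE objects and
# alternate-format chunks (the usual way an RTF rides inside a DOCX).
SUSPICIOUS_REL_TYPES = {OOXML_REL + "attachedTemplate", OOXML_REL + "aFChunk", OOXML_REL + "oleObject"}

EQUATION_CLSID = "0002CE02-0000-0000-C000-000000000046"  # Microsoft Equation 3.0 COM class
# Same GUID, little-endian, as it appears in the hex-encoded compound file inside \objdata
EQUATION_CLSID_LE_HEX = b"02ce020000000000c000000000000046"
EQUATION_PROGID_HEX = b"Equation.3".hex().encode()  # "Equation.3" hex-encoded in the OLE1 header


def scan_rtf(data: bytes) -> list[str]:
    """Findings for an RTF blob: Equation Editor objects and the auto-load control word."""
    findings: list[str] = []
    if not data.lstrip().lower().startswith(b"{\\rt"):  # Word also accepts the truncated "{\rt"
        return findings
    if re.search(rb"\\objclass\s*Equation\.3", data, re.I):
        findings.append("RTF: \\objclass Equation.3 (Equation Editor OLE object)")
    # Drop all whitespace first: exploit builders split the hex object data across lines
    compact = re.sub(rb"\s+", b"", data).lower()
    if EQUATION_PROGID_HEX in compact:
        findings.append("RTF: hex-encoded 'Equation.3' ProgID inside \\objdata")
    if EQUATION_CLSID_LE_HEX in compact:
        findings.append(f"RTF: Equation Editor CLSID {EQUATION_CLSID} inside \\objdata")
    if re.search(rb"\\objupdate\b", data):
        findings.append("RTF: \\objupdate forces the object to load on open")
    return findings


def scan_docx(data: bytes) -> list[str]:
    """Findings for a DOCX: external/suspicious relationships plus any RTF part it carries."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append(f"{name}: unparseable relationships part")
                    continue
                for rel in root.iter(REL_NS + "Relationship"):
                    rtype = rel.get("Type", "")
                    short = rtype.rsplit("/", 1)[-1]
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External":
                        if short != "hyperlink":  # ordinary links are external by design
                            findings.append(f"{name}: external relationship {short} -> {target}")
                    elif rtype in SUSPICIOUS_REL_TYPES:
                        findings.append(f"{name}: {short} relationship -> {target}")
            elif blob.lstrip().lower().startswith(b"{\\rt"):
                findings.extend(f"{name}: {hit}" for hit in scan_rtf(blob))
    return findings


def triage(data: bytes) -> list[str]:
    """Dispatch on content, not extension: OOXML is a zip, RTF starts with '{\\rt'."""
    return scan_docx(data) if data.startswith(b"PK\x03\x04") else scan_rtf(data)


def build_docx(parts: dict[str, bytes]) -> bytes:
    """Pack parts into a minimal OOXML container (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in parts.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def rel_xml(rid: str, kind: str, target: str, external: bool = False) -> bytes:
    mode = " TargetMode='External'" if external else ""
    return f"<Relationship Id='{rid}' Type='{OOXML_REL}{kind}' Target='{target}'{mode}/>".encode()


RELS_OPEN = b"<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>"
CONTENT_TYPES = b"<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>"
# Constructed lure RTF: an Equation.3 object with an abbreviated OLE1 header (version, format,
# ProgID length, ProgID) in \objdata, plus \objupdate. Not a working exploit.
LURE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata 01050000 02000000 0b000000 " + EQUATION_PROGID_HEX + b"00 }}}")
# Constructed evasive variant: truncated header, no \objclass, CLSID hex split by whitespace.
OBFUSCATED_RTF = (b"{\\rt\\ansi{\\object\\objemb{\\*\\objdata 0105 0000 0200 0000 "
                  b"02ce 0200 0000 0000 c000 0000 0000 0046 }}}")
LURE_DOCX = build_docx({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": b"<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main' "
                         b"xmlns:r='http://schemas.openxmlformats.org/officeDocument/2006/relationships'>"
                         b"<w:body><w:altChunk r:id='rId2'/></w:body></w:document>",
    "word/_rels/document.xml.rels": RELS_OPEN + rel_xml("rId1", "styles", "styles.xml")
                                    + rel_xml("rId2", "aFChunk", "afchunk.rtf") + b"</Relationships>",
    # Template injection: Word fetches the remote template (here the RTF) when the document opens
    "word/_rels/settings.xml.rels": RELS_OPEN + rel_xml("rId1", "attachedTemplate",
                                    "http://lure.invalid/order.rtf", external=True) + b"</Relationships>",
    "word/afchunk.rtf": LURE_RTF,
})
BENIGN_DOCX = build_docx({
    "[Content_Types].xml": CONTENT_TYPES,
    "word/document.xml": b"<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>",
    "word/_rels/document.xml.rels": RELS_OPEN + rel_xml("rId1", "styles", "styles.xml")
                                    + rel_xml("rId2", "hyperlink", "https://example.com/", external=True)
                                    + b"</Relationships>",
})

if __name__ == "__main__":
    for label, sample in [("lure.docx", LURE_DOCX), ("lure.rtf", OBFUSCATED_RTF), ("benign.docx", BENIGN_DOCX)]:
        print(label, triage(sample) or "no findings")
```

Two design points: the hyperlink exclusion keeps ordinary documents quiet, so any other external relationship in an emailed attachment (attachedTemplate, oleObject, aFChunk) is a strong signal on its own and the attachment should be detonated in a sandbox rather than delivered; and the ProgID and CLSID checks run over whitespace-stripped, lowercased hex, because the most common evasion against \objclass-based rules is to delete that control word and break the object data into many short lines. Documents created with the genuine Equation Editor in pre-2018 Office will also trigger the RTF findings, so treat them as a reason to inspect, not a verdict.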
Impact
- Sensitive Information Theft
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2017-11882
Remediation
- Install the latest security updates and verify that the Equation Editor component (EQNEDT32.EXE) is actually gone: Microsoft removed it in the January 2018 Office updates, so a fully patched installation should no longer contain it.
- If Equation Editor is still present and not needed, disable it with Microsoft's documented workaround for CVE-2017-11882: set the DWORD value Compatibility Flags to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and under the Wow6432Node path for 32-bit Office on 64-bit Windows), which prevents the Equation Editor COM class from loading.
- Deploy email filtering that inspects attachments rather than just extensions; block or sandbox DOCX files that reference external templates and RTF files that carry OLE objects.
- Use endpoint detection and response tools that monitor process behaviour and memory, not only file signatures, since the final payload is injected into memory rather than written to disk as an executable.
- Educate users not to open unexpected or suspicious email attachments, in particular "order" or "purchase confirmation" documents they did not request.
- Restrict or monitor scripting hosts: disable Windows Script Host (wscript.exe/cscript.exe, which run .vbe files) where it is not needed, and enable PowerShell script block logging and constrained language mode or application control.
- Alert on the chain's telltale process lineage: EQNEDT32.EXE or an Office application spawning wscript.exe, cmd.exe or powershell.exe, and PowerShell performing injection into other processes.
- Disable macros and block external content (including remote templates) in Office files unless absolutely necessary.