
XWorm Weaponizes Invoices to Harvest Login Credentials

Attackers are using fake invoice emails to distribute XWorm, a remote access trojan that quietly steals credentials, passwords, and sensitive files from infected computers.

When a user opens the attached Visual Basic Script (VBS) file, the malware begins working silently in the background without any visible warnings. This lack of alerts makes it extremely dangerous, as victims often remain unaware their system has been compromised until it is too late. Once active, XWorm grants attackers complete control over the infected machine, allowing them to record keystrokes, spy on users, steal personal data, and even install additional threats like ransomware.

Infection Mechanism

The attack starts with a simple email that appears to be a routine payment notification from an account officer asking recipients to review processed invoices. The message itself looks harmless, but the attachment contains a VBS file that immediately executes malicious code when opened. The attackers cleverly rely on VBS, an outdated technology most people no longer expect to see in business communication, which helps the file slip past certain email security systems.

Malwarebytes security analysts identified the malicious attachment as Backdoor.XWorm. XWorm is sold as malware-as-a-service, making it easy for less technical cybercriminals to rent or purchase the infrastructure needed to maintain backdoor connections and collect stolen data, thereby escalating the overall threat landscape.

Stealth and Execution Flow

If the VBS attachment bypasses security filters, it immediately drops a batch file named IrisBud.bat into the Windows temporary folder and uses Windows Management Instrumentation (WMI) to execute it invisibly.

The infection chain starts simply but quickly becomes complex through multiple stages of obfuscation. The VBS file contains hundreds of lines of disguised code that writes the batch file. This batch file copies itself to the user profile directory as aoc.bat, ensuring persistence on the system. It also hides its execution by restarting itself in a minimized, completely invisible window.

The batch file itself includes two hidden payload sections disguised as comments. These sections hold encrypted malware data. A PowerShell script then performs the final stage: it reads the hidden payloads from aoc.bat, decrypts them with AES using a hardcoded key, and decompresses the data with GZip. This process produces two executable files that load directly into memory without ever being written to disk, a technique called fileless execution that is designed to evade traditional antivirus software.
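The two stages described in this section (a batch file launched from the temp folder via WMI, then a batch file that carries encoded payloads inside comment lines and is read by PowerShell) lend themselves to two defender-side checks. The script below is an added example, not code from the article or from Malwarebytes' analysis: a static triage function that flags batch files hiding long base64-looking blobs in REM or :: comments, and a process-chain detector run over constructed Sysmon-style process-creation events. The field names, the sample batch lines, the sample events, the use of wmic.exe, and the size thresholds are all assumptions made for the example.

```python
"""
Added example: defender-side checks for the XWorm delivery chain
described in the article. Not the article's or Malwarebytes' code.
All sample data below is constructed for illustration.
"""
import base64
import re
from pathlib import PureWindowsPath

# Batch comment lines begin with REM or :: (assumed to be the hiding spot)
COMMENT_RE = re.compile(r"^\s*(?:rem\b|::)(.*)$", re.IGNORECASE)
# A long run of base64 alphabet characters is unusual inside a comment
B64_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")


def triage_batch_file(text, min_blob_len=64):
    """Return comment lines that carry long base64-looking blobs.

    Each finding records the line number, blob length and whether the
    blob is syntactically valid base64 (a strong hint it is a payload).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMMENT_RE.match(line)
        if not m:
            continue
        for blob in B64_RE.findall(m.group(1)):
            if len(blob) < min_blob_len:
                continue
            try:
                base64.b64decode(blob, validate=True)
                decodes = True
            except (ValueError, TypeError):
                decodes = False
            findings.append({"line": lineno, "length": len(blob), "decodes": decodes})
    return findings


# --- process-chain detection over constructed process-creation events ---
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WMI_HOSTS = {"wmiprvse.exe"}
BAT_PATH_RE = re.compile(r"[a-z]:\\[^\s\"']+\.bat")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def detect_chain(events):
    """Return (event_id, rule_name) pairs for events matching the chain.

    Rules mirror the article's stages: a script host or WMI running a .bat
    from a temp folder; a batch relaunching itself minimized; PowerShell
    referencing a .bat file (the stage that reads the hidden payloads).
    """
    alerts = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        image = _basename(ev["image"])
        cmd = ev["command_line"].lower()
        bat = BAT_PATH_RE.search(cmd)
        bat_path = bat.group(0) if bat else ""
        if bat_path and "\\temp\\" in bat_path and (
            parent in SCRIPT_HOSTS or parent in WMI_HOSTS or image == "wmic.exe"
        ):
            alerts.append((ev["id"], "script_or_wmi_runs_temp_bat"))
        if bat_path and image == "cmd.exe" and re.search(r"\bstart\b", cmd) and "/min" in cmd:
            alerts.append((ev["id"], "minimized_batch_relaunch"))
        if bat_path and image == "powershell.exe":
            alerts.append((ev["id"], "powershell_reads_batch"))
    return alerts


# Constructed sample batch file: two comment lines carry encoded blobs
PAYLOAD_1 = base64.b64encode(b"A" * 96).decode()          # 128 chars
PAYLOAD_2 = base64.b64encode(bytes(range(72))).decode()   # 96 chars
SAMPLE_BATCH = "\n".join([
    "@echo off",
    "REM routine maintenance script",
    "echo starting",
    ":: " + PAYLOAD_1,
    "REM " + PAYLOAD_2,
    "echo done",
])

# Constructed sample events (Sysmon-style fields); event 5 is benign
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic process call create "C:\Users\alice\AppData\Local\Temp\IrisBud.bat"'},
    {"id": 2, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c C:\Users\alice\AppData\Local\Temp\IrisBud.bat"},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd /c start "" /min C:\Users\alice\aoc.bat'},
    {"id": 4, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -w hidden -c "$d=Get-Content C:\Users\alice\aoc.bat"'},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd /c C:\Users\alice\build\run_tests.bat"},
]

if __name__ == "__main__":
    for f in triage_batch_file(SAMPLE_BATCH):
        print("batch comment payload:", f)
    for event_id, rule in detect_chain(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The triage check is deliberately format-agnostic: it does not assume the key, cipher mode or delimiter the real sample used, only that a comment line in a batch file should not contain a long, well-formed base64 string. The chain detector is meant to be fed from process-creation telemetry and tuned against your environment's legitimate .bat usage (event 5 shows a build script that correctly produces no alert).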
