Microsoft Follina Bug Is Back in Meme-Themed Cyberattacks Against Travel Orgs

Published: 23/11/2024   Category: security




A two-bit comedian is using a patched Microsoft vulnerability to attack the hospitality industry, and really laying it on thick along the way.



A threat actor is exploiting last year's Follina remote code execution (RCE) vulnerability to deploy the XWORM remote access trojan (RAT) and data-stealer against targets in the hospitality industry.

On May 12, researchers from Securonix broke down the campaign, which uses Follina to drop PowerShell code onto target machines, code that is rife with 4chan and meme references. The researchers refer to the campaign as MEME#4CHAN, due to the amorphous line it draws between stealth and internet humor.
MEME#4CHAN attacks begin with a phishing email with a hospitality hook in the subject line, something like "Reservation for Room." Attached is a Microsoft Word document furthering the theme, such as "Details for booking.docx."

Once a victim opens the document, they are presented with a dialogue box: "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" Regardless of whether they click Yes or No, a Word document opens containing stolen images of a French driver's license and debit card.
The choice of a .docx file is notable. Attackers long relied on malicious macros in Office files to gain a foothold on a target machine, a tactic that is far less effective now that Microsoft decided to block macros from Internet files by default.
Without that option, MEME#4CHAN instead turns to Follina. Follina (CVE-2022-30190) is an RCE vulnerability that carries a high CVSS score of 7.8. It allows attackers to create specially crafted Microsoft Word files that trick Microsoft's Diagnostic Support Tool into downloading and executing malicious code from an attacker-controlled server. The bug was disclosed and patched a year ago.
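Because a .docx that fetches content when it opens must declare that target in its Open XML relationship parts, defenders can triage suspicious attachments by inspecting those parts for external, network-reachable targets. The scanner below is an added example, not Securonix's or the article's code; it assumes the standard Open XML relationship namespace and uses a constructed sample document with a placeholder host.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def is_suspicious(rel_type: str, target: str) -> bool:
    """Flag relationships that can pull attacker-hosted content when the file opens."""
    t = target.lower()
    if "ms-msdt:" in t:  # the MSDT protocol handler abused by CVE-2022-30190
        return True
    # Remote OLE objects and attached templates are fetched silently on open;
    # ordinary hyperlinks to web pages are left alone to keep the noise down.
    return rel_type in ("oleObject", "attachedTemplate") and t.startswith(("http://", "https://"))

def scan_docx(data: bytes) -> list:
    """Return one finding per external relationship in the document's .rels parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue  # internal parts (styles, images) cannot reach the network
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                findings.append({"part": name, "type": rel_type, "target": target,
                                 "suspicious": is_suspicious(rel_type, target)})
    return findings

def make_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal constructed .docx container around the given .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed sample .rels: an internal styles part, a remote OLE object of the kind a
# Follina lure carries (placeholder host), and a harmless external hyperlink.
CONSTRUCTED_RELS = f"""<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}oleObject" Target="http://lure.invalid/booking.html" TargetMode="External"/>
  <Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" Target="https://example.com/terms" TargetMode="External"/>
</Relationships>"""
```

Running `scan_docx(make_sample_docx(CONSTRUCTED_RELS))` yields two external relationships, with only the remote OLE object marked suspicious; point `scan_docx` at the bytes of a quarantined attachment to triage it the same way.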
Through Follina, MEME#4CHAN downloads an obfuscated PowerShell script once the Word document is opened. The script is notable for its labored references, memes, and uninspiring jokes. The author laments at multiple points "why my ex left me," for example, and gives directories, variables, and functions names such as "mememan," "shakalakaboomboom," and "stepsishelpme."
The jokes might be considered a unique stealth tactic, designed to instantly repel any researcher of good taste. But Securonix researchers noted that the attack uses other more traditional obfuscation as well.
In fact, the researchers found variables in the PowerShell code ranging from "semi- to heavily obfuscated," they said, including a heavily obfuscated .NET binary which, once decoded, revealed itself as the XWORM RAT.

"The relative amount of effort invested into obfuscation and covertness is higher than for the similar attacks we observed," says Oleg Kolesnikov, vice president of threat research and detection at Securonix, "and it is not yet clear why."
XWORM is a bit of a Swiss Army knife of a RAT.
On one hand, it does RAT things — checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor to a machine, and creating an autorun entry to ensure persistence across restarts.
At the same time, it comes replete with espionage features, including capabilities for accessing a device's microphone and camera, and keylogging; and it can instigate follow-on attacks like distributed denial of service (DDoS) or even ransomware.
That said, the malware is of dubious quality, some note.
Multiple iterations of XWORM have been leaked online in recent months, including a 3.1 version just last month. The individual who published the 3.1 code to GitHub didn't appear to hold it in high regard.

"There are so many sh*tty Rat [sic], XWorm is one of them. I'm sharing it so that you don't pay for such things for nothing," the person wrote in a README file.

Compared to some of the other similar underground attack tools for which source code was leaked recently, Kolesnikov judges, XWORM "does appear to have arguably somewhat less advanced capabilities, though [its usefulness] often depends on the specific capability [required]. It depends on how the malicious threat actors use the tool as part of an attack."
According to the researchers, it's likely the author behind MEME#4CHAN is English-speaking, given all the 4chan references in their code.
Dark Reading also independently observed several variables in the code referencing Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it.
Taking further evidence into account adds color and cloudiness to the attribution picture. "The attack methodology is similar to that of TA558, a cybercriminal gang, where phishing emails were delivered targeting the hospitality industry," the Securonix researchers explained.

The researchers added, however, that TA558 also typically uses "a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign."
Whoever's behind it, it doesn't appear that this campaign is over, as several of its associated C2 domains are still active.
The researchers recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting.
