Fake Fedex Email Delivers Donuts!, (Fri, Feb 27th)
It's Friday; let's have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. Here, it was a bit different:
AI Analysis
Technical Summary
This campaign is a FedEx delivery-notification lure carrying a 7z archive, "fedex_shipping_document.7z", whose only content is a Windows batch (.bat) script of the same name. The script is not heavily obfuscated, but it relies on delayed environment variable expansion ("!var!" rather than "%VAR%"), which defeats naive string matches written for the "%VAR%" form. Delayed expansion is a legitimate cmd.exe feature that plenty of benign scripts use, so on its own it is a weak indicator; it matters here in combination with what the script does next.

On execution the script copies itself to %APPDATA%\Rail and creates a Run key in the Windows registry pointing at that copy, giving it persistence across reboots. It then launches a PowerShell one-liner that uses regular expressions to pull a Base64-encoded blob out of the script's own body. The Base64 is crafted so that common carving tools such as base64dump do not pick it up. The decoded PowerShell recovers an IV and a salt and uses them to decrypt an AES-encrypted payload.

The decrypted payload is shellcode, which is injected into explorer.exe and executed in a new thread. The shellcode is consistent with XWorm delivered through DonutLoader, and it connects to a command and control (C2) server at 204.10.160.190 on port 7003. Some anti-debugging and anti-sandbox checks are present (counting CPU cores, waiting for explorer.exe as a sign that a user is logged on), but they are incomplete or not fully wired in. The whole chain depends on the recipient opening the archive and running the batch file; once that happens the attacker has remote control of the host.
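The triage below is an added example, not code from the diary or from this site, and it runs on a batch script constructed for the example rather than on the real fedex_shipping_document.bat. It shows the static checks an analyst would run on such a script: flag delayed expansion, a Run-key write, an %APPDATA% path and a PowerShell launch, then carve Base64 out of the file in a way that tolerates a blob split over several lines (the constructed sample splits it that way; how the real sample defeats base64dump is not stated on this page). Decoded candidates are kept only if they decode strictly and are entirely printable, which filters out ordinary words that happen to look like Base64. The stand-in second stage is also constructed.

```python
"""Static triage of a suspicious Windows batch script (added example).

Flags the traits described above (delayed expansion, Run-key persistence,
an %APPDATA% path, a PowerShell launch) and carves embedded Base64,
reassembling a blob that is spread over several lines. The batch script
and the decoded stage below are constructed stand-ins, NOT the real sample.
"""
import base64
import binascii
import re

# Constructed stand-in for the decoded second-stage PowerShell.
CONSTRUCTED_STAGE2 = (
    "$iv=[Convert]::FromBase64String($i);$salt=[Convert]::FromBase64String($s);"
    "$aes=[System.Security.Cryptography.Aes]::Create();"
    "$sc=$aes.CreateDecryptor().TransformFinalBlock($b,0,$b.Length)"
)


def _blob_split_across_lines(data: bytes, width: int = 62) -> str:
    """Base64-encode data and spread it over several 'set' lines, so a tool
    that only reports one long contiguous run never sees the whole blob."""
    b64 = base64.b64encode(data).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join(f'set "p{n}={c}"' for n, c in enumerate(chunks))


# Constructed batch script mimicking the described traits (not the real one).
CONSTRUCTED_BAT = "\n".join([
    "@echo off",
    "setlocal enabledelayedexpansion",
    'set "dir=%APPDATA%\\Rail"',
    'if not exist "!dir!" mkdir "!dir!"',
    'copy /y "%~f0" "!dir!\\%~nx0" >nul',
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    ' /v Rail /t REG_SZ /d "!dir!\\%~nx0" /f >nul',
    _blob_split_across_lines(CONSTRUCTED_STAGE2.encode()),
    "powershell -nop -w hidden -c \"$t=[IO.File]::ReadAllText('%~f0');"
    "$b=-join([regex]::Matches($t,'p\\d+=([A-Za-z0-9+/]+)')|%%{$_.Groups[1].Value});"
    'iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))"',
])

INDICATORS = {
    "delayed_expansion": re.compile(r"enabledelayedexpansion|![A-Za-z_]\w*!", re.I),
    "run_key_persistence": re.compile(r"reg(?:\.exe)?\s+add\s+\S*CurrentVersion\\Run\b", re.I),
    "appdata_path": re.compile(r"%APPDATA%\\\w+", re.I),
    "powershell_launch": re.compile(
        r"powershell(?:\.exe)?\s.*(?:\s-c\b|-command|\s-e\b|-enc|FromBase64String)", re.I),
}


def find_indicators(script: str) -> dict:
    """Map each indicator name to the script lines that triggered it."""
    hits: dict = {}
    for line in script.splitlines():
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _decode_printable(s: str):
    """Strictly decode s (padding it first); return bytes only if all printable."""
    s += "=" * (-len(s) % 4)
    try:
        data = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    return data if all(32 <= b < 127 or b in (9, 10, 13) for b in data) else None


def extract_base64(script: str, min_decoded: int = 32) -> list:
    """Carve Base64 blobs, joining consecutive runs for as long as the join
    still decodes to printable text, so a blob split over lines is rebuilt."""
    runs = [m.group(0) for m in B64_RUN.finditer(script)]
    found, i = [], 0
    while i < len(runs):
        best, j = None, i
        while j < len(runs):
            data = _decode_printable("".join(runs[i:j + 1]))
            if data is None:
                break
            best, j = data, j + 1
        if best is not None and len(best) >= min_decoded:
            found.append(best)
            i = j
        else:
            i += 1
    return found


def triage(script: str) -> dict:
    """Summarise indicators, decoded stages and a coarse verdict."""
    hits, stages = find_indicators(script), extract_base64(script)
    crypto = re.compile(r"\bAes\b|CreateDecryptor|FromBase64String")
    return {
        "indicators": sorted(hits),
        "decoded_stages": stages,
        "stage2_crypto": any(crypto.search(s.decode("ascii", "replace")) for s in stages),
        "verdict": "suspicious" if len(hits) >= 3 or stages else "clean",
    }


if __name__ == "__main__":
    report = triage(CONSTRUCTED_BAT)
    print(report["verdict"], report["indicators"])
    for stage in report["decoded_stages"]:
        print(stage.decode())
```

The regexes are deliberately heuristic: `find_indicators` fires on any one trait, and `triage` only calls the file suspicious when three of them coincide or a decodable stage is recovered, because delayed expansion and a PowerShell call are each common in legitimate administration scripts.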
Potential Impact
Organizations face credential theft, data exfiltration, lateral movement and persistent remote access from this malware. The Run-key persistence and the injection into explorer.exe let it keep a foothold across reboots and hide inside a process that is always present on an interactive desktop. The C2 channel lets the operator issue commands, drop additional payloads or pivot into the network, which can end in operational disruption, intellectual property theft or ransomware deployment if the attacker escalates privileges. The evasion techniques lower the chance of detection and lengthen dwell time. The chain does require a user to open the archive and run the script, but phishing remains a reliable vector, particularly in sectors with heavy email volume such as logistics, finance and government. XWorm is a known remote access trojan, so a successful infection gives the attacker stealthy interactive control of the host.
Mitigation Recommendations
Organizations should filter email for archive attachments that contain scripts (here a .bat inside a .7z) and quarantine them. Endpoint detection should look for the chain rather than its pieces: delayed variable expansion and cmd.exe spawning PowerShell are both common in legitimate scripts, so alert on their combination with a Run key being written to a path under %APPDATA% and with PowerShell creating a remote thread in explorer.exe. Network monitoring should flag outbound connections to uncommon ports and to known C2 infrastructure, including 204.10.160.190 on port 7003 from this sample. User awareness training should stress that a trusted brand such as FedEx in the sender name is no reason to open an unexpected archive. Note that the PowerShell execution policy is not a security boundary: a one-liner passed with -Command, or a process started with -ExecutionPolicy Bypass, ignores it; enable script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and module logging so the decoded stages are recorded, and use application control (AppLocker or WDAC) or Constrained Language Mode to limit what PowerShell can run. Hunt for the published indicators, such as the archive's SHA256 hash and the %APPDATA%\Rail path, and keep tested backups and an incident response plan for the case where prevention fails.
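The hunt below is an added example, not code from the diary or from this site. It shows the correlation the recommendation above calls for: four stage detectors, one per step of the chain (Run key written to %APPDATA%, hidden PowerShell spawned by cmd.exe, remote thread created in explorer.exe, connection to the reported C2), and an alert only when two or more distinct stages occur on one host inside a ten-minute window. The events are constructed for the example; their event IDs and field names follow Sysmon's ProcessCreate (1), NetworkConnect (3), CreateRemoteThread (8) and RegistryEvent value-set (13) records, and the host names, paths and times are made up. The C2 address and port come from the analysis above.

```python
"""Hunt for the described chain in Sysmon-style telemetry (added example).

Each detector alone is noisy (admins run hidden PowerShell from cmd too),
so an alert needs two or more distinct stages on one host in one window.
Event IDs and field names follow Sysmon (1, 3, 8, 13); the events below
are constructed for this example and are not real logs.
"""
from datetime import datetime, timedelta
import re

C2_IP, C2_PORT = "204.10.160.190", 7003  # reported for this sample

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

CONSTRUCTED_EVENTS = [
    # WS01: the full chain within ten seconds
    {"host": "WS01", "EventID": 13, "UtcTime": "2026-02-27 08:15:02.110",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\Rail",
     "Details": r"C:\Users\jdoe\AppData\Roaming\Rail\fedex_shipping_document.bat"},
    {"host": "WS01", "EventID": 1, "UtcTime": "2026-02-27 08:15:03.400", "Image": PS,
     "ParentImage": CMD, "CommandLine": 'powershell -nop -w hidden -c "iex $s"'},
    {"host": "WS01", "EventID": 8, "UtcTime": "2026-02-27 08:15:09.020",
     "SourceImage": PS, "TargetImage": r"C:\Windows\explorer.exe"},
    {"host": "WS01", "EventID": 3, "UtcTime": "2026-02-27 08:15:12.700",
     "Image": r"C:\Windows\explorer.exe", "DestinationIp": C2_IP, "DestinationPort": C2_PORT},
    # WS02: an admin's hidden PowerShell from cmd, one stage only, no alert
    {"host": "WS02", "EventID": 1, "UtcTime": "2026-02-27 09:00:00.000", "Image": PS,
     "ParentImage": CMD, "CommandLine": r"powershell -nop -w hidden -File C:\Scripts\inventory.ps1"},
    # WS03: an installer writing a Run key; wrong writer and not under %APPDATA%
    {"host": "WS03", "EventID": 13, "UtcTime": "2026-02-27 09:30:00.000",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


def _img(e, key="Image"):
    return e.get(key, "").lower()


def stage_run_key_to_appdata(e):
    """Sysmon 13: cmd/reg sets a Run value whose data points under AppData\\Roaming."""
    return (e["EventID"] == 13
            and re.search(r"\\currentversion\\run\\", e.get("TargetObject", ""), re.I) is not None
            and re.search(r"\\appdata\\roaming\\|%appdata%", e.get("Details", ""), re.I) is not None
            and _img(e).endswith(("\\cmd.exe", "\\reg.exe")))


def stage_hidden_powershell_from_cmd(e):
    """Sysmon 1: cmd.exe spawns PowerShell with a hidden window or no profile."""
    return (e["EventID"] == 1 and _img(e).endswith("\\powershell.exe")
            and _img(e, "ParentImage").endswith("\\cmd.exe")
            and re.search(r"-w(?:indowstyle)?\s+hidden|-nop\b|frombase64string",
                          e.get("CommandLine", ""), re.I) is not None)


def stage_remote_thread_into_explorer(e):
    """Sysmon 8: some other process creates a thread inside explorer.exe."""
    return (e["EventID"] == 8 and _img(e, "TargetImage").endswith("\\explorer.exe")
            and not _img(e, "SourceImage").endswith("\\explorer.exe"))


def stage_c2_connect(e):
    """Sysmon 3: any process reaches the reported C2 address and port."""
    return (e["EventID"] == 3 and e.get("DestinationIp") == C2_IP
            and int(e.get("DestinationPort", 0)) == C2_PORT)


STAGES = {fn.__name__[len("stage_"):]: fn for fn in (
    stage_run_key_to_appdata, stage_hidden_powershell_from_cmd,
    stage_remote_thread_into_explorer, stage_c2_connect)}


def _when(e):
    return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def classify(events):
    """Return (host, time, stage) for every event that matches a stage."""
    return [(e["host"], _when(e), name)
            for e in events for name, fn in STAGES.items() if fn(e)]


def hunt(events, window=timedelta(minutes=10), min_stages=2):
    """Cluster stage hits per host; alert when a cluster holds >= min_stages distinct stages."""
    by_host = {}
    for host, t, stage in classify(events):
        by_host.setdefault(host, []).append((t, stage))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        cluster = []
        for hit in hits + [None]:  # None flushes the final cluster
            if hit is not None and (not cluster or hit[0] - cluster[0][0] <= window):
                cluster.append(hit)
                continue
            stages = sorted({s for _, s in cluster})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "stages": stages,
                               "first_seen": cluster[0][0].isoformat(sep=" "),
                               "last_seen": cluster[-1][0].isoformat(sep=" "),
                               "known_c2": "c2_connect" in stages})
            cluster = [hit] if hit is not None else []
    return alerts


if __name__ == "__main__":
    for alert in hunt(CONSTRUCTED_EVENTS):
        print(alert)
```

Running it alerts on WS01 with all four stages and stays quiet on WS02, whose lone hidden PowerShell is exactly the kind of single indicator that would flood a queue if alerted on directly. A hit on `c2_connect` is high confidence by itself, so a production rule would typically let that stage alert alone and reserve the two-stage requirement for the behavioural detectors.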
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Netherlands, Japan, South Korea, Singapore
Technical Details
- Article Source: https://isc.sans.edu/diary/rss/32754 (fetched 2026-02-27T12:25:16Z, 551 words)
Threat ID: 69a18d2c32ffcdb8a22c9d0c
Added to database: 2/27/2026, 12:25:16 PM
Last enriched: 2/27/2026, 12:25:25 PM
Last updated: 4/13/2026, 8:04:37 PM