Originally reported by Hackread
TL;DR
Cybercriminals have launched new campaigns using XWorm 7.1 and Remcos RAT that exploit a WinRAR vulnerability and leverage trusted Windows processes to evade security detection. The attacks employ process hollowing techniques to maintain persistence and conduct surveillance on compromised systems.
New malware campaigns using established RAT families with process hollowing techniques represent an ongoing threat to Windows environments, though no widespread exploitation or critical infrastructure impact has been reported.
Threat actors have deployed updated campaigns featuring XWorm 7.1 and Remcos Remote Access Trojan (RAT) that exploit legitimate Windows tools to circumvent security detection mechanisms. According to security researchers, these campaigns specifically abuse a WinRAR vulnerability to achieve initial compromise before implementing sophisticated evasion techniques.
The malware campaigns utilize process hollowing, a technique where malicious code is injected into legitimate Windows processes to mask malicious activity. By hollowing out trusted system processes, the RATs can operate under the cover of legitimate Windows functionality, significantly reducing their detection footprint.
Both XWorm 7.1 and Remcos RAT variants in these campaigns are configured for surveillance operations, enabling attackers to monitor victim systems, exfiltrate sensitive data, and maintain persistent access to compromised networks. The use of legitimate Windows tools as execution vehicles represents an evolution in evasion tactics, leveraging the inherent trust placed in system processes.
The initial infection vector leverages a known WinRAR vulnerability, though specific CVE details were not disclosed in the original reporting. This approach allows attackers to achieve code execution through malicious archive files, a common delivery method for RAT payloads targeting Windows environments.
Security teams should prioritize updating WinRAR installations and implementing behavioral detection capabilities that can identify process hollowing activity, regardless of whether the host process is itself a legitimate Windows binary.
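As an added illustration of the behavioral detection recommended above (this is example code, not code from the original report or from any vendor), the following Python detector walks a constructed, simplified endpoint telemetry feed and flags the classic hollowing chain: a child created suspended, then written to and re-pointed via thread-context changes by its parent, then resumed. The event schema and field names are assumptions; the host image path is reported but never used to suppress the alert.

```python
"""Flag process-hollowing sequences in constructed endpoint telemetry."""
from collections import defaultdict

# Constructed sample telemetry (not real campaign data): one hollowing chain
# against a trusted Windows binary, plus a benign suspended-create that is
# simply resumed (debugger-style) and must not be flagged.
EVENTS = [
    {"ts": 1, "event": "create", "pid": 4100, "ppid": 3000,
     "image": r"C:\Windows\System32\svchost.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 2, "event": "api", "pid": 3000, "target": 4100, "api": "NtUnmapViewOfSection"},
    {"ts": 3, "event": "api", "pid": 3000, "target": 4100, "api": "WriteProcessMemory"},
    {"ts": 4, "event": "api", "pid": 3000, "target": 4100, "api": "SetThreadContext"},
    {"ts": 5, "event": "api", "pid": 3000, "target": 4100, "api": "ResumeThread"},
    {"ts": 6, "event": "create", "pid": 5200, "ppid": 3500,
     "image": r"C:\Tools\app.exe", "flags": ["CREATE_SUSPENDED"]},
    {"ts": 7, "event": "api", "pid": 3500, "target": 5200, "api": "ResumeThread"},
]

# Unmapping the original image is common but not required for hollowing, so the
# detection keys on the write + context change + resume sequence instead.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def detect_hollowing(events):
    """Return [(child_pid, image, parent_pid)] for each child that was created
    suspended and then had memory written and its thread context replaced by
    its creating parent before being resumed."""
    suspended = {}            # child pid -> (image, parent pid)
    seen = defaultdict(set)   # child pid -> APIs the parent called on it
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "create" and "CREATE_SUSPENDED" in ev["flags"]:
            suspended[ev["pid"]] = (ev["image"], ev["ppid"])
        elif ev["event"] == "api" and ev["target"] in suspended:
            image, ppid = suspended[ev["target"]]
            if ev["pid"] != ppid:
                continue  # only the creating parent's actions count here
            seen[ev["target"]].add(ev["api"])
            if ev["api"] == "ResumeThread" and all(
                step in seen[ev["target"]] for step in HOLLOW_STEPS
            ):
                hits.append((ev["target"], image, ppid))
    return hits


if __name__ == "__main__":
    for pid, image, ppid in detect_hollowing(EVENTS):
        print(f"possible process hollowing: pid {pid} ({image}) by parent {ppid}")
```

In a real deployment the same logic maps onto EDR or Sysmon-style process-access and thread telemetry; the point is that the alert fires on the parent's behavior toward the child, not on the child's image path.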