
Aug 2025: XWORM SPOOFED BANKING MESSAGES

XWORM SPOOFED BANKING MESSAGES indicators


Threat Alert: XWORM SPOOFED BANKING MESSAGES

  • Threat actors pushed a widespread, high-volume campaign impersonating Chase Bank. The message subject and body posed as security warnings for Zelle users.
  • Messages included hyperlinked text for a “mandatory” safety notice the recipient was told to review. The link led to an attacker-controlled landing page that started an attack chain ending in the download and execution of the XWorm remote access trojan (RAT).

How is it used in the wild?

  • Messages included spoofed Chase branding and Zelle information, presented as seemingly legitimate protection measures for users.
  • Hyperlinked text in the message led to a landing page gated by a CAPTCHA (a common way to keep automated URL scanners from reaching the payload page).
  • If the CAPTCHA was solved, the user was redirected to a landing page on a .top top-level domain (TLD) with a ClickFix-style lure: the page instructs the user to copy a command and run it themselves. If the user followed those instructions, the result could be the download and deployment of XWorm.
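The three traits above (brand-named link text pointing elsewhere, a lookalike domain, and a landing page on an unusual TLD) can be checked mechanically during mail triage. The script below is an added example, not part of the original alert and not a vendor tool; the sample message, the domains in it, and the trusted-domain allow-list are constructed placeholders, not indicators from the campaign.

```python
# Added example: triage checks for a message suspected of being part of a
# spoofed-banking lure. All domains below are constructed placeholders.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"chase.com", "zellepay.com"}   # assumption: allow-list for this lure
SUSPICIOUS_TLDS = {"top"}                          # the alert names .top landing pages

# Constructed sample message (not a real campaign sample).
SAMPLE_HTML = """
<p>Dear Customer, a <b>mandatory</b> Zelle safety notice requires your review.</p>
<a href="https://secure-chase-alerts.top/notice">chase.com/security</a>
<a href="https://www.chase.com/digital/resources/privacy-security">Security Center</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, including nested markup."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: last two labels. Adequate for .com/.top, not for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as 'chsae'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain's first label is within 2 edits of a trusted brand
    or embeds the brand name (e.g. 'secure-chase-alerts'). Coarse by design:
    it will also flag unrelated words containing the brand, which is acceptable for triage."""
    if domain in TRUSTED_DOMAINS:
        return False
    first_label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if levenshtein(first_label, brand) <= 2 or brand in first_label:
            return True
    return False


def triage_links(html):
    """Return [(href, [reasons])] for every link that trips at least one check."""
    findings = []
    parser = LinkExtractor()
    parser.feed(html)
    for href, text in parser.links:
        dom = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if dom.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            reasons.append("suspicious TLD")
        if is_lookalike(dom):
            reasons.append("lookalike domain")
        # Link text that names a domain different from where the href actually goes.
        shown = re.search(r"([a-z0-9-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != dom:
            reasons.append("display text names a different domain")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_HTML):
        print(href, "->", ", ".join(reasons))
```

On the constructed sample, only the first link is reported, with all three reasons; the genuine chase.com link passes. The domain heuristics are deliberately simple (two-label eTLD+1, substring brand match) and should be backed by a real public-suffix list and a reputation feed in production; the point is that each trait the alert describes maps to a concrete, testable check.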

Key Action: Stay Alert!

  • Look out for lookalike domains, and hover over links to confirm the destination matches the visible text.
  • Log into accounts by typing the bank's address into your browser or using its official app instead of following links in emails.
  • Never copy and run commands that a web page tells you to paste into the Run dialog or a terminal, even after a CAPTCHA.
  • Report ANY suspicious emails via Phish Alarm.