10 hours ago
Your Passwords Are At Risk — New Windows XFiles Attack Confirmed
Windows passwords come under attack from XFiles threat.
Two things that are guaranteed to strike fear into the hearts of anyone concerned about cybersecurity attacks are Windows and passwords. Combine the two, and you have the basis of what can be something of a security nightmare. With Microsoft account password spraying attacks and warnings over opening specific Outlook files in the news as Windows email, passwords and 2FA codes come under attack, this is kind of understandable. Now, with confirmation of a password-stealing threat called XFiles, is there even more cause for concern? The truth, as they say, is out there.
A group of self-proclaimed elite threat hunters and cyber analysts has issued a warning that attackers deploying a malware payload called XFiles, also known as DeerStealer, are targeting Windows users in order to compromise passwords that can then be sold on dark web criminal marketplaces.
A June 12 report published by the eSentire Threat Response Unit has revealed how, throughout May, threat actors have been using the XFiles payload in order to steal Windows passwords that can then be sold by a dark web user known only as LuciferXfiles.
The methods employed are sadly all too familiar, involving ClickFix attacks during the initial access process. These tech support scams combine seemingly genuine offers of help regarding security issues surrounding account activity with fake ID Captcha prompts that involve executing malicious commands using the Windows Run prompt.
Should the victim get to this stage, they will then download something called HijackLoader, often obfuscated using an encrypted PNG image, that downloads the real payload, the XFiles infostealer malware to compromise passwords, browser 2FA session cookies, instant messages and more.
Read the full report for a detailed technical analysis of the entire attack chain. When it comes to mitigation, however, the eSentire TRU advice is clear:
I would have to add to this that opening the Windows Run prompt and pasting the clipboard's content, which is how ClickFix attacks work, is hardly conducive to good security practice or, frankly, common sense. I mean, how many Captcha or I Am Not A Robot tests have ever asked you to do that? The answer is zero. Protect your passwords by not being tricked into doing something that is so obviously out of the ordinary.