
Xloader deep dive: Link-based malware delivery via SharePoint impersonation

Blog post from Sublime Security

Author: Threat Research Team
Word count: 1,975
Language: English
Summary

Sublime's detection of an email impersonating a SharePoint notification led to the discovery of a multi-stage malware delivery chain involving an AutoIt script, embedded shellcode, and process injection. The attack began with a lure email styled as a legitimate SharePoint document-sharing notice, prompting the target to download a malicious .zip archive. The archive contained an AutoIt-compiled executable; decompiling it exposed obfuscated shellcode. Further analysis with CyberChef, Ghidra, and x32dbg identified process injection and the use of APIs commonly associated with malware loaders, suggesting a connection to the TrickGate loader and the Xloader (Formbook) malware family. The analysis highlighted evasion techniques such as loading a second, clean copy of ntdll.dll (so that system calls bypass user-mode hooks placed by security tools) and anti-analysis tricks designed to defeat emulators and sandboxes, ultimately confirming Xloader's information-stealing capabilities.
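The lure described above, an email carrying SharePoint branding from a sender that is not Microsoft and linking to a .zip archive, is exactly the kind of message a brand-impersonation check should catch before anyone reaches the AutoIt stage. The following Python script is an added example, not code from the Sublime post or from the Sublime platform; the list of legitimate SharePoint sender domains, the risky-extension list, and the two sample messages are constructed assumptions for illustration only.

```python
"""Heuristic SharePoint brand-impersonation check over raw RFC 822 messages.

Added example; not the Sublime post's own detection logic. The domain and
extension lists below are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hosts from which genuine SharePoint notifications and links originate.
LEGIT_SHAREPOINT_DOMAINS = ("sharepointonline.com", "sharepoint.com", "microsoft.com")
# Assumption: extensions that should never be the payload of a "shared document" link.
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img", ".js", ".vbs")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def _domain_matches(host, allowed):
    """True if host equals, or is a subdomain of, any entry in allowed."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def _body_text(msg):
    """Concatenate text/plain and text/html parts so links can be extracted."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message):
    """Return {'suspicious': bool, 'reasons': [...]} for one raw message."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    reasons = []

    # The brand claim lives in the display name; a colleague writing
    # "SharePoint" in a subject line is not impersonation.
    brand_claimed = "sharepoint" in display_name.lower()
    if brand_claimed and not _domain_matches(sender_domain, LEGIT_SHAREPOINT_DOMAINS):
        reasons.append(f"SharePoint branding from non-Microsoft sender domain {sender_domain!r}")

    for url in URL_RE.findall(_body_text(msg)):
        parsed = urlparse(url)
        if brand_claimed and not _domain_matches(parsed.hostname, LEGIT_SHAREPOINT_DOMAINS):
            reasons.append(f"document link points off-brand: {parsed.hostname}")
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append(f"link delivers an archive or script: {url}")

    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a lure shaped like the one in the post (all names fictitious).
LURE = """From: "SharePoint Online" <notifications@shared-docs-portal.example>
To: finance@victim.example
Subject: A document has been shared with you
Content-Type: text/plain; charset=utf-8

Invoice_Q3 has been shared with you.
Open document: https://shared-docs-portal.example/download/Invoice_Q3.zip
"""

# Constructed sample: a colleague sharing a real SharePoint link.
BENIGN = """From: "Alice Example" <alice@corp.example>
To: bob@corp.example
Subject: SharePoint: Q3 plan shared with you
Content-Type: text/plain; charset=utf-8

Here is the link: https://corp.sharepoint.com/sites/finance/Shared%20Documents/Q3-plan.docx
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        verdict = analyze(raw)
        print(label, "->", "SUSPICIOUS" if verdict["suspicious"] else "clean")
        for reason in verdict["reasons"]:
            print("   ", reason)
```

Three signals fire on the lure (off-brand sender domain, off-brand link host, archive payload) and none on the internal share, which is the point of keying the brand claim on the display name rather than on the subject: the expensive part of this chain, the AutoIt dropper and its injected Xloader payload, is only reachable if the first link is clicked.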