Malicious actors have seized upon a legitimate Rust-based injector known as Freeze.rs to unleash the XWorm commodity malware within targeted environments. Fortinet FortiGuard Labs detected this novel attack chain on July 13, 2023, which commences with a phishing email harboring a booby-trapped PDF file.
By exploiting a crypter named SYK Crypter, the attackers also facilitated the introduction of Remcos RAT. Cara Lin, a security researcher, elaborated that this malevolent sequence employs various techniques, including utilizing the ‘search-ms’ protocol to access a remote LNK file via an HTML redirection.
Freeze.rs, an open-source red teaming tool developed by Optiv and released on May 4, 2023, operates as a payload creation tool, adept at evading security measures and executing shellcode covertly. Its mechanisms not only dismantle Userland EDR hooks but also execute shellcode to evade endpoint monitoring controls, as described in a GitHub overview.
In parallel, SYK Crypter has been harnessed to distribute an array of malware families, leveraging a .NET loader within Discord’s content delivery network to pose as benign purchase orders and carry out attacks.
Fortinet’s findings reveal the malware masquerades as PDF files but functions as LNK files that execute a PowerShell script to activate the Rust-based injector, with a misleading decoy PDF document displayed.
In the final phase, injected shellcode is decrypted to launch the XWorm remote access trojan, enabling data harvesting, remote control of the compromised device, and more. This utilization of a three-month-old program in attacks reflects the swift integration of offensive tools by malicious actors to achieve their objectives, underscoring the dynamic landscape of cyber threats. The alliance of XWorm and Remcos RAT forms a potent trojan, with a strong presence targeting Europe and North America, according to Lin’s observations.