Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware known as XWorm in victim environments.
The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email that contains a booby-trapped PDF file. It has also been used to deliver Remcos RAT by means of a crypter known as SYK Crypter, which was first documented by Morphisec in May 2022.
“This file redirects to an HTML file and utilizes the ‘search-ms’ protocol to access an LNK file on a remote server,” security researcher Cara Lin said. “On clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions.”
Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner.
“Freeze[.]rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls,” according to a description shared on GitHub.
SYK Crypter, on the other hand, is a tool used to distribute a wide range of malware families such as AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (aka Ave Maria). It can be retrieved from the Discord content delivery network (CDN) by means of a .NET loader attached to emails that masquerade as benign purchase orders.
“This attack chain delivers a crypter that is persistent, features several layers of obfuscation, and uses polymorphism to sustain its ability to evade detection by security solutions,” Morphisec researcher Hido Cohen explained.
It's worth noting that the abuse of the “search-ms” URI protocol handler was recently highlighted by Trellix, which uncovered infection sequences bearing HTML or PDF attachments to run searches on an attacker-controlled server and list malicious files in the Windows File Explorer as if they were local search results.
The findings from Fortinet are no different in that the files are camouflaged as PDF documents but are actually LNK files that execute a PowerShell script to launch the Rust-based injector, while displaying a decoy PDF document.
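A defender-side check for the search-ms abuse described above, added here as an example and not taken from the article or from Fortinet's or Trellix's research: it parses search-ms: URIs (as they might be extracted from HTML attachments, LNK targets or proxy telemetry) and flags those whose crumb=location: scope points at a remote UNC or WebDAV path rather than a local folder. The sample URIs, hostnames and addresses are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample lines (not from the article): search-ms URIs as they might
# appear in extracted attachment content or endpoint/proxy telemetry.
SAMPLES = [
    r"search-ms:displayname=Downloads&crumb=location:\\203.0.113.10\share",
    "search-ms:query=invoice&crumb=location:%5C%5Cfiles.example.test%40SSL%5CDavWWWRoot",
    r"search-ms:query=report&crumb=location:C:\Users\Public\Documents",
    "https://example.test/normal/link",
]


def parse_search_ms(uri):
    """Return the decoded parameter dict of a search-ms: URI, or None if it is not one."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)  # undo %5C-style escaping
    return params


def remote_location(params):
    """Return the crumb location if it points off-host (UNC or WebDAV), else None."""
    crumb = params.get("crumb", "")
    if not crumb.lower().startswith("location:"):
        return None
    location = crumb[len("location:"):]
    # A search scope starting with \\ or http(s):// makes Explorer reach out to
    # another host and render that host's files as if they were local results.
    if location.startswith("\\\\") or location.lower().startswith(("http://", "https://")):
        return location
    return None


def find_remote_search_ms(lines):
    """Return (line, location) pairs for search-ms URIs scoped to a remote share."""
    hits = []
    for line in lines:
        params = parse_search_ms(line.strip())
        if params is None:
            continue
        location = remote_location(params)
        if location is not None:
            hits.append((line, location))
    return hits


if __name__ == "__main__":
    for line, location in find_remote_search_ms(SAMPLES):
        print(f"remote search scope {location!r} in: {line}")
```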
In the final stage, the injected shellcode is decrypted to execute the XWorm remote access trojan and harvest sensitive information, such as machine info, screenshots, and keystrokes, and remotely control the compromised system.
The fact that a three-month-old tool is already being weaponized in attacks illustrates the rapid adoption of offensive tools by malicious actors to meet their goals.
That's not all. The PowerShell script, besides loading the injector, is configured to run another executable, which functions as a dropper by calling a remote server to fetch the SYK Crypter containing the encrypted Remcos RAT malware.
“The combination of XWorm and Remcos creates a formidable trojan with an array of malicious functionalities,” Lin said. “The C2 server’s traffic report […] reveals Europe and North America as the primary targets of this malicious campaign.”
Some parts of this article are sourced from:
thehackernews.com