Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments.
The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was first documented by Morphisec in May 2022.
"This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," security researcher Cara Lin said. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions."
Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner.
"Freeze[.]rs utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls," according to a description shared on GitHub.
SYK Crypter, on the other hand, is a tool employed to distributed a wide variety of malware families such as AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (aka Ave Maria). It's retrieved from the Discord content delivery network (CDN) by means of a .NET loader attached to emails that masquerades as benign purchase orders.
"This attack chain delivers a crypter that is persistent, features multiple layers of obfuscation, and uses polymorphism to maintain its ability to avoid detection by security solutions," Morphisec researcher Hido Cohen explained.
It's worth noting that the abuse of the "search-ms" URI protocol handler was recently highlighted by Trellix, which unearthed infection sequences bearing HTML or PDF attachments to run searches on an attacker-controlled server and list malicious files in the Windows File Explorer as if they are local search results.
The findings from Fortinet are no different in that the files are camouflaged as PDF files but are actually LNK files that execute a PowerShell script to launch the Rust-based injector, while displaying a decoy PDF document.
In the final stage, the injected shellcode is decrypted to execute the XWorm remote access trojan and harvest sensitive data, such as machine information, screenshots, and keystrokes, and remotely control the compromised device.
The fact that a three-month-old program is already being weaponized in attacks symbolizes the rapid adoption of offensive tools by malicious actors to meet their goals.
That's not all. The PowerShell script, besides loading the injector, is configured to run another executable, which functions as a dropper by contacting a remote server to fetch the SYK Crypter containing the encrypted Remcos RAT malware.
"The combination of XWorm and Remcos creates a formidable trojan with an array of malicious functionalities," Lin said. "The C2 server's traffic report [...] reveals Europe and North America as the primary targets of this malicious campaign."
The findings come as Trellix disclosed details of another XWorm campaign propagated via social engineering emails with PDF, DOCX and RTF attachments masquerading as invoices and purchase orders in attacks aimed at service, transport, and healthcare sectors in the U.S., South Korea, Germany, Austria, and Saudi Arabia.
"The campaign used blogspot.com URLs pointing to scripts and PowerShell code to download and execute additional payloads as well as to establish persistence," researchers Pratik Pachpor and Adarsh S said. The XWorm payload is "heavily obfuscated, adding an extra layer of complexity to its analysis."