Malicious actors have been abusing a legitimate Rust-based injector known as Freeze[.]rs to deploy the XWorm commodity malware in targeted environments. The attack chain begins with a phishing email carrying a booby-trapped attachment that poses as a PDF, which leads to the execution of Freeze[.]rs together with a crypter known as SYK Crypter. Freeze[.]rs is an open-source red teaming tool used for payload creation, while SYK Crypter is a tool used to distribute various malware families. The attack chain uses multiple obfuscation techniques and polymorphism to evade detection. XWorm is ultimately deployed to harvest sensitive information and gain remote control of the compromised device. This demonstrates how quickly offensive tooling is adopted by malicious actors.
The PowerShell script used in the attack also runs an additional executable that functions as a dropper, contacting a remote server to fetch the SYK Crypter, which contains the encrypted Remcos RAT. The combination of XWorm and Remcos gives the attacker a powerful trojan with a broad range of malicious functionality. The main targets of this campaign are in Europe and North America. A second XWorm campaign has also been discovered, targeting the services, transport, and healthcare sectors in the U.S., South Korea, Germany, Austria, and Saudi Arabia. That campaign uses social engineering emails with disguised attachments and obfuscated payloads.
The "search-ms" URI protocol handler has been abused in these attacks. It lets a link point Windows Search at an attacker-controlled server, so that the attacker's malicious files are listed in Windows File Explorer as if they were local search results. The camouflaged files in this attack are disguised as PDF files but are actually LNK files that execute a PowerShell script to launch the Rust-based injector, while displaying a decoy PDF document. The use of offensive tools and techniques demonstrates the sophistication and adaptability of malicious actors in carrying out targeted attacks.
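The two lure components described above, the search-ms link and the shortcut posing as a PDF, can both be checked mechanically. The following is an added triage example, not code from the original report, from Freeze[.]rs, or from the campaign itself. It assumes the documented search-ms URI layout (ampersand-separated `query=`, `crumb=location:` and `displayname=` parameters) and the fixed Shell Link header that every .lnk file starts with; the email snippet, the 203.0.113.10 share address and the attachment bytes are constructed test inputs, not indicators from the campaign.

```python
"""Triage helpers for search-ms lures and LNK files disguised as PDFs.

Added example (not from the report or any project). Two checks:
  1. extract_search_ms_lures() finds search-ms: URIs in an email body and
     reports those whose 'crumb=location:' points off-host (UNC or WebDAV
     path), which is what makes the attacker's files show up in Explorer.
  2. looks_like_lnk() identifies a Shell Link by its fixed header bytes,
     so a file named 'Invoice.pdf' that is really a shortcut is caught
     regardless of the extension it advertises.
"""
import html
import re
from urllib.parse import unquote

SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into {param: [values]} (params may repeat)."""
    if not uri.lower().startswith("search-ms:"):
        raise ValueError("not a search-ms URI")
    body = unquote(uri[len("search-ms:"):])
    params: dict = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(key.lower(), []).append(value)
    return params


def remote_location(params: dict):
    """Return the crumb location when it is a UNC or HTTP(S) path, else None."""
    for crumb in params.get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.lower() != "location":
            continue
        if value.startswith("\\\\") or value.lower().startswith(("http://", "https://")):
            return value
    return None


def extract_search_ms_lures(text: str) -> list:
    """Find search-ms: URIs in an (HTML or plain) email body; report remote ones."""
    findings = []
    for match in SEARCH_MS_RE.finditer(html.unescape(text)):
        uri = match.group(0)
        params = parse_search_ms(uri)
        location = remote_location(params)
        if location is not None:
            findings.append({
                "uri": uri,
                "location": location,
                "displayname": params.get("displayname", [""])[0],
            })
    return findings


def looks_like_lnk(data: bytes) -> bool:
    """True when the bytes begin with the Shell Link header, whatever the name."""
    return data[:len(LNK_MAGIC)] == LNK_MAGIC


def triage_attachment(name: str, data: bytes) -> str:
    """Classify by content; flag a shortcut whose name claims another type."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if looks_like_lnk(data):
        return "lnk" if ext == "lnk" else "lnk-disguised-as-" + ext
    return "other"


# Constructed sample inputs (not real campaign artifacts).
SAMPLE_EMAIL = (
    "<p>Your invoice is ready.</p>"
    '<a href="search-ms:query=invoice&amp;crumb=location:\\\\203.0.113.10\\share'
    '&amp;displayname=Invoices">Open</a>'
)
SAMPLE_LNK_STUB = LNK_MAGIC + b"\x00" * 56   # header only; enough for the check
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for finding in extract_search_ms_lures(SAMPLE_EMAIL):
        print("search-ms lure ->", finding["location"], "shown as", finding["displayname"])
    print("Invoice.pdf is", triage_attachment("Invoice.pdf", SAMPLE_LNK_STUB))
    print("Report.pdf is", triage_attachment("Report.pdf", SAMPLE_PDF))
```

The content check matters more than the name check: Explorer hides known extensions by default, so `Invoice.pdf.lnk` is displayed as `Invoice.pdf`, and a mail gateway that trusts the filename or the declared MIME type will pass the shortcut straight through.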