
Malicious Actors Deploying XWorm Malware with Freeze[.]rs and SYK Crypter

Fortinet FortiGuard Labs detected a novel attack method on July 13, 2023, in which a legitimate Rust-based injector, Freeze[.]rs, was used to deliver a commodity malware family known as XWorm. The attack begins with a phishing email carrying a booby-trapped PDF file. The same attack structure is also used to deliver Remcos RAT via a crypter called SYK Crypter, first analysed by Morphisec in May 2022.

Cara Lin, a security researcher, commented, "This file redirects to an HTML file and uses the 'search-ms' protocol to gain access to an LNK file on a remote server." Once the LNK file is clicked, a PowerShell script launches Freeze[.]rs and SYK Crypter to carry out the later stages of the attack.

Freeze[.]rs is an open-source red teaming tool from Optiv, released on May 4, 2023, built to create payloads that bypass security controls and execute shellcode covertly. Its design removes userland EDR hooks and runs shellcode in a way that avoids other endpoint monitoring controls.

SYK Crypter, for its part, is a tool used to distribute numerous malware families, including AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (aka Ave Maria). The crypter was distributed via the Discord content delivery network through a .NET loader attached to emails disguised as innocuous purchase orders. As Morphisec researcher Hido Cohen explains, "This attack chain levies a crypter that is persistent, demonstrates multiple layers of obfuscation, and employs polymorphism to retain its ability to escape detection by security measures."

Notably, Trellix recently highlighted abuse of the "search-ms" URI protocol handler, which was found to trigger searches against an attacker-controlled server and list malicious files in Windows File Explorer so that they appear to be local search results. Fortinet's findings show the same pattern: files that appear to be PDFs but are in fact LNK files, which execute a PowerShell script that launches the Rust-based injector while displaying a decoy PDF document.
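Two of the traits described above are cheap to look for in telemetry: a search-ms URI whose crumb=location points at a remote (UNC or HTTP) path rather than a local folder, and a shortcut named to look like a PDF that spawns PowerShell. The checker below is an added example, not code from Fortinet, Trellix or the article; the log format is a simplified key=value scheme assumed for illustration, and all sample lines are constructed.

```python
"""Flag search-ms handler abuse and PDF-masquerading LNK files in log lines."""
import re
from urllib.parse import unquote

# Constructed sample lines (not from the article): one URL log and two
# process-creation records in an assumed "key=value ..." format.
SAMPLE_LINES = [
    'url=search-ms:query=invoice&crumb=location:\\\\203.0.113.10\\share&displayname=Downloads',
    'url=search-ms:query=report&crumb=location:C:\\Users\\alice\\Documents',
    'url=https://example.com/index.html',
    'proc=powershell.exe cmdline="powershell.exe -File stage.ps1" parent=explorer.exe file=Invoice.pdf.lnk',
    'proc=AcroRd32.exe cmdline="AcroRd32.exe Invoice.pdf" parent=explorer.exe file=Invoice.pdf',
]

SEARCH_MS_RE = re.compile(r'search-ms:(?P<params>[^\s"]+)', re.IGNORECASE)
# A crumb location that is a UNC path or an http(s) URL points off the host.
REMOTE_LOCATION_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)
# Explorer hides the .lnk extension, so "Invoice.pdf.lnk" renders as "Invoice.pdf".
PDF_LNK_RE = re.compile(r'\.pdf\.lnk$', re.IGNORECASE)


def search_ms_location(params: str):
    """Return the crumb=location: value from a search-ms parameter string, or None."""
    for part in params.split('&'):
        key, _, value = part.partition('=')
        if key.lower() == 'crumb':
            value = unquote(value)  # handles %3A / %5C encoded crumbs
            if value.lower().startswith('location:'):
                return value[len('location:'):]
    return None


def classify_line(line: str):
    """Return a list of findings for one log line (empty list if benign)."""
    findings = []
    m = SEARCH_MS_RE.search(line)
    if m:
        loc = search_ms_location(m.group('params'))
        if loc and REMOTE_LOCATION_RE.match(loc):
            findings.append(f'search-ms remote location: {loc}')
    fm = re.search(r'file=(\S+)', line)
    if fm and PDF_LNK_RE.search(fm.group(1)):
        findings.append(f'LNK masquerading as PDF: {fm.group(1)}')
        if 'powershell' in line.lower():
            findings.append('LNK spawning PowerShell')
    return findings


def scan(lines):
    """Map line index -> findings for every line that produced at least one."""
    results = {}
    for i, line in enumerate(lines):
        found = classify_line(line)
        if found:
            results[i] = found
    return results
```

Running `scan(SAMPLE_LINES)` flags only the remote search-ms URI and the PowerShell-spawning shortcut; the local search and the genuine PDF pass.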

In the final stages, the injected shellcode is decrypted to run the XWorm remote access trojan, which collects sensitive data (machine information, screenshots, keystrokes) and gives the operator remote access to the compromised device. In parallel, after loading the injector the PowerShell script runs a second executable that acts as a dropper, connecting to a remote server and retrieving the encrypted Remcos RAT payload protected by SYK Crypter.

Lin summarized, "The pairing of XWorm and Remcos produces a high-powered Trojan with a multitude of harmful functionalities." Based on traffic observed at the C2 server, the main targets of this campaign are Europe and North America.

The speed with which cybercriminals adopt offensive tooling, shown here by the use of a program only three months old, reflects a fast-evolving threat landscape. To stay ahead of these threats and protect sensitive data, businesses must continually update their cybersecurity strategies and practices.

At Darksteel Technologies, we are an Orlando-based business that can handle all aspects of your IT security. We provide compliance, training, malware protection, cloud security, DevSecOps, vulnerability management, penetration testing, architecture design and any other information security service your business needs. We focus on your cybersecurity so you don't have to.
