Emergence of XWorm Malware Utilizing Rust-Based Injector
Recent analyses document XWorm, a commodity malware, being delivered with the help of Freeze[.]rs, a legitimate open-source Rust-based red-teaming tool. Fortinet FortiGuard Labs flagged the campaign on July 13, 2023, describing an attack chain that repurposes recently released offensive tooling to reach victim systems.
The initial vector is a phishing email carrying a deceptively crafted PDF file that redirects the user to a remotely hosted HTML file. That HTML document abuses the ‘search-ms’ URI protocol handler to surface a Link (LNK) file hosted on a remote server as if it were a local search result. Security researcher Cara Lin indicates that once the LNK file is triggered, a PowerShell script launches both Freeze[.]rs and SYK Crypter. This sequence not only enables further offensive maneuvers but also facilitates the installation of additional malware, including the Remcos Remote Access Trojan.
Freeze[.]rs, released only months earlier on May 4, 2023, is an open-source red-teaming payload builder designed to circumvent security controls and execute shellcode stealthily; it has quickly found favor among cybercriminals because it removes userland endpoint detection and response (EDR) hooks before the shellcode runs. SYK Crypter, for its part, has become a prominent loader for a range of malware families, including AsyncRAT and RedLine Stealer, typically delivered through innocuous-looking purchase order emails.
This attack chain stands out for its multiple layers of obfuscation, designed to evade detection by security products. Morphisec researcher Hido Cohen has emphasized that the SYK Crypter's polymorphic capabilities not only complicate analysis but help it maintain a persistent presence within compromised environments.
The abuse of the ‘search-ms’ protocol is a particularly notable feature of this attack: it lets a malicious LNK file hosted on an attacker-controlled share masquerade as a legitimate search result in Windows File Explorer, so the victim never sees a download prompt. No vulnerability is exploited; the technique is part of a broader trend, highlighted in recent Trellix reporting, of cybercriminals abusing legitimate Windows features rather than software flaws.
Once injected, the shellcode is decrypted and XWorm executes. XWorm can harvest sensitive data from the infected machine, including keystrokes, screenshots, and system information. The speed with which a tool released in May was weaponized by July underscores the agility of threat actors in adopting contemporary offensive tooling for malicious ends.
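Because a search-ms URI carries its target in a crumb=location:… parameter, defenders can parse the URI out of process-creation or proxy telemetry and flag any instance whose location is a UNC or WebDAV path rather than a local folder. The following detector is an added example written for this page; it is not code from Fortinet, Trellix, or the campaign itself. The log lines it scans are constructed, and the hosts, paths, and field names in them are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Pulls search-ms: URIs out of arbitrary text (command lines, proxy logs, HTML).
# The URI ends at whitespace or at a quote/angle-bracket delimiter.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)

# A crumb location is remote when it is a UNC path. Explorer treats
# \\host@80\path and \\host@SSL@443\path as WebDAV, so the optional
# @port / @SSL@port suffix is captured as well.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:ssl@)?(\d+))?", re.IGNORECASE)

# Folder names a lure commonly uses as displayname so the remote listing looks local.
LOCAL_LOOKING_NAMES = {"downloads", "desktop", "documents", "my documents"}


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters.

    Returns a dict with 'query', 'displayname' and a list of 'locations'
    (the value of every crumb=location:... parameter, percent-decoded).
    """
    body = uri[len("search-ms:"):]
    parsed = {"query": None, "displayname": None, "locations": []}
    for part in body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        value = unquote(value)
        if key == "crumb":
            # Only location: crumbs matter here; other crumb kinds are ignored.
            if value.lower().startswith("location:"):
                parsed["locations"].append(value[len("location:"):])
        elif key in ("query", "displayname"):
            parsed[key] = value
    return parsed


def classify_search_ms(uri):
    """Return a finding dict describing why a search-ms URI is or is not suspicious."""
    parsed = parse_search_ms(uri)
    remote_hosts = []
    reasons = []
    for loc in parsed["locations"]:
        # Normalise forward slashes so //host/share is treated like \\host\share.
        m = UNC_RE.match(loc.replace("/", "\\"))
        if m:
            host, port = m.group(1), m.group(2)
            remote_hosts.append((host, port))
            reasons.append(f"crumb points at remote share \\\\{host}"
                           + (f" over WebDAV port {port}" if port else ""))
    if remote_hosts and (parsed["displayname"] or "").lower() in LOCAL_LOOKING_NAMES:
        reasons.append(f"displayname '{parsed['displayname']}' makes the remote "
                       "listing look like a local folder")
    return {
        "uri": uri,
        "query": parsed["query"],
        "displayname": parsed["displayname"],
        "remote_hosts": remote_hosts,
        "suspicious": bool(remote_hosts),
        "reasons": reasons,
    }


def scan_lines(lines):
    """Extract every search-ms URI from the given log lines and classify it."""
    findings = []
    for line in lines:
        for m in SEARCH_MS_RE.finditer(line):
            findings.append(classify_search_ms(m.group(0)))
    return findings


# Constructed sample lines (not real telemetry): a Sysmon-style process-creation
# record for a WebDAV lure, a benign local search, and a proxy log line carrying
# a percent-encoded search-ms URI. Hosts and paths are illustrative assumptions.
SAMPLE_LINES = [
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe" "search-ms:query=Invoice&crumb=location:\\203.0.113.10@80\DavWWWRoot\files&displayname=Downloads"',
    r'EventID=1 Image=C:\Windows\explorer.exe CommandLine="C:\Windows\explorer.exe" "search-ms:query=report&crumb=location:C:\Users\alice\Documents&displayname=Documents"',
    "GET http://lure.example/index.html 200 body-ref=search-ms:query=pdf&crumb=location%3A%5C%5Cfiles.example.net%5Cshare&displayname=Desktop",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['uri']}")
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against the constructed lines, the first and third URIs are flagged (remote share, with the first also noting the WebDAV port and the local-looking "Downloads" display name) while the second, which searches a local profile folder, passes. The same parser can be fed Sysmon Event ID 1 command lines, browser history, or the HTML of a suspected lure; as a complementary hardening step, Trellix's reporting on this technique recommends removing the search-ms protocol handler registry key on endpoints that do not need it.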
Targets of this wave of cyberattacks appear to be centered in Europe and North America. Reports indicate that similar tactics have been observed in other XWorm campaigns, which were disseminated through social engineering emails that used a variety of file attachments to lure potential victims, particularly within the service, transportation, and healthcare sectors across several regions, including the U.S. and South Korea.
The MITRE ATT&CK techniques evident in this attack include initial access via phishing (T1566), persistence via Create or Modify System Process (T1543), and Obfuscated Files or Information (T1027) to maintain stealth. Note that no software vulnerability is exploited anywhere in the chain; each stage relies on social engineering and abuse of legitimate functionality, which is precisely why it can slip past defenses tuned to exploit signatures.
The adoption of Freeze[.]rs within weeks of its release illustrates both the persistence of existing commodity threats and the speed with which new tradecraft reaches criminal campaigns. Defenders should expect published red-team tooling to appear in the wild quickly, and should extend detection coverage to abused Windows features such as the search-ms handler rather than relying solely on signatures for the final payload.