XWorm and Remcos RAT: Analyzing the Implications of Their Evasion Tactics on Critical Infrastructure Security

Phishing Campaign Uses Rust-based Injector to Deliver Malware

Overview

A phishing campaign that uses the Rust-based injector Freeze[.]rs has been discovered targeting victims across Europe and North America. The campaign, first detected by FortiGuard Labs in July, employs techniques designed to bypass endpoint detection and response (EDR) controls. The attackers deliver a malicious PDF file that redirects to an HTML file, which in turn executes the Freeze[.]rs injector and further malware. The attack chain culminates in the deployment of the XWorm malware, which can carry out a range of malicious activities, including deploying ransomware and acting as a persistent backdoor. The investigation also revealed the involvement of the SYK Crypter, a tool frequently used to distribute malware families via the Discord chat platform.

Technical Analysis of the Attack Chain

FortiGuard Labs conducted a detailed analysis of the attack chain and found that the injector's encoding algorithms and API names trace it back to the red-team tool “Freeze.rs,” which was created specifically for crafting payloads that evade EDR security measures. The attack chain begins with a booby-trapped PDF file that uses the “search-ms” protocol to deliver the payload; this protocol leverages Windows Explorer to redirect users to a remote server. By disguising a deceptive LNK file with a PDF icon, the attackers lead victims to believe the file is legitimate and originated on their own system.
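One defensive check that follows from the description above is to triage incoming PDFs for link actions whose target uses the search-ms: protocol handler. The script below is an added example written for this write-up, not FortiGuard Labs' code and not a reproduction of the campaign's documents; it scans a PDF's raw bytes and any FlateDecode-compressed streams it can inflate, and reports every search-ms: URI for analyst review. The sample PDFs are constructed inline as minimal fragments (they are not renderable documents), and the placeholder query string in them is invented; the regexes are simplified heuristics that handle only literal-string URIs and stream dictionaries with an explicit /Length.

```python
"""Heuristic triage for PDF files carrying search-ms: URI actions.

Added example for this write-up; it is not FortiGuard Labs' code and does not
reproduce the campaign's documents. It scans a PDF's raw bytes, plus any
FlateDecode-compressed streams it can inflate, for /URI actions whose target
uses the search-ms: protocol handler, and reports them for analyst review.
The sample PDFs are constructed inline (minimal fragments, not renderable).
"""
import re
import zlib

# A /URI action with a literal string operand. PDF strings may also be
# hex-encoded (<...>) or carry escape sequences; this regex deliberately
# handles only the plain form as a first-pass heuristic.
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")

# Stream dictionaries with an explicit /Length (indirect lengths are not
# resolved here). Assumption: simple dictionaries without nested << >>.
STREAM_DICT = re.compile(rb"<<([^>]*?/Length\s+(\d+)[^>]*)>>\s*stream\r?\n")

SUSPICIOUS_SCHEME = "search-ms:"


def _inflate_streams(data: bytes) -> list[bytes]:
    """Return the decompressed bodies of every FlateDecode stream we can read."""
    bodies = []
    for m in STREAM_DICT.finditer(data):
        dict_part, length = m.group(1), int(m.group(2))
        if b"/FlateDecode" not in dict_part:
            continue
        raw = data[m.end(): m.end() + length]
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            # Truncated or deliberately corrupted stream: nothing to inspect.
            continue
    return bodies


def find_search_ms_uris(pdf: bytes) -> list[str]:
    """Return every search-ms: URI found in the raw PDF or its inflated streams."""
    hits = []
    for blob in [pdf, *_inflate_streams(pdf)]:
        for raw_uri in URI_ACTION.findall(blob):
            uri = raw_uri.decode("latin-1", "replace").strip()
            if uri.lower().startswith(SUSPICIOUS_SCHEME):
                hits.append(uri)
    return hits


def build_sample_pdf(uri: bytes, compress: bool = False) -> bytes:
    """Construct a minimal PDF fragment containing one link annotation."""
    annot = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (" + uri + b") >> >>"
    if not compress:
        return b"%PDF-1.7\n1 0 obj\n" + annot + b"\nendobj\n%%EOF\n"
    body = zlib.compress(annot)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Constructed samples: a placeholder search-ms: link (plain and compressed)
    # and a benign https: link that must not be flagged.
    suspicious = b"search-ms:query=invoice&displayname=PLACEHOLDER"
    for label, doc in [
        ("plain", build_sample_pdf(suspicious)),
        ("flate", build_sample_pdf(suspicious, compress=True)),
        ("benign", build_sample_pdf(b"https://example.invalid/report.pdf")),
    ]:
        print(label, find_search_ms_uris(doc))
```

Because the scheme check is case-insensitive and runs over inflated streams as well as the raw file, a link hidden inside a compressed object is caught just like a plain one; a production gate would add hex-string and escape handling, object-stream (/ObjStm) parsing, and a check on LNK attachments with a document icon, which this heuristic does not attempt.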

The Freeze[.]rs injector uses NT syscalls to inject shellcode, bypassing the higher-level Win32 API calls in kernelbase.dll that an EDR may hook. The attackers take advantage of the slight delay before an EDR system starts hooking and altering the code of system DLLs inside a new process. By creating the process in a suspended state, they ensure that only a minimal set of DLLs is loaded and that no EDR-specific DLLs are present yet, which suggests that the syscall stubs within ntdll.dll remain unaltered at that point.

The SYK Crypter, on the other hand, copies itself to the Startup folder for persistence, encrypts its configuration at build time and decrypts it on execution, and stores the compressed payload as an encrypted resource for obfuscation. The attackers employ a multi-layered strategy of encoding, string obfuscation, and payload encryption to make static analysis more difficult.

The Rising Phishing Threat

Phishing attacks continue to be a pervasive threat, with companies experiencing an increasing number of targeted attacks. In the past 12 months, 97% of companies have encountered at least one email phishing attack, and three-quarters expect significant costs from email-based attacks. Phishing attacks are becoming smarter and more targeted, adapting to new technology and user behavior. They now include mobile exploits, brand impersonation, and AI-generated content.

Defending Against Phishing Attacks

To mitigate the risks posed by phishing attacks, it is crucial for organizations to maintain up-to-date software, provide regular training to employees, and utilize advanced security tools. Keeping software up to date is essential because attackers often exploit known vulnerabilities in outdated software. Regular training helps employees recognize and report phishing emails, reducing the risk of falling victim to such attacks. Additionally, the use of advanced security tools, such as email filters and anti-phishing solutions, can help identify and block malicious emails.

The Effectiveness of Phishing Simulation Training

Research indicates that phishing simulation training is particularly effective for critical infrastructure organizations. These organizations have a higher success rate in training employees to correctly identify and report malicious emails. In fact, 66% of employees in critical infrastructure organizations correctly reported at least one real malicious email attack within a year of receiving training. This highlights the importance of investing in specific training programs tailored to the unique risks faced by different sectors.

In conclusion, the discovery of the Rust-based injector Freeze[.]rs being weaponized in a phishing campaign highlights the evolving sophistication of cyber attacks. Organizations must remain vigilant and adopt comprehensive security measures to defend against such threats. Regular software updates, employee training, and the use of advanced security tools are crucial in countering the mounting risk of phishing attacks.
