Cybersecurity researchers have recently warned of a new attack in which malicious actors are weaponizing a legitimate Rust-based injector called Freeze[.]rs to deploy the commodity malware XWorm in victim environments.
The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. Once the PDF file is opened, it redirects to an HTML file that utilizes the search-ms protocol to access an LNK file on a remote server. Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions.
What is Freeze[.]rs?
Freeze[.]rs is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner. It is a legitimate tool, but cybercriminals can also use it for malicious purposes.
What is XWorm?
XWorm is a commodity malware that is often used in botnets. It is a relatively simple malware that can be easily spread through phishing emails and drive-by downloads. Once XWorm is installed on a victim’s computer, it can steal sensitive data, such as passwords and credit card numbers, and send it back to the attacker.
How does the attack work?
The attack begins with a phishing email that contains a booby-trapped PDF file. The PDF file is designed to look like a legitimate document, but it actually contains malicious code. When the PDF file is opened, it redirects to an HTML file that utilizes the search-ms protocol to access an LNK file on a remote server. The LNK file contains a PowerShell script that executes Freeze[.]rs and SYK Crypter.
Freeze[.]rs is used to inject the XWorm malware into a legitimate process on the victim’s computer. SYK Crypter is used to encrypt the XWorm malware so that it cannot be easily detected by antivirus software.
Once the XWorm malware is injected into a legitimate process, it can begin to steal sensitive data from the victim’s computer. The XWorm malware can also be used to control the victim’s computer remotely, which can allow the attacker to launch other attacks or steal additional data.
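The search-ms step is a practical place to detect this chain. The following Python code is an added example, not code from Fortinet or from the original post: it scans HTML for search-ms URIs and reports those whose search location is a remote server. The crumb=location: parameter is part of the search-ms URI format; the function names, sample page and host names are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote, urlparse

# A search-ms: URI runs until a quote, angle bracket or whitespace.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# crumb=location:<path> names the folder Windows Explorer is asked to search.
LOCATION_RE = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)


def decode_uri(uri):
    """Undo HTML entity encoding and up to three layers of percent-encoding."""
    decoded = html.unescape(uri)
    for _ in range(3):
        decoded = unquote(decoded)
    return decoded


def remote_host(location):
    """Return the server in a UNC (\\\\server[@port]\\share) or http(s) path, else None."""
    loc = location.strip().replace("/", "\\")
    if loc.startswith("\\\\"):
        return loc.lstrip("\\").split("\\", 1)[0].split("@", 1)[0].lower() or None
    if location.lower().startswith(("http://", "https://")):
        return urlparse(location).hostname
    return None


def find_remote_search_ms(document):
    """Return (decoded_uri, host) for each search-ms URI with a remote location."""
    findings = []
    for match in SEARCH_MS_RE.finditer(document):
        decoded = decode_uri(match.group(0))
        loc = LOCATION_RE.search(decoded)
        host = remote_host(loc.group(1)) if loc else None
        if host:
            findings.append((decoded, host))
    return findings


# Constructed sample page: the first link is remote, the second is local.
SAMPLE_HTML = """
<a href="search-ms:query=invoice&amp;crumb=location:%5C%5Cfiles.example.test%5Cshare">open</a>
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic">local</a>
"""

if __name__ == "__main__":
    for uri, host in find_remote_search_ms(SAMPLE_HTML):
        print(f"remote search-ms location on {host}: {uri}")
```

The same check can be run over HTML attachments and pages reached from PDF links at a mail gateway or proxy; a search-ms URI that points at a local folder is not reported.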
How can you protect yourself from this attack?
There are a number of things you can do to protect yourself from this attack, including:
- Be careful about opening emails from unknown senders. If you do open an email from an unknown sender, be careful about clicking on any links or attachments.
- Keep your software up to date. Software updates often include security patches that can help to protect your computer from known vulnerabilities.
- Use a strong password manager. A password manager can help you to create and store strong passwords for all of your online accounts.
- Be aware of the latest cyber threats. Stay up-to-date on the latest cyber threats so that you can take steps to protect yourself.
- Provide security awareness training to employees: Gladius & Schild can train employees on how to identify and avoid phishing emails and other social engineering attacks.
- Implement a layered security approach: Gladius & Schild can help businesses implement a layered security approach that includes firewalls, intrusion detection systems, and antivirus software.
- Maintain 24/7 monitoring and response: Gladius & Schild can monitor businesses’ networks for suspicious activity and respond to incidents quickly and effectively.
- Conduct regular security assessments: Gladius & Schild can conduct regular security assessments to identify and address vulnerabilities in businesses’ systems.
The new attack alert involving Freeze[.]rs Injector and XWorm malware is a reminder that cybercriminals are constantly evolving their techniques. It is important to be aware of the latest cyber threats and to take steps to protect yourself from attack.
If you need help with cyber security, contact Gladius & Schild today. We can help you to assess your current security posture and implement the necessary measures to protect your business from cyber attacks.