By Cara Lin | August 09, 2023
Affected platforms: Windows
Impacted parties: Any organization
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical
FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—that injects shellcode to introduce XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted the language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector activity during May 2023. The injector’s shellcode can be Base64-encoded and further protected with AES, RC4, or LZMA to evade antivirus detection.
By examining the encoding algorithms and API names, we traced this new injector to the red team tool “Freeze.rs,” which is designed to create payloads that bypass EDR security controls. During our analysis of the attack we also found that SYK Crypter—a tool commonly used to deliver malware families via the Discord chat platform—was involved in loading Remcos, a sophisticated remote access Trojan (RAT) that can be used to control and monitor devices running Windows. SYK Crypter emerged in 2022 and has been used by various malware families, including AsyncRAT, njRAT, QuasarRAT, WarzoneRAT, and NanoCore RAT.
On July 13, FortiGuard Labs observed phishing email activity that initiated an attack chain using a malicious PDF file. The PDF redirects to an HTML file, which uses the “search-ms” protocol to reach an LNK file on a remote server. When the LNK file is clicked, a PowerShell script executes Freeze.rs and SYK Crypter for further offensive actions. Eventually, XWorm and Remcos are loaded and communication with the C2 server is established.
In this article, we will delve into the initial attack method employed to deliver the Rust-lang injector, SYK Crypter, and further explore the subsequent stages of the attack.
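As an added example (not code from the original article or from FortiGuard Labs), a small Python triage helper that pulls `search-ms:` URIs out of an HTML file and flags those whose `crumb=location:` parameter points at a remote share, which is the redirect step the chain above relies on. The HTML fragment and the host name in it are constructed for the example.

```python
import re
from typing import List, Optional, Dict
from urllib.parse import unquote

# Constructed HTML fragment standing in for the HTML stage described above
# (not taken from the campaign). The first link points at a remote WebDAV share,
# the second at a local folder.
SAMPLE_HTML = """<html><body>
<script>window.location.href="search-ms:query=invoice&crumb=location:%5C%5Cremote.example%40ssl%5Cshare&displayname=Downloads";</script>
<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic">local</a>
</body></html>"""

# A search-ms URI runs until a quote, whitespace or angle bracket ends the attribute/string.
SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)
# The crumb parameter carries the folder Windows Search will open.
CRUMB_RE = re.compile(r'crumb=location:([^&]+)', re.IGNORECASE)


def extract_search_ms_uris(html: str) -> List[str]:
    """Return every search-ms: URI in the HTML, percent-decoded."""
    return [unquote(m.group(0)) for m in SEARCH_MS_RE.finditer(html)]


def crumb_location(uri: str) -> Optional[str]:
    """Return the location: value of the crumb parameter, if present."""
    m = CRUMB_RE.search(uri)
    return m.group(1) if m else None


def is_remote_location(location: str) -> bool:
    """True for UNC paths (\\\\host\\share, including host@ssl WebDAV) or http(s) URLs."""
    loc = location.strip().lower()
    return (loc.startswith("\\\\") or loc.startswith("//")
            or loc.startswith("http://") or loc.startswith("https://"))


def find_remote_search_ms(html: str) -> List[Dict[str, str]]:
    """Flag search-ms URIs whose crumb location is not on the local machine."""
    findings = []
    for uri in extract_search_ms_uris(html):
        loc = crumb_location(uri)
        if loc and is_remote_location(loc):
            findings.append({"uri": uri, "location": loc})
    return findings


if __name__ == "__main__":
    for hit in find_remote_search_ms(SAMPLE_HTML):
        print("remote search-ms location:", hit["location"])
```

Run against a suspicious HTML attachment the function returns only the entries that would make Explorer open a remote share, which is the signal worth alerting on.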