Cybercriminals have been observed using a new attack chain to deploy the XWorm malware, abusing the legitimate Rust-based tool Freeze.rs. The campaign was discovered by researchers at FortiGuard Labs on July 13, 2023.
According to the researchers, the attack begins with a phishing email carrying a malicious PDF file. When opened, the PDF redirects the victim to an HTML file that uses the Windows search-ms protocol to fetch an LNK file hosted on a remote server. This LNK file is essentially an ordinary Windows shortcut with a preset launch parameter. The PowerShell script embedded in the malicious shortcut then runs and launches the Freeze.rs and SYK Crypter injectors for the next stage of malicious activity.
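As an added defensive example (not code from the FortiGuard report), the following Python scanner looks for the search-ms redirection step described above: it extracts search-ms: URIs from an HTML file and flags any whose crumb=location parameter points at a remote UNC share or WebDAV URL, which is the pattern used to pull an LNK from an attacker-controlled server. The sample HTML is constructed for the example; 192.0.2.10 is a documentation address, not a real indicator.

```python
import html
import re
from urllib.parse import parse_qsl

# Matches a search-ms: URI wherever it is embedded (href, meta refresh, script).
# The match stops at quotes, whitespace or angle brackets.
SEARCH_MS_RE = re.compile(r'search-ms:([^"\'\s<>]+)', re.IGNORECASE)

# Constructed sample: one remote search-ms redirect (suspicious) and one
# that targets a local folder (benign-looking), plus an ordinary link.
SAMPLE_HTML = r"""<html><body>
<a href="https://example.com/docs">Docs</a>
<meta http-equiv="refresh"
      content="0;url=search-ms:query=*.lnk&amp;crumb=location:\\192.0.2.10\share&amp;displayname=Downloads">
<script>window.location = "search-ms:query=report&crumb=location:C:\Users\Public";</script>
</body></html>"""


def extract_search_ms(html_text):
    """Return one finding per search-ms: URI found in the HTML.

    A finding is rated 'high' when the search scope (crumb=location:) is a
    remote UNC path (\\host\share) or an http(s) WebDAV URL, because Explorer
    will then render, and let the user launch, files from that remote server.
    """
    text = html.unescape(html_text)  # turn &amp; back into & before parsing
    findings = []
    for match in SEARCH_MS_RE.finditer(text):
        body = match.group(1)
        params = dict(parse_qsl(body, keep_blank_values=True))
        crumb = params.get("crumb", "")
        location = crumb[len("location:"):] if crumb.lower().startswith("location:") else ""
        remote = location.startswith("\\\\") or location.lower().startswith(("http://", "https://"))
        findings.append({
            "uri": "search-ms:" + body,
            "location": location,
            "remote": remote,
            # search-ms abuse typically filters the view down to shortcut files
            "lnk_query": ".lnk" in params.get("query", "").lower(),
            "severity": "high" if remote else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in extract_search_ms(SAMPLE_HTML):
        print(f"[{finding['severity']}] {finding['uri']} -> location={finding['location']!r}")
```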
Freeze.rs, released in May 2023, is a legitimate, publicly available offensive-security tool designed to bypass endpoint protection mechanisms and execute shellcode without drawing attention. It can be downloaded from its official repository on GitHub.
SYK Crypter, on the other hand, is used to distribute various families of malware, including AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (also known as Ave Maria). SYK Crypter is built on the .NET platform and relies on several of its key components: .NET runtime execution, .NET classes, and the framework's language compilers.
The .NET framework is widely used to develop a diverse range of applications, including desktop, web, and mobile applications, as well as games and web services.