A Rust-based injector named Freeze[.]rs, originally created by Optiv as an open-source red teaming tool, is now being used by threat actors to deliver the commodity malware XWorm, The Hacker News reports.
Fortinet FortiGuard Labs says the novel attack chain that abuses this injector begins with a phishing email carrying a booby-trapped PDF file. Freeze[.]rs is designed not only to remove userland endpoint detection and response (EDR) hooks, but also to execute shellcode in a way that can undermine other endpoint monitoring controls.
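The "userland hook removal" mentioned above is the generic technique of overwriting an EDR's inline patch on an NTAPI stub with the clean bytes from the on-disk copy of ntdll.dll. The following is an added, constructed model of that mechanism and of the two checks a defender can run against it (it is not Freeze[.]rs code, and the stub bytes, syscall number and jump offsets are made up for illustration): a stub that no longer starts with the syscall prologue has been hooked, and a stub whose first bytes no longer match the hook the EDR itself installed has been unhooked.

```python
# Constructed model of an x64 ntdll syscall stub, an EDR inline hook on it,
# the unhooking step an injector performs, and the detection checks.
# Bytes, syscall number and jump displacements are illustrative only.

# Clean stub (constructed): mov r10,rcx ; mov eax,0x18 ; syscall ; ret
CLEAN_STUB = bytes.fromhex("4c8bd1b8180000000f05c3")
SYSCALL_PROLOGUE = b"\x4c\x8b\xd1\xb8"   # mov r10,rcx ; mov eax, imm32
JMP_REL32 = 0xE9                         # x86 near jump opcode
HOOK_LEN = 5                             # E9 + rel32


def install_hook(stub: bytes, rel32: int) -> bytes:
    """Model an EDR inline hook: the first 5 bytes become 'jmp rel32' into the EDR DLL."""
    patch = bytes([JMP_REL32]) + rel32.to_bytes(4, "little", signed=True)
    return patch + stub[HOOK_LEN:]


def is_hooked(stub: bytes) -> bool:
    """Scanner heuristic: a stub that does not open with the syscall prologue has been patched."""
    return not stub.startswith(SYSCALL_PROLOGUE)


def unhook(hooked: bytes, clean: bytes) -> bytes:
    """What an unhooking injector does: copy the clean prologue over the EDR's jump."""
    return clean[:HOOK_LEN] + hooked[HOOK_LEN:]


def unhook_detected(expected_hooked: bytes, current: bytes) -> bool:
    """Defender-side integrity check: the EDR knows its own hook bytes; if the
    in-memory prologue differs from them, something restored the stub."""
    return expected_hooked[:HOOK_LEN] != current[:HOOK_LEN]


def scan_exports(expected: dict, current: dict) -> dict:
    """Classify each export as 'hooked', 'unhooked' or 'clean' from its in-memory bytes.
    expected maps export name -> bytes the EDR wrote; current -> bytes read from memory."""
    report = {}
    for name, mem in current.items():
        if name in expected and unhook_detected(expected[name], mem):
            report[name] = "unhooked"
        elif is_hooked(mem):
            report[name] = "hooked"
        else:
            report[name] = "clean"
    return report


def demo() -> dict:
    """Constructed scenario: two exports hooked by the EDR, one of them restored by an injector."""
    edr_hooks = {
        "NtAllocateVirtualMemory": install_hook(CLEAN_STUB, 0x1000),
        "NtWriteVirtualMemory": install_hook(CLEAN_STUB, 0x2000),
    }
    in_memory = dict(edr_hooks)
    # The injector restores one stub from the on-disk copy of ntdll.
    in_memory["NtWriteVirtualMemory"] = unhook(in_memory["NtWriteVirtualMemory"], CLEAN_STUB)
    return scan_exports(edr_hooks, in_memory)


if __name__ == "__main__":
    print(demo())  # {'NtAllocateVirtualMemory': 'hooked', 'NtWriteVirtualMemory': 'unhooked'}
```

On a real Windows host the same comparison is done by reading the loaded ntdll.dll .text section and diffing it against a freshly mapped copy of the file from disk; the byte-level logic is what is shown here, the memory access is not.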
This attack chain can also spread the Remcos RAT by using a crypter called SYK Crypter, which is known to be "persistent, features multiple layers of obfuscation, and uses polymorphism to maintain its ability to avoid detection by security solutions," said Morphisec researcher Hido Cohen.
SYK Crypter is a tool that has been used to deliver a wide range of malware families, including RedLine Stealer, NanoCore RAT, AsyncRAT, QuasarRAT, njRAT and Warzone RAT.