Rust-Based Injector Deploys XWorm and Remcos RAT in Multi-Stage Attack

• Rust Injector Emergence: A novel Rust-based injector has emerged, facilitating the deployment of the XWorm malware and Remcos RAT.
• Multi-Stage Attack: The attack follows a sophisticated multi-stage process involving phishing emails, redirection to malicious files, and the execution of PowerShell scripts.
• Innovative Tool Adoption: Cybercriminals leverage the Red Team tool “Freeze.rs” and SYK Crypter to bypass security controls and deliver malicious payloads.
• Global Impact: The C2 server traffic analysis reveals that the attack primarily targets Europe and North America, showcasing its global reach.
• Threat Evolution: The findings underscore the evolving nature of cyber threats, highlighting the need for enhanced vigilance against advanced attack techniques.

In a recent cybersecurity revelation, FortiGuard Labs has detected a surge in cyberattacks utilizing a new injector written in Rust, one of the fastest-growing programming languages.

Rust, while uncommon in malware development, has been increasingly adopted by malicious actors since 2019. This discovery sheds light on the evolving tactics of cybercriminals and their ability to innovate with new tools and techniques.

Rust Injector Emergence

The newly discovered Rust injector has been identified as a platform to introduce the XWorm malware into victims’ systems. FortiGuard Labs’ analysis reveals an unprecedented spike in injector activity during May 2023, suggesting a significant shift in cybercriminal strategy. This Rust-based injector is designed to inject shellcode and deploy XWorm, a remote access Trojan (RAT) known for its comprehensive control and monitoring capabilities.

Sophisticated Attack Chain

The attack begins with a phishing email campaign that purports to be an urgent order supplement request sent to various companies. This clever social engineering technique is accompanied by a malicious PDF file that redirects victims to an HTML file, leveraging the “search-ms” protocol to access an LNK file on a remote server.

Once the LNK file is executed, a PowerShell script initiates the deployment of the Rust injector “Freeze.rs” and the SYK Crypter, a tool used to deliver various malware families. The ultimate goal is to load the XWorm RAT and establish communication with a command and control (C2) server.

Freeze.rs and SYK Crypter Nexus

FortiGuard Labs’ detailed analysis traced the origin of the new injector to the Red Team tool “Freeze.rs.” This tool is designed to create payloads capable of bypassing Endpoint Detection and Response (EDR) security controls, highlighting the increasingly sophisticated methods employed by cybercriminals.

Furthermore, the involvement of SYK Crypter, a tool commonly used to deliver malware families via the Discord chat platform, further exemplifies the collaborative and evolving nature of cybercriminal operations.

Multi-Stage Infection Process

The attack’s multi-stage infection process involves a series of intricate manoeuvres to evade detection and establish control. The malicious code employs various encryption algorithms, such as AES, RC4, or LZMA, to obfuscate its intent and evade antivirus detection. This flexibility in encryption methods adds a layer of complexity to the malicious payload.

XWorm and Remcos Collaboration

Once successfully injected, the XWorm RAT, a commodity tool traded on underground forums, collaborates with Remcos RAT, a sophisticated remote access Trojan. Together, they create a formidable threat with capabilities ranging from gathering device information and capturing screenshots to logging keystrokes and gaining comprehensive control over compromised systems.

Global Implications

FortiGuard Labs’ analysis of the C2 server’s traffic reveals Europe and North America as primary targets of this malicious campaign. The attackers’ utilization of sophisticated techniques, such as the “search-ms” feature and the Rust injector “Freeze.rs,” underscores the need for heightened vigilance in handling suspicious emails and files.

In conclusion, the cyber threat landscape continues to evolve, with cyber criminals adopting innovative tactics and tools to infiltrate and compromise systems. FortiGuard Labs’ recent findings shed light on the emergence of Rust-based injectors and their role in deploying sophisticated malware payloads like XWorm and Remcos.

RELATED ARTICLES

1. P2PInfect: Self-Replicating Worm Hits Redis Instances
2. Retired Software Exploited To Target Power Grids, Microsoft
3. Phishers Exploiting Google Docs to Harvest Crypto Credentials
4. Hackers Abusing MS Dynamics 365 Customer Voice to Steal Data
5. Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack