Our friends at FortiGuard Labs recently detected a new injector written in Rust—one of the fastest-growing programming languages—that injects shellcode and introduces XWorm into a victim’s environment. While Rust is relatively uncommon in malware development, several campaigns have adopted the language since 2019, including Buer loader, Hive, and RansomExx. FortiGuard Labs analysis also revealed a significant increase in injector activity during May 2023; the shellcode can be Base64-encoded and can be wrapped with AES, RC4, or LZMA to evade antivirus detection. By examining the encoding algorithms and API names, the researchers traced this new injector to the Red Team tool “Freeze.rs,” which is designed to create payloads able to bypass EDR security controls. Additionally, during analysis of the attack, analysts discovered that SYK Crypter—a tool commonly used to deliver malware families via the community chat platform Discord—was involved in loading Remcos, a sophisticated remote access Trojan (RAT) that can be used to control and monitor devices running Windows. SYK Crypter emerged in 2022 and has been used by various malware families, including AsyncRAT, njRAT, QuasarRAT, WarzoneRAT, and NanoCore RAT.[1]
Link to full report: IR-23-249-001_Rust.pdf
[1] https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter/