Cybersecurity

The Rise of Rust in Malware: A Deep Dive into Freeze.rs and SYK Crypter

By TFH,

Published on Aug 11, 2023   —   5 min read

Cybersecurity is a field that demands constant vigilance due to the continuous emergence of new threats and the development of innovative solutions to counter them. One such area of interest is the use of programming languages in malware creation. In this context, FortiGuard Labs has recently shed light on a noteworthy trend: the adoption of the Rust programming language for malware development. This article will explore their findings, particularly the introduction of tools like "Freeze.rs" and "SYK Crypter" that have been instrumental in this shift. Join us as we delve deeper into this topic and understand its implications for the cybersecurity community.

Understanding the Threat

In the vast landscape of cybersecurity, the methods employed by threat actors to distribute malware are constantly evolving. FortiGuard Labs, known for its cutting-edge research in this domain, has recently unveiled a novel malware distribution mechanism that stands out due to its unique approach.

Central to this technique is an injector developed using Rust, a programming language that has been gaining traction rapidly in various tech sectors. Rust's performance, safety, and concurrency features make it a preferred choice for many developers. However, its adoption in the realm of malware showcases the adaptability and innovation of cyber adversaries.

The primary purpose of this Rust-based injector is to seamlessly introduce the XWorm malware into unsuspecting victims' systems. XWorm, once embedded, can wreak havoc, compromise data, and provide unauthorized access to the infected system.

Digging deeper into the origins of this injector, it's linked to a Red Team tool named "Freeze.rs." For those unfamiliar, Red Teams are groups that emulate cyber adversaries to test the defenses of an organization. Tools like "Freeze.rs" are designed to assist in these simulations. Specifically, "Freeze.rs" is adept at crafting payloads that can skillfully bypass EDR (Endpoint Detection and Response) security controls. EDR solutions are designed to identify and mitigate threats on endpoint devices, so crafting a payload that can bypass such a system is no small feat.

The plot thickens further. During FortiGuard Labs' meticulous investigation, another tool came into the spotlight: the SYK Crypter. This tool was identified as the mechanism used to deploy Remcos, an exceptionally potent remote access Trojan (RAT). Remcos stands out in the world of RATs due to its capabilities. It's not just about gaining unauthorized access; Remcos can exert extensive control over and monitor Windows devices, making it a formidable threat.

In summary, the combination of Rust's growing popularity, the capabilities of "Freeze.rs," and the deployment of Remcos via SYK Crypter paints a picture of a sophisticated and multi-layered threat landscape. It underscores the importance of continuous research, awareness, and preparedness in the face of evolving cyber threats.

The Phishing Campaign:

Phishing campaigns, a long-standing tool in the arsenal of cyber adversaries, have evolved in complexity and deceit over the years. FortiGuard Labs' recent observations provide a glimpse into the sophistication of modern-day phishing strategies.

On the 13th of July, the vigilant eyes at FortiGuard Labs identified a seemingly innocuous email. However, upon closer inspection, this email was anything but ordinary. It was the starting point of a meticulously crafted phishing campaign designed to ensnare unsuspecting victims.

Central to this email was an attached PDF file. To the untrained eye, it might appear as just another document. But in reality, this PDF was a trojan horse. Once opened, it didn't display the expected content. Instead, it redirected users to an external HTML file. This redirection technique is a clever way to bypass some traditional security measures, as the malicious content isn't directly housed within the email or the PDF.

The HTML file, in turn, had another trick up its sleeve. It utilized the "search-ms" protocol, a legitimate Windows search protocol, in a malicious manner. By leveraging this protocol, the HTML file could access a remote LNK file. LNK files, commonly known as shortcuts in the Windows environment, can execute various commands or scripts when activated.

The unsuspecting user, thinking they're accessing a legitimate file or resource, might click on this LNK file. This action is the final piece of the attacker's puzzle. Upon activation, the LNK file executes a PowerShell script, a powerful scripting language native to Windows. This script serves as the bridge to the malicious tools, Freeze.rs and SYK Crypter, activating them and setting the stage for the main act.

With everything in place, the XWorm malware and the Remcos RAT are loaded onto the victim's system. These malicious tools then establish a connection with a Command and Control (C2) server, giving the attacker unauthorized access and control over the infected device.

In essence, what started as a simple email spiraled into a multi-stage attack, showcasing the lengths to which cybercriminals will go to compromise systems. It's a stark reminder of the importance of vigilance and the continuous need for cybersecurity education and awareness.

Deep Dive into Key Takeaways

  1. Rust's Growing Popularity in Malware:
  • Emergence of Rust in Cybersecurity: Rust, traditionally celebrated for its memory safety features and performance, is now making waves in a rather unexpected domain: malware development. Its versatility and robustness have caught the attention of cyber adversaries looking for new avenues to exploit.
  • Significance of "Freeze.rs": The development of tools like "Freeze.rs" in Rust is a testament to the language's growing influence in the cyber threat landscape. Such tools, designed to bypass advanced security measures, are indicative of the lengths attackers are willing to go to ensure their malware remains undetected.
  • Implications for the Future: With Rust's adoption in malware showing no signs of slowing down, cybersecurity professionals must familiarize themselves with the intricacies of the language to better anticipate and counteract threats.

2. The Role of Phishing:

  • Deceptive Simplicity: Phishing campaigns have long been a staple in the cyber attacker's toolkit. The use of a seemingly benign PDF file in the recent campaign underscores the deceptive simplicity with which attackers can initiate a breach.
  • Trust No Attachment: Even if an email attachment, like a PDF, appears to come from a known contact or looks legitimate, it's crucial to approach it with caution. Verifying the source and scanning attachments before opening can prevent potential breaches.
  • Evolving Tactics: The sophistication of this phishing attempt, from the use of a redirecting PDF to a malicious HTML file, highlights the evolving tactics of cyber adversaries. It's a reminder that phishing isn't just about deceptive emails but can involve a series of layered threats.

3. Complex Attack Chains:

  • Multi-layered Threats: Modern cyberattacks are rarely straightforward. The recent campaign, which combined the "search-ms" protocol, an LNK file, and a PowerShell script, is a prime example of the multi-layered threats organizations face today.
  • The Role of SYK Crypter: Tools like SYK Crypter, which can deploy potent threats like the Remcos RAT, play a pivotal role in these complex attack chains. Their ability to load and execute malicious payloads makes them invaluable to attackers.
  • Staying Ahead: Understanding the intricacies of these complex attack chains is vital for cybersecurity professionals. By dissecting and analyzing each step, they can develop strategies to intercept and neutralize threats before they cause harm.

Conclusion

In today's dynamic cybersecurity landscape, understanding the nuances of emerging threats is more crucial than ever. The rise of Rust in malware development, the deceptive simplicity of phishing campaigns, and the intricacies of multi-layered attack chains all underscore the sophistication and adaptability of modern cyber adversaries. As these threats evolve, so too must our strategies and defenses. By staying informed, continuously updating our knowledge, and fostering a proactive approach to cybersecurity, we can better anticipate potential risks and safeguard our digital ecosystems. The insights provided by FortiGuard Labs serve as a valuable reminder of the challenges we face and the importance of vigilance in the digital age.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.

Subscribe