SeroXen RAT

A stealthy Remote Access Trojan (RAT) named 'SeroXen' is being adopted by an increasing number of cybercriminals because of its powerful capabilities and its ability to evade detection.

According to a report from AT&T Alien Labs, the malware is marketed as a legitimate remote access tool for Windows 10 and 11, offered for a monthly subscription fee of $15 or a one-time "lifetime" license payment of $60. The legitimate-tool framing is a pretense: the product is advertised on hacking forums, where buyers understand it to be a Remote Access Trojan. Whether the individuals behind these promotions are the actual developers or unscrupulous resellers remains uncertain.

The SeroXen RAT is Gaining Traction among Cybercriminals

The affordable price point of the SeroXen remote access program has made it accessible to a wide range of threat actors. AT&T has identified numerous samples of SeroXen since its emergence in September 2022, and the activity surrounding it has recently intensified.

While the primary targets of SeroXen have been individuals within the gaming community, there is a growing concern that as the tool's popularity expands, it also may be employed to target larger entities, such as prominent companies and organizations.

The rising popularity of SeroXen among cybercriminals can be attributed to its low detection rates and its potent capabilities. Its deceptive guise as a legitimate Remote Access Tool has made it an attractive choice for threat actors. To mitigate the risks associated with this Remote Access Trojan, it is imperative for individuals and organizations to remain vigilant and implement robust security measures.

The SeroXen RAT is Developed from Various Open-Source Projects

SeroXen draws upon several open-source projects, including the Quasar RAT, the r77 rootkit, and the NirCmd command line tool. The SeroXen developer has cleverly utilized a combination of these freely available resources to create a RAT that is challenging to detect through both static and dynamic analysis.

The Quasar RAT, first released in 2014 and therefore nearly a decade old, serves as the foundation of SeroXen. It is a lightweight Remote Administration Tool whose latest version, 1.4.1, includes a reverse proxy, remote shell, remote desktop, TLS communication, and a file management system. Its source is openly available on GitHub.

To expand its capabilities, the SeroXen RAT employs the r77 (Ring 3) rootkit. This open-source rootkit offers functionality such as file-less persistence, hooking of child processes, malware embedding, in-memory process injection, and evasion of anti-malware detection. SeroXen also integrates the NirCmd utility. NirCmd is a freeware tool that facilitates simple management tasks for Windows systems and peripherals through command-line execution.

Analysis of SeroXen RAT’s Attacks

Various attack vectors have been employed to distribute SeroXen, including phishing emails and Discord channels utilized by cybercriminals. These actors distribute ZIP archives containing heavily obfuscated batch files.

When the batch file runs, it decodes base64-encoded text embedded in the script to recover two binaries, which are then loaded into memory using .NET reflection rather than written to disk. The only file that touches the disk is a modified copy of msconfig.exe, which is needed to execute the malware. It is placed briefly in the directory 'C:\Windows \System32\' (note the space after 'Windows'), a look-alike of the real C:\Windows\System32 that differs only by that trailing space, and it is deleted once the installation process completes.

The batch file serves as a vehicle to deploy the 'InstallStager.exe' payload, a variant of the r77 rootkit. To maintain stealth and persistence, the rootkit is obfuscated and stored in the Windows registry. Subsequently, it is activated using PowerShell through the Task Scheduler, injecting itself into the "winlogon.exe" process.

Through this injection, the r77 rootkit introduces the SeroXen RAT into the system's memory, ensuring its covert presence and enabling remote access to the compromised device. Once the remote access malware is launched, it establishes communication with a Command and Control server, awaiting commands from the attackers.
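The chain just described leaves three observable traces: an msconfig.exe started from a directory whose name differs from System32 only by a trailing space, a PowerShell process spawned by the Task Scheduler that pulls its payload out of the registry, and that PowerShell process opening a handle to winlogon.exe. The script below is an added triage example written for this page; it is not code from the AT&T report or from the SeroXen, Quasar or r77 projects. The Sysmon-style field names, the sample batch file, the embedded 'MZ' stub and the event records are all constructed, and the rule thresholds (a 64-character minimum for base64 runs, the 'Schedule' marker in the parent command line) are assumptions a practitioner would tune to their own telemetry.

```python
import base64
import re

# Genuine trusted directories that a space-padded look-alike imitates (lower-case).
TRUSTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# A long run of base64 characters, as found in the dropper batch file.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def is_mock_trusted_dir(image_path: str) -> bool:
    """True when the directory of image_path matches a trusted Windows directory
    only after trailing spaces are stripped from its components, e.g.
    'C:\\Windows \\System32\\msconfig.exe' (space after 'Windows')."""
    directory = image_path.rpartition("\\")[0].lower()
    if directory in TRUSTED_DIRS:
        return False  # the real directory; nothing to flag
    canonical = "\\".join(part.rstrip(" ") for part in directory.split("\\"))
    return canonical in TRUSTED_DIRS


def extract_embedded_pe(batch_text: str) -> list:
    """Decode every long base64 run in a batch file and keep the blobs that start
    with the 'MZ' DOS header, i.e. executables staged for in-memory loading."""
    found = []
    for m in B64_RUN.finditer(batch_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if blob.startswith(b"MZ"):
            found.append(blob)
    return found


def _basename(path: str) -> str:
    return path.rpartition("\\")[2].lower()


def triage_events(events: list) -> list:
    """Apply three rules derived from the infection chain to Sysmon-like records.
    Returns (event index, finding) pairs."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventType") == "ProcessCreate":
            image = ev.get("Image", "")
            name = _basename(image)
            cmd = ev.get("CommandLine", "").lower()
            parent_cmd = ev.get("ParentCommandLine", "").lower()
            # Rule 1: msconfig.exe launched from a space-padded System32 look-alike.
            if name == "msconfig.exe" and is_mock_trusted_dir(image):
                hits.append((i, "msconfig.exe started from mock trusted directory"))
            # Rule 2: Task Scheduler spawned PowerShell that reads its payload from the registry.
            if (name == "powershell.exe" and "schedule" in parent_cmd
                    and any(k in cmd for k in ("get-itemproperty", "hkcu:", "hklm:"))):
                hits.append((i, "scheduled-task PowerShell loading payload from registry"))
        elif ev.get("EventType") == "ProcessAccess":
            # Rule 3: PowerShell opening a handle to winlogon.exe (injection target).
            if (_basename(ev.get("TargetImage", "")) == "winlogon.exe"
                    and _basename(ev.get("SourceImage", "")) == "powershell.exe"):
                hits.append((i, "PowerShell opened a handle to winlogon.exe (injection)"))
    return hits


# Constructed sample input: a stand-in for the dropper batch file. The 'MZ' stub is
# not a real executable, just enough header to be recognised as one.
FAKE_PE = b"MZ" + b"\x90" * 70
SAMPLE_BATCH = (
    "@echo off\r\n"
    "set payload=" + base64.b64encode(FAKE_PE).decode() + "\r\n"
    "powershell -w hidden -c \"[Reflection.Assembly]::Load("
    "[Convert]::FromBase64String($env:payload))\"\r\n"
)

# Constructed Sysmon-style events covering the chain plus one benign msconfig.exe launch.
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd /c Invoice.bat"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows \\System32\\msconfig.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "msconfig.exe"},
    {"EventType": "ProcessCreate", "Image": POWERSHELL,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": "powershell -w hidden -c \"iex (Get-ItemProperty HKCU:\\Software\\x).y\""},
    {"EventType": "ProcessAccess", "SourceImage": POWERSHELL,
     "TargetImage": "C:\\Windows\\System32\\winlogon.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\msconfig.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msconfig.exe"},
]

if __name__ == "__main__":
    for blob in extract_embedded_pe(SAMPLE_BATCH):
        print(f"embedded PE of {len(blob)} bytes found in batch file")
    for idx, finding in triage_events(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The directory check deliberately compares the raw path first and only then a whitespace-stripped form, so the genuine System32 is never flagged while any component padded with trailing spaces is. On real telemetry the same rules map onto Sysmon event IDs 1 (process creation) and 10 (process access), and the registry rule should be broadened to whatever cmdlets or registry paths the local samples actually use.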

Analysis reveals that SeroXen employs the same TLS certificate as the Quasar RAT, and it inherits most of the capabilities from the original project. These capabilities encompass support for TCP network streams, efficient network serialization, and QuickLZ compression.

Cybersecurity researchers warn that SeroXen's growing popularity could shift its operators' focus from gamers to larger organizations. Published analyses of the threat provide indicators and detection guidance that defenders can use to identify and remove SeroXen from their networks and to strengthen their defenses against it.
