Summary:
This article discusses a recent deployment of the XenoRAT malware, which has shifted its delivery method to Excel XLL files, utilizing the Excel-DNA framework and enhanced protection through ConfuserEx. This change indicates a broader targeting strategy aimed at enterprise networks rather than individual users. The analysis highlights the need for vigilance against evolving tactics in malware deployment.
#XenoRAT #ExcelMalware #ThreatAdaptation
Keypoints:
- Unusual Delivery Tactic: XenoRAT was deployed through Excel XLL files, marking a departure from previously seen delivery vectors.
- Enhanced Protection: ConfuserEx adds a layer of protection, making the malware more challenging to detect and analyze.
- Expanded Target Potential: This method suggests an increased focus on gaining access to enterprise networks, moving beyond XenoRAT’s typical focus on individual users.
- XenoRAT is an open-source remote access tool (RAT) coded in C# and hosted on GitHub.
- The sample “Payment_Details.xll” serves as a dropper for XenoRAT and another remote access tool.
- Obfuscation techniques are employed to conceal the malware’s true functionality and evade detection.
- The identified C2 IP address is 87.120.116[.]115, communicating over TCP port 1391.
- Monitoring of less commonly used file extensions is recommended to counter evolving threats.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Obfuscated Files or Information (T1027): Employs obfuscation techniques to conceal the true functionality of the malware.
- Remote Access Tools (T1219): Utilizes remote access tools to gain control over compromised systems.
- Exploitation of Remote Services (T1210): Exploits remote services to gain unauthorized access to systems.
IoC:
- [IP Address] 87.120.116[.]115
- [File Name] Payment_Details.gz.zip
- [File Hash] SHA-256: 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e
- [File Name] Payment_Details.xll
- [File Hash] SHA-256: 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152
- [File Name] Pago.pdf
- [File Hash] SHA-256: 7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03dc
- [File Name] cfgdf.bat
- [File Hash] SHA-256: 18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8
- [File Name] cvghfy.sfx.exe
- [File Hash] SHA-256: 72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17bc
- [File Name] cvghfy.exe
- [File Hash] SHA-256: 46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1
- [File Name] Original.exe
- [File Hash] SHA-256: 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb
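The keypoints recommend monitoring less common file extensions such as .xll, and the IoC list above is the kind of block a defender would load into a matcher. The following Python is an added example, not code from the original article or from Hunt.io: it parses this page's own "- [Type] value" layout, refangs the defanged IP, validates digest lengths before loading them (as printed above, two of the SHA-256 values are 65 hex characters, so a loader that skips validation would store indicators that can never match), and classifies an observed file by hash, name and extension. The watched extension set and the `classify_file` helper are assumptions of this example, not part of the report.

```python
"""Parse a defanged IoC list like the one above, validate it, and match files against it."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the IoC entries from this page, in the page's own
# "- [Type] value" layout. Digests are copied as printed; two of them are 65 hex
# characters long, which the parser must reject rather than silently load.
SAMPLE_IOC_BLOCK = """\
- [IP Address] 87.120.116[.]115
- [File Name] Payment_Details.gz.zip
- [File Hash] SHA-256: 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e
- [File Name] Payment_Details.xll
- [File Hash] SHA-256: 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152
- [File Name] Pago.pdf
- [File Hash] SHA-256: 7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03dc
- [File Name] cfgdf.bat
- [File Hash] SHA-256: 18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8
- [File Name] cvghfy.sfx.exe
- [File Hash] SHA-256: 72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17bc
- [File Name] cvghfy.exe
- [File Hash] SHA-256: 46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1
- [File Name] Original.exe
- [File Hash] SHA-256: 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb
"""

ENTRY_RE = re.compile(r"^\s*-\s*\[(?P<kind>[^\]]+)\]\s*(?P<value>\S.*?)\s*$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA-1|SHA-256):\s*(?P<digest>[0-9A-Fa-f]+)$")
DIGEST_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}
# Assumption for this example: extensions the report's advice singles out as
# rarely legitimate in inbound mail (XLL add-ins and self-extracting archives).
WATCHED_EXTENSIONS = (".xll", ".sfx.exe")


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    file_names: set = field(default_factory=set)   # lowercased
    hashes: set = field(default_factory=set)       # lowercased, length-validated
    malformed: list = field(default_factory=list)  # rejected entries with a reason


def refang(value: str) -> str:
    """Turn the defanged 87.120.116[.]115 form back into a usable IP string."""
    return value.replace("[.]", ".")


def parse_ioc_block(text: str) -> IocSet:
    iocs = IocSet()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines and prose are ignored
        kind, value = m.group("kind").strip().lower(), m.group("value")
        if kind == "ip address":
            iocs.ips.add(refang(value))
        elif kind == "file name":
            iocs.file_names.add(value.lower())
        elif kind == "file hash":
            h = HASH_RE.match(value)
            if not h:
                iocs.malformed.append(f"unrecognised hash entry: {value}")
                continue
            algo, digest = h.group("algo"), h.group("digest").lower()
            if len(digest) != DIGEST_HEX_LEN[algo]:
                iocs.malformed.append(
                    f"{algo} digest has {len(digest)} hex chars, expected "
                    f"{DIGEST_HEX_LEN[algo]}: {digest}")
                continue
            iocs.hashes.add(digest)
        else:
            iocs.malformed.append(f"unknown IoC type [{kind}]: {value}")
    return iocs


def classify_file(name: str, sha256: str, iocs: IocSet) -> list:
    """Return the reasons a file should be escalated; an empty list means no match."""
    reasons = []
    lower = name.lower()
    if sha256.lower() in iocs.hashes:
        reasons.append("sha256 matches a known-bad indicator")
    if lower in iocs.file_names:
        reasons.append("file name matches a known-bad indicator")
    for ext in WATCHED_EXTENSIONS:
        if lower.endswith(ext):
            reasons.append(f"uncommon extension {ext} warrants review")
            break
    return reasons


if __name__ == "__main__":
    loaded = parse_ioc_block(SAMPLE_IOC_BLOCK)
    print(f"loaded {len(loaded.hashes)} hashes, {len(loaded.ips)} IPs, "
          f"{len(loaded.malformed)} malformed entries")
    for problem in loaded.malformed:
        print("  rejected:", problem)
    # Constructed observation: a renamed copy of the XLL whose digest still matches.
    print(classify_file("invoice.xll",
                        "48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152",
                        loaded))
```

Rejected entries are kept in `malformed` instead of being dropped so that an analyst can go back to the source and obtain the correct digest; a renamed file still matches on its hash, which is why the hash check runs independently of the file-name check.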
Full Research: https://hunt.io/blog/xenorat-excel-xll-confuserex-as-access-method