One Article Review

Source AlienVault Lab Blog
Identifier 8340743
Publication date 2023-05-30 22:00:00 (viewed: 2023-05-31 05:06:44)
Title SeroXen RAT for sale
Text

This blog was jointly written with Alejandro Prada and Ofer Caspi.

Executive summary

SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives undetected access to your computers, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, which makes it widely accessible.

Key takeaways:
- SeroXen is a fileless RAT that performs well at evading detection under both static and dynamic analysis.
- The malware combines several open-source projects to improve its capabilities: it is a combination of Quasar RAT, the r77 rootkit and the NirCmd command-line utility.
- Hundreds of samples have shown up since its creation, most of them in the gaming community.
- It is only a matter of time before it is used to target companies instead of individual users.

Analysis

Quasar RAT is a legitimate open-source remote administration tool. It is offered on its GitHub page for user support or employee monitoring. It has historically been associated with malicious activity performed by threat actors, APT groups (as in this Mandiant report from 2017) and government attacks (as in this report by Unit42 in 2017). It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, updates to the code have been released up to v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool still receiving updates 9 years after its creation, it is no surprise that it continues to be a common tool, used by itself or combined with other payloads by threat actors to this day.

In a review of the most recent samples, a new Quasar variant was observed in the wild by Alien Labs: SeroXen. This new RAT is a modified branch of the open-source version that adds some features to the original RAT. It is sold for a monthly or lifetime fee. Figure 1 contains some of the features advertised on its website.

Figure 1. SeroXen features announced on its website.

This new RAT first showed up on a Twitter account established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They claimed to be a reseller of the tool. In December 2022, a specific domain was registered to market and sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license for $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal. After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter and YouTube, and on several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading video games. The artifacts described by the users matched SeroXen RAT. The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th
Sent Yes
Tags Malware Tool Threat
Stories Uber APT 10
Notes ★★


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from a previous one.