Rewterz Threat Alert – New Open-Source Xeno RAT Emerges on GitHub as Severe Threat – Active IOCs

Severity

High

Analysis Summary

The emergence of the Xeno RAT on GitHub represents a significant development in the landscape of remote access trojans (RATs) given its intricate design and comprehensive feature set. Developed in C# and compatible with Windows 10 and Windows 11, Xeno RAT boasts capabilities such as a SOCKS5 reverse proxy and real-time audio recording alongside a hidden virtual network computing (hVNC) module akin to DarkVNC.

This open-source RAT crafted from scratch stands out for its unique approach and the provision of a builder tool facilitating the creation of customized malware variants. Such accessibility to sophisticated malware coupled with the developer’s track record exemplified by DiscordRAT 2.0 highlights the escalating threat posed by freely available and easily distributable RATs.

A recent report underscores the practical implications of this trend with observations of Xeno RAT distribution via the Discord content delivery network. The malware propagation involves a multi-stage process, initiated by a shortcut file masquerading as a WhatsApp screenshot. This downloader retrieves a ZIP archive from Discord CDN extracting and executing the subsequent payload, then leveraging the DLL side-loading technique for launching a malicious DLL. The malware establishes persistence and employs evasion tactics to thwart analysis and detection efforts. This modus operandi exemplifies the evolving sophistication and adaptability of malware campaigns, which exploit readily available tools and platforms for propagation and exploitation.

In parallel, the researchers highlight the emergence of Nood RAT, a Gh0st RAT variant targeting Linux systems. Nood RAT functions as a backdoor, facilitating various malicious activities upon receiving commands from its command and control (C&C) server. Despite its seemingly straightforward nature, Nood RAT incorporates encryption features to obfuscate network traffic, enhancing its stealth capabilities. The convergence of advanced features with relatively simple deployment underscores the versatility and effectiveness of RATs in facilitating cybercrime operations across diverse operating environments.

Overall, the proliferation of sophisticated RATs like Xeno RAT and the emergence of variants such as Nood RAT underscore the evolving threat landscape characterized by accessible and adaptable malware tools. As threat actors continue to leverage these resources for nefarious purposes, cybersecurity professionals face mounting challenges in detecting, mitigating, and combatting such threats effectively.

Impact

• Unauthorized Access
• Sensitive Information Theft
• File Manipulation

Indicators of Compromise

MD5

• 035f83018cf96f5e1f6817ccd39fc0b6
• b4910e998cf58da452f8151b71c868cb
• 4f3afdcfff8f7994b7d3d3fbaa6858b4
• a15ebd19cac42b0297858018da62b1be
• c440bd814be37fac669567131c4ba996
• 75838e5d481da40db2e235a6d5a222ef
• 905c2158fadfe31850766f010e149a0f
• 8457f71c6a5fe83bb513d1dfba99271a
• 35743db3dc333245ef5b69100721ced9
• 7d631e5b0c78805dd5d440cce788d25b
• 0a35e06f53c17ab1c8e18e7e0c0821d8
• d9f00f71efabdfcca7c63d4b0805673c

SHA-256

• 15f3536ac33588444cf6a632f17c74ee0ee8777d0d2166206222b4d5f66de715
• bf1b88385aebb37182421e967749f057fbefb4e4386bb47b5098abac7c70c476
• d17d964cacb063a6fe685d6e5e7dbc02c597de51b46c994f0aadb56c3bf96f13
• e5fb5a3b8663fbb2686caf88fdb3362115dc0f0bf9cc5d32d1e42c00aa6660b4
• b21f4039707eb4fc40ad1a7ed10be753ab3922c4a60bde819dcd74d44fef991d
• c830a233f716416e3754e46aa70e049d10989a48028f3879d425c3851c4dd761
• 7440a7b56d3670d4204a57974fa76ae76ca78168bb181640f565976d192cc159
• bf5ea570bf4d18e60dd758a2461fbdf73a500dbd179e458aca81d65b5d9155e1
• 3bff2c5bfc24fc99d925126ec6beb95d395a85bc736a395aaf4719c301cbbfd4
• 67e60fca3d28dcae09b74ffd62f5efe462700b6d2b3334d519e4caac55820df0
• 275d63587f3ac511d7cca5ff85af2914e74d8b68edd5a7a8a1609426d5b7f6a9
• 870d6c202fcc72088ff5d8e71cc0990777a7621851df10ba74d0e07d19174887

SHA-1

• 49481dd3c7316c8e924150798e87eee884193f3c
• 1afd03b91e73db0de7685af473530503bc9257ff
• fcf631e940f33641748f51cfaad1e5cc073e31f0
• 2897abd5ca0913756263a94462b0391ce092c2be
• 0c8842054e9aba008f964f395de64464115b8ba1
• 71449bdde94afd1fe10ad68743ceba67f0975f84
• 4d4bc836641840ad8b0873b07d31ce38732c4a28
• 7316b5cc2aac0390890f6819d90b7cd36359ca62
• fa681933eccc1b3cae4cce6ab6f16db08c2f2a87
• 1be33241473015788c11571ad3ab13ac82805da2
• 14fd16e6465b74c5ac4dc895f4c15bccb447af31
• 49c4aa2812535884bd9d3a564e7656dec150933a

Domain Name

• check.snapupdate.org
• update.kworker.net
• b.niupilao.vip

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Passwords – Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.