The stealthy SeroXen RAT is sold as a supposedly legitimate remote administration tool for Windows 10 and 11 for $15-$30 per month, or $60 for a lifetime license.
A fileless remote access trojan (RAT) has become a popular tool for cybercriminals targeting gamers. Dubbed SeroXen, the malware is marketed as a legitimate program on hacker forums and social media, according to a report from AT&T Alien Labs.
Analysing SeroXen RAT:
SeroXen RAT evades both static and dynamic analysis well. It is assembled from several open-source projects, including the r77 rootkit, Quasar RAT, and NirCmd, and inherits the capabilities of each, which makes it a powerful RAT.
For reference, Quasar RAT is a lightweight open-source remote administration tool that has been available on GitHub since 2014. Its latest version (1.4.1) offers remote desktop, reverse proxy, TLS-encrypted communication, a remote shell, and file management.
The open-source r77 rootkit contributes fileless persistence, in-memory process injection, embedding of other malware, child-process hooking, and antivirus evasion. NirCmd is a freeware utility for carrying out Windows system management tasks from the command line.
How Is It Delivered?
SeroXen RAT is delivered via phishing emails or Discord channels. The attack begins with a ZIP file that contains a hidden, obfuscated batch file. Once that file is executed, it runs through several decoding and decryption stages and finally loads the payload in memory as two .NET assemblies held in byte arrays. One of them is the r77-based rootkit, which provides fileless persistence, EDR evasion, in-memory process injection, and function hooking.
A Low-Cost RAT Targeting Gaming Community
At $15-$30 per month, or $60 for a lifetime license, SeroXen is cheap enough to be attractive to a wide range of threat actors.
It is still unclear whether those selling the malware are its developers or resellers. According to AT&T's blog post, the company has analyzed hundreds of samples since SeroXen first surfaced in September 2022, and most of them targeted the gaming community.
Given how cheap and easy to obtain SeroXen is, attackers may well expand their targeting beyond gamers. Cybersecurity researcher CyberSec Zaado has also examined the SeroXen RAT in a video that walks through its capabilities from a defensive perspective.
SeroXen - An Undetectable RAT?
Researchers noted that, at the time of analysis, no antimalware engine flagged the sample, which is why it has been referred to as a “fully undetectable” version.
“Since the RAT is packaged into an obfuscated PowerShell batch file, the file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus may choose not to analyze it, potentially bypassing detection,” AT&T Alien Labs’ report read.
The sample analyzed by AT&T had zero detections on VirusTotal, although some crowdsourced Sigma rules flagged its behaviour as suspicious. Because it is fileless malware that executes in memory only after several decompression and decryption routines, antivirus products have a hard time detecting it.
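The size caveat above is the practical takeaway for defenders: a scanner with a file-size cap never looks inside a 12-14 MB batch file, so the triage has to happen elsewhere. The script below is an added example written for this article, not code from the AT&T report or from SeroXen. It flags batch files that exceed an assumed scanner size cap and that both launch PowerShell and show signs of obfuscation (cmd.exe substring tricks, long base64 blobs, encoded commands). The size cap, the indicator patterns and the two sample batch files are all constructed assumptions for illustration, not published SeroXen signatures.

```python
"""Triage heuristics for oversized, obfuscated PowerShell-in-batch droppers.

Added example for this article. The thresholds and indicator patterns are
assumptions chosen for illustration, not signatures published for SeroXen.
"""
import base64
import re
from dataclasses import dataclass, field

# Assumption: a scanner file-size cap. The report notes SeroXen batch files
# run 12-14 MB and that some AV engines may not analyze files that large.
DEFAULT_SIZE_CAP = 10 * 1024 * 1024

# Assumed indicator patterns for PowerShell launched from a batch file.
POWERSHELL_RE = re.compile(rb"\bpowershell(?:\.exe)?\b", re.IGNORECASE)
ENCODED_CMD_RE = re.compile(rb"\s-(?:ec|enc|encodedcommand)\b", re.IGNORECASE)
B64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{512,}={0,2}")
# cmd.exe substring expansion such as %a:~3,1% builds strings one character
# at a time and is a common batch obfuscation technique.
SUBSTR_RE = re.compile(rb"%[^%\s]+:~-?\d+(?:,-?\d+)?%")


@dataclass
class Verdict:
    size: int
    over_cap: bool               # True if a size-capped scanner would skip it
    indicators: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        launches_ps = ("powershell" in self.indicators
                       or "encoded_command" in self.indicators)
        obfuscated = ("base64_blob" in self.indicators
                      or "substring_obfuscation" in self.indicators)
        return launches_ps and obfuscated


def triage_batch(data: bytes, size_cap: int = DEFAULT_SIZE_CAP) -> Verdict:
    """Scan raw batch-file bytes and return size and indicator findings."""
    verdict = Verdict(size=len(data), over_cap=len(data) > size_cap)
    if POWERSHELL_RE.search(data):
        verdict.indicators["powershell"] = 1
    if ENCODED_CMD_RE.search(data):
        verdict.indicators["encoded_command"] = 1
    blobs = sum(1 for _ in B64_BLOB_RE.finditer(data))
    if blobs:
        verdict.indicators["base64_blob"] = blobs
    subs = sum(1 for _ in SUBSTR_RE.finditer(data))
    if subs:
        verdict.indicators["substring_obfuscation"] = subs
    return verdict


def build_dropper_sample(pad_to: int = 12 * 1024 * 1024) -> bytes:
    """Constructed stand-in for an obfuscated dropper, padded to pad_to bytes.

    The 'payload' is 1 KB of counting bytes, not malware; the padding stands
    in for the junk that inflates real samples to 12-14 MB.
    """
    payload_b64 = base64.b64encode(bytes(range(256)) * 4)
    lines = [
        b"@echo off",
        b"set a=xpyoxwxexrxsxhxexlxlx",
        b"set b=%a:~1,1%%a:~3,1%%a:~5,1%",
        b"set p=" + payload_b64,
        b"start /b powershell -nop -w hidden -enc %p%",
    ]
    body = b"\r\n".join(lines) + b"\r\n"
    padding = b":: " + b"." * max(0, pad_to - len(body) - 5) + b"\r\n"
    return body + padding


# Constructed benign admin script: launches PowerShell but is not obfuscated.
BENIGN_SAMPLE = (b"@echo off\r\n"
                 b"powershell -NoProfile -Command \"Get-Service | "
                 b"Where-Object Status -eq 'Running'\"\r\n")


if __name__ == "__main__":
    for name, data in (("dropper", build_dropper_sample()),
                       ("benign", BENIGN_SAMPLE)):
        v = triage_batch(data)
        print(f"{name}: {v.size} bytes, over_cap={v.over_cap}, "
              f"suspicious={v.suspicious}, indicators={v.indicators}")
```

The two checks are deliberately separate: `over_cap` tells you the file sits in a scanner's blind spot, while `suspicious` is the content verdict, so a benign but oversized script or a small obfuscated one each still stand out. Run it from a file-ingest hook or over a directory of quarantined attachments rather than relying on an engine that may silently skip large inputs.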
Moreover, SeroXen’s toolkit loads a fresh copy of ntdll.dll, sidestepping the user-mode API hooks that many EDR (endpoint detection and response) products place in a process’s original ntdll.dll, which makes the malware even harder to detect.