A newly identified, sophisticated malware coded in C# has emerged. Dubbed Xeno RAT, this malware boasts advanced features such as evasion tactics, payload generation, and an additional layer of threat due to its open-source availability on GitHub.
Furthermore, Xeno RAT employs process injection, obfuscation, anti-debugging mechanisms, and various other techniques, enhancing its complexity and making detection a formidable challenge.
The key threat vector employed by this malware involves the utilization of a Shortcut file and a multi-stage payload downloader.
For in-depth analysis of malware files, network traffic, module behavior, and registry activity, utilize the ANY.RUN malware sandbox. Additionally, leverage the Threat Intelligence Lookup feature to directly interact with the operating system from your browser.
Xeno RAT
Xeno RAT is a type of remote access trojan (RAT) that allows unauthorized users to gain control over a victim’s computer remotely. It is known for its sophisticated capabilities, including evasion techniques, payload generation, and open-source availability on platforms like GitHub.
It employs various advanced techniques such as process injection, obfuscation, anti-debugging mechanisms, and communication with command and control (C2) servers to make detection and analysis challenging for security researchers.
As per the reports disclosed to Cyber Security News, this malware was originally distributed in the form of a shortcut file (.lnk) named “WhatsApp_2023-12-12_12-59-06-18264122612_DCIM.png.lnk”.
The LNK file functions as a downloader, leveraging the Windows Command Shell to fetch and execute the payload from a ZIP archive hosted at the Discord CDN URL.
The LNK file contains obfuscated command-line arguments pointing to two shortened URLs. These URLs retrieve two files from the Discord CDN server: one benign file and one payload ZIP archive. Upon download, the ZIP archive is extracted in the directory “C:\Users\user\AppData\Roaming\Adobe\Drivers”.
The ZIP archive contains three files: two portable executable files with the extensions EXE and DLL, and a third file named LICENSE, whose purpose is unknown.
The EXE file is identified as ADExplorer.exe, a Windows Sysinternals tool designed for viewing and editing Active Directory configurations.
The DLL file, named samcli.dll, serves as the malicious payload, masquerading as the legitimate “Security Accounts Manager Client DLL.”
While the DLL file bears a signature, it is not verified. The LICENSE file contains obfuscated text with read/write permissions.
Second Stage Execution
In this stage, the remaining commands in the LNK file launch ADExplorer.exe without prompts. This executable utilizes the samcli.dll for its operations and exploits the Windows OS DLL search order by placing a malicious DLL file with the same name in the Current Working Directory. During this process, the samcli.dll is loaded into the ADExplorer.exe process.
This process then spawns a suspended process called “hh.exe” and conducts process injection. Additionally, ADExplorer.exe generates two shortcut files in the current working directory: “Guide.lnk” and “Support.url”. The URL file directs to the Guide.lnk file, which replicates the functionality of the initially downloaded LNK file.
Third Stage Execution and Final Stage Execution
In the third stage, the hh.exe process initiates another suspended process, “colorcpl.exe,” and conducts another round of process injection.
Subsequently, hh.exe terminates colorcpl.exe, which is then resumed under the “explorer.exe” process. In the final stage, colorcpl.exe checks for any existing installations of Xeno RAT on the victim machine.
If the malware is not detected, the process begins communicating with the C2 domain internal-liveapps[.]online, resolving to the IP address 45[.]61[.]139[.]51. The communication between the C2 and the infected machine is obfuscated.
Xeno RAT boasts a myriad of functionalities including monitoring, evading analysis, Hidden VNC, establishing SOCKS5 proxy connections with the C2 server, ensuring persistence through Scheduled Tasks, executing process injection, obfuscating network traffic, executing commands from the C2, providing status updates, and numerous others.
Indicators Of Compromise
| S/N | Indicators | Type | Context |
| 1 | 13b1d354ac2649b309b0d9229def8091 | File | Screenshot_2024-01-30_w-69-06-18264122612_DCIM.png.lnk |
| 2 | 848020d2e8bacd35c71b78e1a81c669c9dc63c78dd3db5a97200fc87aeb44c3c | File | Screenshot_2024-01-30_w-69-06-18264122612_DCIM.png.lnk |
| 3 | 6f9e84087cabbb9aaa7d8aba43a84dcf | File | Sys.zip |
| 4 | 4d0d8c2696588ff74fe7d9f8c2097fddd665308fccf16ffea23b9741a261b1c0 | File | Sys.zip |
| 5 | 7704241dd8770b11b50b1448647197a5 | File | Samcli.dll |
| 6 | 1762536a663879d5fb8a94c1d145331e1d001fb27f787d79691f9f8208fc68f2 | File | Samcli.dll |
| 7 | 0aa5930aa736636fd95907328d47ea45 | File | LICENSE |
| 8 | 96b091ce5d06afd11ee5ad911566645dbe32bfe1da2269a3d3ef8d3fa0014689 | File | LICENSE |
| 9 | 45[.]61[.]139[.]51 | IP address | C2 |
| 10 | internal-liveapps[.]online | Domain | C2 |
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment