This blog was jointly written with Alejandro Prada and Ofer Caspi.
Executive summary
SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.
Key takeaways:
- SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
- The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
- Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.
Analysis
Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).
It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.
In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.
Figure 1. SeroXen features announced on its website.
This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.
In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.
After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.
The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.
Figure 2: SeroXen website
Based on the packed versions uploaded to VT, it appears that the RAT is being used for targeting video game users. Several lure injector cheat files have been observed with names invoking popular videogames such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord for the distribution of some of the samples.
Figure 3. SeroXen timeline.
One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious.
As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.
Regarding the dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT due to its utilization of several techniques to evade virtualization and sandbox detection mechanisms and string encryption subsequent payloads.
The RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort the execution to delay and make the analysis harder. The RAT also checks for the presence of debuggers and uses pings make the threads sleep.
Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.
Execution analysis
When the malicious payload is delivered to the victim, commonly through a phishing mail or a Discord channel – the victim often receives a ZIP file containing a benign file in plain sight, and the heavily obfuscated batch file is hidden and automatically executed when launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64 encoded text later in the file.
Figure 4. Obfuscated bat script.
During the bat execution, the script extracts two separate binaries from the base64 encoded text, AES decrypts, and GZIP decompresses it to produce two separate byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of the assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both.
Throughout the decryption process, the attackers had the need to create a legitimate looking folder to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:Windows System32”, with a space after Windows and deletes it as soon as the utility is running. If it wasn’t for this file temporarily dropped into disk, the RAT would be fully fileless.
The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and debugger techniques, only to lead to more obfuscation and encryption techniques that lead to the final payload. This payload has been built using the Github project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.
Figure 5. Payload embedded resources.
The extraction of the resources leads to the final payloads. This is in the form of two .NET assemblies: CSStub2.InstallStager.exe, and CSStub2.UninstallStager.exe. And a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.
The payload InstallStager.exe is a compilation of the open-source rootkit named r77-rootkit – a fileless ring 3 rootkit written in .NET. This rootkit supports both x32 and x64 Windows processes and has the following features:
- Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
- Child process hooking.
- Option to embed additional malware to be executed with the rootkit – in this case NirCmd and/or Quasar. The added malware will be decompressed and decrypted before it is injected into other processes.
- In memory process injection: the rootkit injects itself and additional malware(s) into all processes. Injection is done from memory: no files are needed to be stored on disk.
- Hooking: Hooks several functions from ntdll.dll to hide its presence.
- Communicating via NamedPipe: The rootkit can receive a command from any running process.
- Antivirus / EDR evasion: The rootkit uses several evasion techniques:
- AMSI bypass: PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
- DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk to avoid process hollowing detection
- Hiding entities: Hiding all entities starts with a configurable prefix, which in SeroXen’s case its “$sxr”. This prefix hardens the visualization of the attack on the system, but eases attribution of the malware family during the analysis. The prefix is used to hide files, directories, NamedPipes, scheduled tasks, processes, registry keys/values, and services.
R77 technical documentation provides a guideline of where can the prefix be found:
|
Config parameter
|
Details
|
Example
|
|
HIDE_PREFIX
|
The prefix for name-based hiding (e.g. processes, files, etc…).
|
L”$sxr”
|
|
R77_SERVICE_NAME32
|
Name for the scheduled task that starts the r77 service for 32-bit processes.
|
HIDE_PREFIX L”svc32″
|
|
R77_SERVICE_NAME64
|
Name for the scheduled task that starts the r77 service for 64-bit processes.
|
HIDE_PREFIX L”svc64″
|
|
CHILD_PROCESS_PIPE_NAME32
|
Name for the named pipe that notifies the 32-bit r77 service about new child processes.
|
L”.pipe” HIDE_PREFIX L”childproc32″
|
|
CHILD_PROCESS_PIPE_NAME64
|
Name for the named pipe that notifies the 64-bit r77 service about new child processes.
|
L”.pipe” HIDE_PREFIX L”childproc64″
|
|
CONTROL_PIPE_NAME
|
Name for the named pipe that receives commands from external processes.
|
L”.pipe” HIDE_PREFIX L”control”
|
The two main components in this project are the InstallStager service and the Rootkit. The InstallStager service is responsible for:
- Creating a registry key to store the malware code and writes it as encrypted data.
- Creating a scheduled task to execute the malware using PowerShell. PowerShell will decompress and decrypt the final payload (Service) that will be injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.
Figure 6. Starting payload after decryption using process hollowing.
Now the second and main stage of the Rootkit is ready to start. The service kicks off the load of the rootkit’s DLL that is embedded as a resource and saves its configuration as a registry key. (In SeroXen case it’s [HKEY_LOCAL_MACHINESOFTWARE$sxrconfig]).
The service creates 3 listener threads:
- NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
- ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.
Figure 7. Child process injection.
- ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:
|
Command
|
Details
|
|
CONTROL_R77_UNINSTALL
|
The control code that uninstalls r77.
|
|
CONTROL_R77_PAUSE_INJECTION
|
The control code that temporarily pauses injection of new processes.
|
|
CONTROL_R77_RESUME_INJECTION
|
The control code that resumes injection of new processes.
|
|
CONTROL_PROCESSES_INJECT
|
The control code that injects r77 into a specific process, if it is not yet injected.
|
|
CONTROL_PROCESSES_INJECT_ALL
|
The control code that injects r77 into all processes that are not yet injected.
|
|
CONTROL_PROCESSES_DETACH
|
The control code detaches r77 from a specific process.
|
|
CONTROL_PROCESSES_DETACH_ALL
|
The control code detaches r77 from all processes.
|
|
CONTROL_USER_SHELLEXEC
|
The control code that executes a file using ShellExecute.
|
|
CONTROL_USER_RUNPE
|
The control code that executes an executable using process hollowing.
|
|
CONTROL_SYSTEM_BSOD
|
The control code that triggers a BSOD.
|
|
CONTROL_R77_TERMINATE_SERVICE
|
The control code that terminates the r77 service.
|
The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.
Figure 8. System function hooking.
As a summary of the execution process:
Figure 9. SeroXen decryption flow.
Since Seroxen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar Github repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.
Figure 10. Quasar Server Certificate.
Conclusion
The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT. The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.
The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.
Detection methods
The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.
|
SURICATA IDS SIGNATURES
|
|
2035595: ET TROJAN Generic AsyncRAT Style SSL Cert
|
|
2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)
|
Associated indicators (IOCs)
The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.
|
TYPE
|
INDICATOR
|
DESCRIPTION
|
|
SHA256
|
8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87
|
Example malware hash
|
Mapped to MITRE ATT&CK
The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:
- TA0002 : Execution
- T1053: Scheduled Task/Job
- T1053.005: Scheduled Task
- T1059: Command and Scripting Interpreter
- T1059.003: Windows Command Shell
- TA0003: Persistence
- T1547: Boot or Logon Autostart Execution
- T1547.001 Registry Run Keys / Startup Folder
- TA0004: Privilege Escalation
- T1548: Abuse Elevation Control Mechanism
- T1548.002: Bypass User Account Control
- TA0005: Defense Evasion
- T1112: Modify Registry
- T1553: Subvert Trust Controls
- T1553.002: Code Signing
- T1564: Hide Artifacts
- T1564.001: Hidden Files and Directories
- T1564.003: Hidden Window
- TA0006: Credential Access
- T1552: Unsecured Credentials
- T1552.001: Credentials In Files
- T1555: Credentials from Password Stores
- T1555.003: Credentials from Web Browsers
- TA0007: Discovery
- T1016: System Network Configuration Discovery
- T1033: System Owner/User Discovery
- T1082: System Information Discovery
- T1614: System Location Discovery
- TA0008: Lateral Movement
- T1021: Remote Services
- T1021.001: Remote Desktop Protocol
- TA009: Collection
- T1005: Data from Local System
- T1056: Input Capture
- T1056.001: Keylogging
- T1125: Video Capture
- TA0011: Command and Control
- T1090: Proxy
- T1095: Non-Application Layer Protocol
- T1105: Ingress Tool Transfer
- T1571: Non-Standard Port
- T1573: Encrypted Channel:
- T1573.001: Symmetric Cryptography
References:
The post SeroXen RAT for sale appeared first on Cybersecurity Insiders.
