
SeroXen RAT for sale – Cybersecurity Insiders

SeroXen RAT is a new, fileless Remote Access Trojan that emerged in late 2022 and is increasingly popular in 2023. The malware is advertised as a legitimate tool that gives undetected access to computers and is sold for a monthly fee of $30 or a lifetime bundle of $60, making it accessible to many. SeroXen RAT is a combination of Quasar RAT, r77-rootkit, and NirCmd, several open-source projects that enhance its capabilities. Although it is currently popular in the gaming community, it is only a matter of time before it begins to target companies instead of individual users.

Quasar RAT is a legitimate open-source remote administration tool that has been associated with malicious activity performed by threat actors, APT groups, or government attacks. SeroXen RAT is a modified fork of that open-source code base that adds features to the original RAT. It has been observed in the wild and has shown zero detections on VirusTotal. The RAT is packaged into an obfuscated PowerShell batch file, which makes it more difficult for antiviruses to detect. It is executed only in memory after going through several decryption and decompression routines, which makes it more challenging for endpoint detection and response (EDR) solutions to detect.

The malware is being used to target video game users and is distributed via Discord or phishing emails. During execution of the .bat file, the script extracts two separate binaries from base64-encoded text, AES-decrypts and GZIP-decompresses them to produce two byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of each assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both. The attackers also had to create a legitimate-looking folder into which they drop an illicit copy of the System Configuration Utility, msconfig.exe, which is required later. Were it not for this file being temporarily written to disk, the RAT would be fully fileless.

SeroXen RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort execution, delaying analysis and making it harder. The RAT also checks for the presence of debuggers and uses pings to make its threads sleep. The RAT communicates via a named pipe and can receive a command from any running process. It uses several evasion techniques, such as evading AMSI and hooking several functions in ntdll.dll, to hide its presence.
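The two preceding paragraphs describe what a SeroXen-style dropper looks like on disk (a base64 blob that is AES-decrypted, GZIP-decompressed and reflectively loaded via `Assembly.Load` and `EntryPoint.Invoke`) and what the loaded payload does next (a WMI manufacturer lookup for VMware, debugger checks, a named-pipe command channel). The script below is an added example written for this page, not code from the article or from any project it names: a static triage tool that scans a PowerShell/batch script (or strings dumped from a memory capture) for that loader chain and those anti-analysis markers, and separately flags large base64 blobs whose decoded bytes have the near-8-bits-per-byte entropy of ciphertext or compressed data. The indicator regexes, scoring thresholds and both sample scripts are assumptions and constructed fixtures; the "ciphertext" blob is a deterministic byte pattern chosen only because its entropy is exactly 8.0.

```python
"""Static triage for a SeroXen-style in-memory .NET loader script.

Added example, not code from the article or from any project it names. The
indicator regexes and thresholds are assumptions about what such a script
tends to contain; both sample scripts below are constructed fixtures.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Stage 1, the dropper chain the article describes:
# base64 text -> AES decrypt -> GZIP decompress -> reflective load -> EntryPoint.Invoke.
LOADER_INDICATORS = {
    "base64_decode":     re.compile(r"FromBase64String", re.I),
    "aes_decrypt":       re.compile(r"\bAes(CryptoServiceProvider|Managed)?\b|CreateDecryptor", re.I),
    "gzip_inflate":      re.compile(r"GZipStream|CompressionMode\]?::Decompress", re.I),
    "reflective_load":   re.compile(r"Reflection\.Assembly\]?::Load\b|Assembly\.Load\(", re.I),
    "entrypoint_invoke": re.compile(r"EntryPoint\.Invoke", re.I),
}

# Stage 2, anti-analysis behaviour the article describes: WMI manufacturer
# lookup (VMware), debugger checks, and a named-pipe command channel.
ANTI_ANALYSIS_INDICATORS = {
    "wmi_manufacturer": re.compile(r"Win32_ComputerSystem.{0,200}Manufacturer", re.I | re.S),
    "vm_vendor_string": re.compile(r"VMware", re.I),
    "debugger_check":   re.compile(r"IsDebuggerPresent|CheckRemoteDebuggerPresent|Debugger\]?::IsAttached", re.I),
    "named_pipe":       re.compile(r"NamedPipe(Server|Client)?Stream", re.I),
}

# A run of 200+ base64 alphabet characters is treated as an embedded blob.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; AES ciphertext and GZIP output sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def blob_entropy(blob: str) -> float:
    """Entropy of the decoded blob, or 0.0 when it is not valid base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return 0.0
    return shannon_entropy(raw)


def triage(text: str, entropy_threshold: float = 7.0) -> dict:
    """Return matched indicators, blob statistics and a coarse verdict."""
    loader = [name for name, rx in LOADER_INDICATORS.items() if rx.search(text)]
    anti = [name for name, rx in ANTI_ANALYSIS_INDICATORS.items() if rx.search(text)]
    blobs = [m.group(0) for m in BLOB_RE.finditer(text)]
    hot = sum(1 for b in blobs if blob_entropy(b) >= entropy_threshold)
    # Scoring is an assumption: most of the loader chain, or any loader step
    # next to a high-entropy blob, is enough to escalate; anything else that
    # matched goes to a human.
    if len(loader) >= 3 or (loader and hot):
        verdict = "suspicious"
    elif loader or anti:
        verdict = "review"
    else:
        verdict = "clean"
    return {"loader": loader, "anti_analysis": anti, "blobs": len(blobs),
            "high_entropy_blobs": hot, "verdict": verdict}


# Constructed stand-in for an encrypted payload: every byte value appears
# equally often, so its entropy is exactly 8.0 like real ciphertext.
_STAND_IN_CIPHERTEXT = base64.b64encode(bytes(range(256)) * 8).decode()

# Constructed, non-functional fixture: the API names of the chain, with no
# key, no wiring and nothing that runs. It exists only to exercise the rules.
SAMPLE_DROPPER_SCRIPT = r"""
$blob = '<<BLOB>>'
$mfr = (Get-WmiObject Win32_ComputerSystem).Manufacturer
if ($mfr -match 'VMware') { exit }
if ([System.Diagnostics.Debugger]::IsAttached) { exit }
$raw = [System.Convert]::FromBase64String($blob)
$aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider
$gz  = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Decompress)
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.EntryPoint.Invoke($null, $null)
$pipe = New-Object System.IO.Pipes.NamedPipeServerStream('example-pipe')
""".replace("<<BLOB>>", _STAND_IN_CIPHERTEXT)

# Constructed benign admin script used as a control.
SAMPLE_ADMIN_SCRIPT = r"""
Get-Service -Name Spooler | Restart-Service
Get-ChildItem C:\Logs -Filter *.log | Where-Object Length -gt 1MB
"""

if __name__ == "__main__":
    for label, script in (("dropper", SAMPLE_DROPPER_SCRIPT), ("admin", SAMPLE_ADMIN_SCRIPT)):
        print(label, triage(script))
```

Run it on a suspect .bat or .ps1 by passing the file's text to `triage()`; the entropy check is what separates an AES/GZIP payload from a long but benign base64 string such as an embedded icon or certificate, which decodes to far lower entropy.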

In conclusion, SeroXen RAT is an emerging threat that is highly effective at evading both static and dynamic detection. Although it is currently popular in the gaming community, it is only a matter of time before it begins to target companies instead of individual users. It is packaged into an obfuscated PowerShell batch file that makes it more difficult for antiviruses to detect, and it is executed only in memory after going through several decryption and decompression routines. It employs anti-debugging techniques and several evasion techniques, such as evading AMSI and hooking several functions in ntdll.dll, to hide its presence. Therefore, it is advisable to take several measures to protect oneself against this threat, such as keeping antiviruses and other security software updated and being mindful of phishing emails and suspicious links.
