So far, the tool is used against ordinary gamers, but sooner or later its popularity will also endanger the corporate sector.
AT&T has discovered a new remote access Trojan called SeroXen RAT, which has recently become extremely popular among cybercriminals due to its high stealth and powerful capabilities.
On legitimate websites the malware is sold as a perfectly legal remote-control program for computers running Windows 10 and 11. The price is ridiculously low: $15 per month or $60 for a "lifetime" license.
However, the cyber-intelligence platform Flare Systems has discovered that SeroXen is advertised on hacker forums as a remote access Trojan, and it is unclear whether those promoting it there are its developers or merely fraudulent resellers.
The low cost makes the Trojan very accessible to attackers. AT&T has observed hundreds of builds since it first appeared in September 2022, and activity is still growing.
Most SeroXen victims are casual gamers, but as the tool grows in popularity, the target audience may expand to include large companies and organizations.
SeroXen is based on various open source projects including Quasar RAT, r77 rootkit and NirCmd. “The developer of SeroXen has identified a strong combination of free resources to create a Trojan that is difficult to detect in both static and dynamic analysis. The use of the open source Quasar trojan, which appeared almost ten years ago, provides a solid foundation, and the combination of NirCMD and r77-rootkit is a logical addition to the mix, as they make the tool much more stealthy,” AT&T comments in its report.
Quasar RAT is a remote administration tool first released in 2014. Its latest version, 1.41, has reverse proxy, remote shell, remote desktop, TLS communication, and file management features. The tool is freely available via GitHub.
r77 is an open-source ring-3 (user-mode) rootkit that offers fileless persistence on the target system, child process hijacking, malicious code injection, in-memory process injection, and antivirus bypass.
NirCmd is a free utility that performs simple tasks of managing the Windows system and peripherals from the command line.
AT&T has documented attacks in which SeroXen is delivered through phishing emails or Discord channels, where cybercriminals distribute ZIP archives containing heavily obfuscated batch files. A pair of base64-encoded binaries is extracted from them and loaded into memory using .NET Reflection.
The only file that touches the device's disk is a modified version of msconfig.exe, which is required to run the malware and is temporarily stored in the "C:\Windows \System32" directory. Note the extra space after "Windows": this look-alike directory is deleted immediately after the program is installed.
Ultimately, a payload called "InstallStager.exe", a variant of the r77 rootkit, is deployed to the target device. It is stored in an obfuscated form in the Windows Registry and is later activated using PowerShell through the Task Scheduler, injecting itself into the "winlogon.exe" process.
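The infection chain above leaves a few traces that endpoint telemetry can be checked for before the rootkit hides the running process: a directory named "Windows " (with a trailing space) impersonating the real one, PowerShell launched by the Task Scheduler with an encoded command, and batch files carrying base64-encoded executables. The following script is an added example, not code from the AT&T report or from any of the projects mentioned; it triages constructed process-creation records (the fields a Sysmon event 1 export carries) and a constructed batch file, and all sample values in it are made up for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record: image path, command line, parent image."""
    image: str
    command_line: str
    parent_image: str


# Parent images under which Task Scheduler jobs are typically started.
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
# -EncodedCommand and the short forms PowerShell accepts for it.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A long run of base64 characters, as embedded in the obfuscated batch droppers.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def spoofed_path_components(path: str) -> List[str]:
    r"""Path components with leading/trailing whitespace, e.g. "Windows " in C:\Windows \System32."""
    return [c for c in re.split(r"[\\/]", path) if c and c != c.strip()]


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode the UTF-16LE base64 payload behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(command_line)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: ProcessEvent) -> List[str]:
    """Findings for one process-creation event (empty list means nothing suspicious)."""
    findings = []
    bad = spoofed_path_components(ev.image)
    if bad:
        findings.append(f"spoofed-system-dir: {bad!r} in {ev.image!r}")
    if basename(ev.image) in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev.command_line)
        if decoded is not None:
            parent = basename(ev.parent_image)
            source = "task-scheduler" if parent in SCHEDULER_PARENTS else parent
            findings.append(f"encoded-powershell from {source}: {decoded.strip()!r}")
    return findings


def triage(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """(index, findings) for every event that produced at least one finding."""
    hits = []
    for i, ev in enumerate(events):
        findings = triage_event(ev)
        if findings:
            hits.append((i, findings))
    return hits


def scan_batch_text(text: str) -> List[Tuple[int, bool]]:
    """For each long base64 run in a batch file: (decoded size, starts with the PE 'MZ' header)."""
    out = []
    for m in BASE64_BLOB.finditer(text):
        try:
            data = base64.b64decode(m.group(0))
        except ValueError:
            continue
        out.append((len(data), data[:2] == b"MZ"))
    return out


# Constructed sample data; none of these values come from the AT&T report.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msconfig.exe", "msconfig.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows \System32\msconfig.exe", "msconfig.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -NoP -W Hidden -EncodedCommand {ENC}",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\Scripts\\backup.ps1",
                 r"C:\Windows\explorer.exe"),
]
# A batch file carrying a base64 blob whose decoded bytes begin with a PE header (constructed).
SAMPLE_BATCH = ("@echo off\r\nset blob="
                + base64.b64encode(b"MZ" + b"\x00" * 100).decode()
                + "\r\necho done\r\n")

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, findings)
    print(scan_batch_text(SAMPLE_BATCH))
```

The whitespace check is the part worth keeping even if nothing else is deployed: `C:\Windows \System32` and `C:\Windows\System32` are different directories, and tools that only compare the trimmed display name or rely on a path allow-list will treat the spoofed copy of msconfig.exe as the genuine one. Because r77 hides its process once injected into winlogon.exe, run this against telemetry recorded at process-creation time rather than against a live process listing on the suspect host.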
The rootkit loads the SeroXen Trojan into the system's memory, hiding it while still providing the desired remote access to the device. Once launched, the Trojan establishes a connection with the C2 server and waits for further commands from the attackers.
AT&T analysts also found that SeroXen uses the same TLS certificate as QuasarRAT and has most of the features of the original project, including TCP stream support, efficient network serialization, and QuickLZ compression.
Researchers fear that the growing popularity of SeroXen will attract hackers interested in attacking large organizations rather than gamers, so the company has released Indicators of Compromise (IoCs) to give security professionals time to prepare their enterprises.