This blog was jointly written with Alejandro Prada and Ofer Caspi.

Executive summary

SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.

Key takeaways:

SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.

Analysis

Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).

It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.

In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.

Figure 1. SeroXen features announced on its website.

This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.

In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.

After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.

The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.

Figure 2: SeroXen website

Based on the packed versions uploaded to VT, it appears that the RAT is being used for targeting video game users. Several lure injector cheat files have been observed with names invoking popular videogames such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord for the distribution of some of the samples.

Figure 3. SeroXen timeline.

One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious.

As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.

Regarding the dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT due to its utilization of several techniques to evade virtualization and sandbox detection mechanisms and string encryption subsequent payloads.

The RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort the execution to delay and make the analysis harder. The RAT also checks for the presence of debuggers and uses pings make the threads sleep.

Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.

Execution analysis

When the malicious payload is delivered to the victim, commonly through a phishing mail or a Discord channel – the victim often receives a ZIP file containing a benign file in plain sight, and the heavily obfuscated batch file is hidden and automatically executed when launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64 encoded text later in the file.

Figure 4. Obfuscated bat script.

During the bat execution, the script extracts two separate binaries from the base64 encoded text, AES decrypts, and GZIP decompresses it to produce two separate byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of the assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both.

Throughout the decryption process, the attackers had the need to create a legitimate looking folder to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:Windows System32”, with a space after Windows and deletes it as soon as the utility is running. If it wasn’t for this file temporarily dropped into disk, the RAT would be fully fileless.

The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and debugger techniques, only to lead to more obfuscation and encryption techniques that lead to the final payload. This payload has been built using the Github project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.

Figure 5. Payload embedded resources.

The extraction of the resources leads to the final payloads. This is in the form of two .NET assemblies: CSStub2.InstallStager.exe, and CSStub2.UninstallStager.exe. And a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.

The payload InstallStager.exe is a compilation of the open-source rootkit named r77-rootkit – a fileless ring 3 rootkit written in .NET. This rootkit supports both x32 and x64 Windows processes and has the following features:

Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
Child process hooking.
Option to embed additional malware to be executed with the rootkit – in this case NirCmd and/or Quasar. The added malware will be decompressed and decrypted before it is injected into other processes.
In memory process injection: the rootkit injects itself and additional malware(s) into all processes. Injection is done from memory: no files are needed to be stored on disk.
Hooking: Hooks several functions from ntdll.dll to hide its presence.
Communicating via NamedPipe: The rootkit can receive a command from any running process.
Antivirus / EDR evasion: The rootkit uses several evasion techniques:

AMSI bypass: PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk to avoid process hollowing detection

Hiding entities: Hiding all entities starts with a configurable prefix, which in SeroXen’s case its “$sxr”. This prefix hardens the visualization of the attack on the system, but eases attribution of the malware family during the analysis. The prefix is used to hide files, directories, NamedPipes, scheduled tasks, processes, registry keys/values, and services.

R77 technical documentation provides a guideline of where can the prefix be found:

Config parameter

Details

Example

HIDE_PREFIX

The prefix for name-based hiding (e.g. processes, files, etc…).

L”$sxr”

R77_SERVICE_NAME32

Name for the scheduled task that starts the r77 service for 32-bit processes.

HIDE_PREFIX L”svc32″

R77_SERVICE_NAME64

Name for the scheduled task that starts the r77 service for 64-bit processes.

HIDE_PREFIX L”svc64″

CHILD_PROCESS_PIPE_NAME32

Name for the named pipe that notifies the 32-bit r77 service about new child processes.

L”\\.\pipe\” HIDE_PREFIX L”childproc32″

CHILD_PROCESS_PIPE_NAME64

Name for the named pipe that notifies the 64-bit r77 service about new child processes.

L”\\.\pipe\” HIDE_PREFIX L”childproc64″

CONTROL_PIPE_NAME

Name for the named pipe that receives commands from external processes.

L”\\.\pipe\” HIDE_PREFIX L”control”

 

The two main components in this project are the InstallStager service and the Rootkit. The InstallStager service is responsible for:

Creating a registry key to store the malware code and writes it as encrypted data.
Creating a scheduled task to execute the malware using PowerShell. PowerShell will decompress and decrypt the final payload (Service) that will be injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.

Figure 6. Starting payload after decryption using process hollowing.

Now the second and main stage of the Rootkit is ready to start. The service kicks off the load of the rootkit’s DLL that is embedded as a resource and saves its configuration as a registry key. (In SeroXen case it’s [HKEY_LOCAL_MACHINESOFTWARE$sxrconfig]).

The service creates 3 listener threads:

NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.

Figure 7. Child process injection.

ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:

Command

Details

CONTROL_R77_UNINSTALL

The control code that uninstalls r77.

CONTROL_R77_PAUSE_INJECTION

The control code that temporarily pauses injection of new processes.

CONTROL_R77_RESUME_INJECTION

The control code that resumes injection of new processes.

CONTROL_PROCESSES_INJECT

The control code that injects r77 into a specific process, if it is not yet injected.

CONTROL_PROCESSES_INJECT_ALL

The control code that injects r77 into all processes that are not yet injected.

CONTROL_PROCESSES_DETACH

The control code detaches r77 from a specific process.

CONTROL_PROCESSES_DETACH_ALL

The control code detaches r77 from all processes.

CONTROL_USER_SHELLEXEC

The control code that executes a file using ShellExecute.

CONTROL_USER_RUNPE

The control code that executes an executable using process hollowing.

CONTROL_SYSTEM_BSOD

The control code that triggers a BSOD.

CONTROL_R77_TERMINATE_SERVICE

The control code that terminates the r77 service.

 

The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.

Figure 8. System function hooking.

As a summary of the execution process:

Figure 9. SeroXen decryption flow.

Since Seroxen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar Github repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.

Figure 10. Quasar Server Certificate.

 

Conclusion

The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT. The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.

The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035595: ET TROJAN Generic AsyncRAT Style SSL Cert

2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

 

TYPE

INDICATOR

DESCRIPTION

SHA256

8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87

Example malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0002 : Execution 
T1053: Scheduled Task/Job 
T1053.005: Scheduled Task 
T1059: Command and Scripting Interpreter 
T1059.003: Windows Command Shell 
TA0003: Persistence 
T1547: Boot or Logon Autostart Execution 
T1547.001 Registry Run Keys / Startup Folder 
TA0004: Privilege Escalation 
T1548: Abuse Elevation Control Mechanism 
T1548.002: Bypass User Account Control 
TA0005: Defense Evasion 
T1112: Modify Registry 
T1553: Subvert Trust Controls 
T1553.002: Code Signing 
T1564: Hide Artifacts 
T1564.001: Hidden Files and Directories 
T1564.003: Hidden Window 
TA0006: Credential Access 
T1552: Unsecured Credentials 
T1552.001: Credentials In Files 
T1555: Credentials from Password Stores 
T1555.003: Credentials from Web Browsers 
TA0007: Discovery 
T1016: System Network Configuration Discovery 
T1033: System Owner/User Discovery 
T1082: System Information Discovery 
T1614: System Location Discovery 
TA0008: Lateral Movement 
T1021: Remote Services 
T1021.001: Remote Desktop Protocol 
TA009: Collection 
T1005: Data from Local System 
T1056: Input Capture 
T1056.001: Keylogging 
T1125: Video Capture 
TA0011: Command and Control 
T1090: Proxy 
T1095: Non-Application Layer Protocol  
T1105: Ingress Tool Transfer 
T1571: Non-Standard Port 
T1573: Encrypted Channel: 
T1573.001: Symmetric Cryptography 

References:

Seroxen webpage
Seroxen features
Quasar RAT
NirCmd – Windows command line tool (nirsoft.net)
R77-rootkit

Read More

The dark web. The name raises all kinds of questions. What is the dark web, really? Where is it? Can anyone hop on it? 

Answering these questions can help you stay safer online. 

The story of the dark web is a complicated one. It’s a small and highly anonymous layer of the internet. As a result, it has a reputation for harboring criminal activity. We often mention the dark web in our blogs, typically when the conversation turns to identity theft, data breaches, and stolen personal information. Rightfully so. Plenty of cybercrime can get traced right back to the dark web. 

Yet cybercriminals didn’t create the dark web. And they’re far from the only people who use it. News outlets like the BBC and the New York Times have a presence there, as does the U.S. Central Intelligence Agency (CIA). Journalists, activists, and everyday citizens use it as well, often to work around oppressive censorship. Even Facebook is there, providing people access to the social media site in regions where it’s blocked. 

Anonymity reigns on the dark web. It was designed to work that way. With that, it’s home to a mixed bag of activity, legitimate and illicit alike. Yet that anonymity doesn’t stop us from putting a face onto the dark web—from understanding what it is, where it is, and what transpires there.  

That starts with a look at the internet and the two primary layers that make it up. 

The layers of the internet: The surface web and the deep web 

If you visualize the internet as an ocean, you’ll find it populated with websites and collections of data at all depths. Yet, the typical internet user only has access to the first few feet, a layer of the internet known as the surface web.  

The sights you’ll see within the surface web will look familiar. It’s all the blogs, shops, social media sites, and so on that you visit regularly. And it’s easy to get to. You only need to fire up your browser and go. All the sites are public facing. With a quick search, you can find them.  

In all, the surface web contains any destination you can reach through search. To put it more precisely, the surface web accounts for areas of the internet that search engines can “crawl” and index for search. Estimates vary, yet the surface web accounts for roughly 4 to 5% of the internet. 

Now, enter the deep web, the next 95% of the internet that is not searchable. Yet, that’s not to say that you don’t travel down into its depths from time to time. In fact, you likely do it daily. Any time you go through a paywall or use a password to access internet content, you’re entering the deep web. The content found there is hidden from search. Examples include logging into your bank account, accessing medical records through your healthcare provider, or using corporate web pages as part of your workday. Even streaming a show can involve a trip to the deep web. None of that content is searchable. 

As such, the overwhelming majority of activity within the deep web is legitimate. So while this layer of the internet runs deep, it isn’t necessarily dark. The dark web is something altogether different. 

What is the dark web? 

The dark web lives within the deep web. Like the other depths of the deep web, it’s not searchable. The people behind the websites and data collections on the dark web intentionally keep them hidden from search. And the reasons vary. Some of them are entirely legitimate, others questionable, and several are outright illegal in nature.  

Its origins go back to the 1990s, when the U.S. Department of Defense developed the dark web as a means of anonymous and encrypted communications. That story might sound familiar. It’s quite like the origin story for the broader internet. That had its roots in the Department of Defense as well. So, just as the broader internet eventually became available to the public, so did the dark web as well. 

Getting there requires a special browser because the protocols for the dark web differ from the surface web. Moreover, these browsers strip web traffic of identifiable information, encrypt it, and send it through a series of server jumps. The browsing traffic will appear to go through a server in one country, then a different server in another, and then another.  

These steps make it highly difficult to identify the person using the browser. On the flip side, it makes it difficult to identify the people hosting the sites and services on the dark web as well.  

Without question, privacy is everything on the dark web. For good and for bad. 

Legitimate uses of the dark web 

While the notion of the dark web typically gets raised in the context of cybercrime and other illegal activity, it has legitimate uses. Some of these use cases include: 

Circumventing censorship  

Well-regarded news outlets such as the BBC and Pro Publica maintain a presence on the dark web to ensure that anyone can access their reporting. This includes people in nations and regions where certain news sources are censored.  

Private communication 

For the particularly privacy-conscious, the dark web hosts several resources for encrypted communication. That includes email clients, internet chat, and even social media sites. 

Whistleblowing 

Anonymous tips are a part of national security, law enforcement, and journalism as well. The private nature of the dark web confers an additional degree of anonymity to tipsters. 

The dark web isn’t a place everyday internet users will need, or even want, to go. It’s far more complicated than the surface web—and going in without taking several security measures can make the trip a risky one. 

The dark web as a marketplace for cybercrime 

This is where the rubber meets the road from an online protection standpoint. The dark web is also a marketplace for hackers and bad actors. In several ways—as a place to purchase and rent malware, a repository for stolen information, and a place to communicate and coordinate attacks. 

For starters, the dark web is populated with dark marketplaces. And difficult-to-trace cryptocurrency is the coin of the realm. With dark web stores stocked with ready-made malware kits, bad actors can launch attacks with little need for technical expertise. Others have done the work for them.  

Cybercrime groups of all sizes prop up these shops, which they also use to rent out other services for attacks. For example, a small-time bad actor could easily lease a botnet to wage an attack that slows a targeted website to a crawl. Some cybercrime groups will provide hackers who can run attacks on someone else’s behalf, creating a mercenary “hacker for hire” gig economy.  

Likewise, information stolen from a data breach can end up in dark web marketplaces as well. The personal information posted in these marketplaces can range anywhere from emails and passwords to in-depth information like tax numbers, health information, and driver’s license numbers. Some of it goes up for sale. Some of it gets dumped there for free. With the right information in hand, cybercriminals can commit acts of identity theft. That includes claiming unemployment benefits and tax refunds in someone else’s name. In extreme cases, it can lead to bad actors can outright impersonate their victims, racking up debts and criminal records along the way. 

Some hacking groups sell hacked accounts outright. For a couple hundred dollars, they offer up login and password information for bank accounts that have a couple thousand dollars in them. Also available, pre-hacked email, social media, and online payment accounts. If it’s hackable and has value, it’s likely for sale on the dark web. 

Protect yourself from hackers and bad actors on the dark web 

With all this shady activity on the dark web, you might wonder how you can protect yourself. In fact, you can take several steps to help prevent your information from finding its way there. And you also can take other steps if your information unfortunately does end up on the dark web. 

Installing online protection software is the first step. Online protection software can help prevent many of the attacks bad actors can purchase on the dark web. It protects against ransomware, adware, spyware, and all manner of malware, whether it’s pre-existing or entirely new.  

Yet today’s online protection goes far beyond antivirus. Comprehensive protection like ours protects your privacy and identity as well. It can monitor your identity and credit, create strong passwords, and clean up your personal information online. 

Monitor your identity:

An identity monitoring service can actively scan the dark web for personal info like your date of birth, email addresses, credit card numbers, personal identification numbers, and much more. In the event you fall victim to identity theft, our identity theft coverage and restoration can provide up to $1 million in coverage to cover the costs. Plus, it provides the services of a recovery expert with limited power of attorney to help you repair the damage done. 

Keep an eye on your credit:

If you spot unusual or unfamiliar charges or transactions in your account, bank, or debit card statements, follow up immediately. That might indicate improper use. In general, banks, credit card companies, and many businesses have countermeasures to deal with fraud. Moreover, they have customer support teams that can help you file a claim if needed. 

Given all the accounts you likely have a credit monitoring service can help. McAfee’s credit monitoring service can help you keep an eye on changes to your credit score, report, and accounts with timely notifications and provide guidance so you can take action to tackle identity theft. 

Create and maintain strong, unique passwords:

With the high number of accounts you need to protect, creating strong, unique passwords for each one can get time consuming. Further, updating them regularly can become a time-consuming task. That’s where a password manager comes in.  

A password manager does the work of creating strong, unique passwords for your accounts. These will take the form of a string of random numbers, letters, and characters. They will not be memorable, but the manager does the memorizing for you. You only need to remember a single password to access the tools of your manager. 

Close old, risky accounts:

The more online accounts you keep, the greater the exposure you have to data breaches. Each account will have varying degrees of personal and financial information linked to it. And that means each one carries a varying degree of risk if it gets breached. Moreover, some sites and services protect data better than others, which adds another dimension of risk. Closing old and particularly risky accounts can decrease the risk of your personal and financial information winding up in the hands of an identity thief.  

With security and savings in mind, McAfee created Online Account Cleanup. It finds and requests the deletion of unused accounts and protects your personal data from data breaches as a result. Monthly scans across your online accounts show a risk level for each account and help you decide which ones to delete.  

Use two-factor authentication:

Two-factor authentication is an extra layer of defense on top of your username and password. It adds a one-time-use code to access your login procedure, typically sent to your smartphone by text or call. Together, that makes it tougher for a crook to hack your account if they get hold of your username and password. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get. 

Protect yourself from cybercriminals on the dark web 

The “dark” in the dark web stands for anonymity. And with anonymity, all kinds of activity follow. Good and bad.  

From a security standpoint, the dark web is a haven for all manner of cybercriminals. Understanding how they use the dark web can help you protect yourself from their activities. You have tools for prevention, and you have resources available if your information ends up there or leads to identity theft.  

By putting a face on the dark web, you put a face on cybercrime and can help reduce the risk of it happening to you.  

The post What is the Dark Web? The Answer Can Help You Stay Safer Online. appeared first on McAfee Blog.

Read More

The criminal enterprise resulted in losses of up to $1m

Read More