Read Time:12 Minute, 34 Second

This blog was jointly written with Alejandro Prada and Ofer Caspi.

Executive summary

SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives access to your computers undetected, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it accessible.

Key takeaways:

SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command line NirCmd.
Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.

Analysis

Quasar RAT is a legitimate open-source remote administration tool. It is offered on github page to provide user support or employee monitoring. It has been historically associated with malicious activity performed by threat actors, APT groups (like in this Mandiant report from 2017), or government attacks (in this report by Unit42 in 2017).

It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, there have been released updates to the code until v1.4.1 in March 2023, which is the most current version. As an open-source RAT tool with updates 9 years after its creation, it is no surprise that it continues to be a common tool used by itself or combined with other payloads by threat actors up to this day.

In a review of the most recent samples, a new Quasar variant was observed by Alien Labs in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding some modifications features to the original RAT. They’re selling it for monthly or lifetime fee. Figure 1 contains some of the features advertised on their website.

Figure 1. SeroXen features announced on its website.

This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.

In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.

After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.

The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.

Figure 2: SeroXen website

Based on the packed versions uploaded to VT, it appears that the RAT is being used for targeting video game users. Several lure injector cheat files have been observed with names invoking popular videogames such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord for the distribution of some of the samples.

Figure 3. SeroXen timeline.

One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious.

As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.

Regarding the dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT due to its utilization of several techniques to evade virtualization and sandbox detection mechanisms and string encryption subsequent payloads.

The RAT employs anti-debugging techniques by leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort the execution to delay and make the analysis harder. The RAT also checks for the presence of debuggers and uses pings make the threads sleep.

Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.

Execution analysis

When the malicious payload is delivered to the victim, commonly through a phishing mail or a Discord channel – the victim often receives a ZIP file containing a benign file in plain sight, and the heavily obfuscated batch file is hidden and automatically executed when launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64 encoded text later in the file.

Figure 4. Obfuscated bat script.

During the bat execution, the script extracts two separate binaries from the base64 encoded text, AES decrypts, and GZIP decompresses it to produce two separate byte arrays. These byte arrays are then used with .NET reflection to perform an in-memory load of the assembly from its bytes, locate the binary’s entry point, and perform an Invoke on both.

Throughout the decryption process, the attackers had the need to create a legitimate looking folder to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:Windows System32”, with a space after Windows and deletes it as soon as the utility is running. If it wasn’t for this file temporarily dropped into disk, the RAT would be fully fileless.

The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and debugger techniques, only to lead to more obfuscation and encryption techniques that lead to the final payload. This payload has been built using the Github project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.

Figure 5. Payload embedded resources.

The extraction of the resources leads to the final payloads. This is in the form of two .NET assemblies: CSStub2.InstallStager.exe, and CSStub2.UninstallStager.exe. And a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.

The payload InstallStager.exe is a compilation of the open-source rootkit named r77-rootkit – a fileless ring 3 rootkit written in .NET. This rootkit supports both x32 and x64 Windows processes and has the following features:

Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
Child process hooking.
Option to embed additional malware to be executed with the rootkit – in this case NirCmd and/or Quasar. The added malware will be decompressed and decrypted before it is injected into other processes.
In memory process injection: the rootkit injects itself and additional malware(s) into all processes. Injection is done from memory: no files are needed to be stored on disk.
Hooking: Hooks several functions from ntdll.dll to hide its presence.
Communicating via NamedPipe: The rootkit can receive a command from any running process.
Antivirus / EDR evasion: The rootkit uses several evasion techniques:

AMSI bypass: PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk to avoid process hollowing detection

Hiding entities: Hiding all entities starts with a configurable prefix, which in SeroXen’s case its “$sxr”. This prefix hardens the visualization of the attack on the system, but eases attribution of the malware family during the analysis. The prefix is used to hide files, directories, NamedPipes, scheduled tasks, processes, registry keys/values, and services.

R77 technical documentation provides a guideline of where can the prefix be found:

Config parameter

Details

Example

HIDE_PREFIX

The prefix for name-based hiding (e.g. processes, files, etc…).

L”$sxr”

R77_SERVICE_NAME32

Name for the scheduled task that starts the r77 service for 32-bit processes.

HIDE_PREFIX L”svc32″

R77_SERVICE_NAME64

Name for the scheduled task that starts the r77 service for 64-bit processes.

HIDE_PREFIX L”svc64″

CHILD_PROCESS_PIPE_NAME32

Name for the named pipe that notifies the 32-bit r77 service about new child processes.

L”\\.\pipe\” HIDE_PREFIX L”childproc32″

CHILD_PROCESS_PIPE_NAME64

Name for the named pipe that notifies the 64-bit r77 service about new child processes.

L”\\.\pipe\” HIDE_PREFIX L”childproc64″

CONTROL_PIPE_NAME

Name for the named pipe that receives commands from external processes.

L”\\.\pipe\” HIDE_PREFIX L”control”

 

The two main components in this project are the InstallStager service and the Rootkit. The InstallStager service is responsible for:

Creating a registry key to store the malware code and writes it as encrypted data.
Creating a scheduled task to execute the malware using PowerShell. PowerShell will decompress and decrypt the final payload (Service) that will be injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.

Figure 6. Starting payload after decryption using process hollowing.

Now the second and main stage of the Rootkit is ready to start. The service kicks off the load of the rootkit’s DLL that is embedded as a resource and saves its configuration as a registry key. (In SeroXen case it’s [HKEY_LOCAL_MACHINESOFTWARE$sxrconfig]).

The service creates 3 listener threads:

NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.

Figure 7. Child process injection.

ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:

Command

Details

CONTROL_R77_UNINSTALL

The control code that uninstalls r77.

CONTROL_R77_PAUSE_INJECTION

The control code that temporarily pauses injection of new processes.

CONTROL_R77_RESUME_INJECTION

The control code that resumes injection of new processes.

CONTROL_PROCESSES_INJECT

The control code that injects r77 into a specific process, if it is not yet injected.

CONTROL_PROCESSES_INJECT_ALL

The control code that injects r77 into all processes that are not yet injected.

CONTROL_PROCESSES_DETACH

The control code detaches r77 from a specific process.

CONTROL_PROCESSES_DETACH_ALL

The control code detaches r77 from all processes.

CONTROL_USER_SHELLEXEC

The control code that executes a file using ShellExecute.

CONTROL_USER_RUNPE

The control code that executes an executable using process hollowing.

CONTROL_SYSTEM_BSOD

The control code that triggers a BSOD.

CONTROL_R77_TERMINATE_SERVICE

The control code that terminates the r77 service.

 

The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.

Figure 8. System function hooking.

As a summary of the execution process:

Figure 9. SeroXen decryption flow.

Since Seroxen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar Github repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.

Figure 10. Quasar Server Certificate.

 

Conclusion

The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT. The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.

The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035595: ET TROJAN Generic AsyncRAT Style SSL Cert

2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

 

TYPE

INDICATOR

DESCRIPTION

SHA256

8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87

Example malware hash

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0002 : Execution 
T1053: Scheduled Task/Job 
T1053.005: Scheduled Task 
T1059: Command and Scripting Interpreter 
T1059.003: Windows Command Shell 
TA0003: Persistence 
T1547: Boot or Logon Autostart Execution 
T1547.001 Registry Run Keys / Startup Folder 
TA0004: Privilege Escalation 
T1548: Abuse Elevation Control Mechanism 
T1548.002: Bypass User Account Control 
TA0005: Defense Evasion 
T1112: Modify Registry 
T1553: Subvert Trust Controls 
T1553.002: Code Signing 
T1564: Hide Artifacts 
T1564.001: Hidden Files and Directories 
T1564.003: Hidden Window 
TA0006: Credential Access 
T1552: Unsecured Credentials 
T1552.001: Credentials In Files 
T1555: Credentials from Password Stores 
T1555.003: Credentials from Web Browsers 
TA0007: Discovery 
T1016: System Network Configuration Discovery 
T1033: System Owner/User Discovery 
T1082: System Information Discovery 
T1614: System Location Discovery 
TA0008: Lateral Movement 
T1021: Remote Services 
T1021.001: Remote Desktop Protocol 
TA009: Collection 
T1005: Data from Local System 
T1056: Input Capture 
T1056.001: Keylogging 
T1125: Video Capture 
TA0011: Command and Control 
T1090: Proxy 
T1095: Non-Application Layer Protocol  
T1105: Ingress Tool Transfer 
T1571: Non-Standard Port 
T1573: Encrypted Channel: 
T1573.001: Symmetric Cryptography 

References:

Seroxen webpage
Seroxen features
Quasar RAT
NirCmd – Windows command line tool (nirsoft.net)
R77-rootkit

Read More