Security researchers are tracking a new fileless RAT named SeroXen that can evade many EDR systems and is a fork of a legitimate remote administration tool that has been in use for many years.
SeroXen has been in circulation for a few months now and researchers say it is being offered for sale in a number of places, including on social media platforms and hacking forums. The RAT is a fork of Quasar, an open source remote administration tool, which some APT groups have abused for their own purposes in the past. Some groups have created their own customized versions of the RAT, a common practice with legitimate open source tools. SeroXen first emerged in September 2022 and is being openly sold for a $30 monthly fee.
Researchers at AT&T Alien Labs have been tracking and analyzing the SeroXen RAT and found that it is currently not detected by any of the antimalware engines on VirusTotal.
“One of the most relevant announced features is that it is a fully undetectable version. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file's size typically ranges between 12-14 megabytes, as we can see in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus products may choose not to analyze it, potentially bypassing detection,” AT&T researchers said.
“This sample currently has 0 detections on VT, but some of the crowdsourced Sigma Rules do detect the activity as suspicious. As the malware is fileless and executed only in memory after going through several decryptions and decompression routines, it is more difficult to detect by antiviruses. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect by Endpoint Detection & Response (EDR) solutions that hook into it to detect process injections.”
Attackers typically deliver the SeroXen RAT either through phishing emails or on Discord channels. The malware downloads a benign ZIP file and a hidden batch file that executes automatically. After a few more intermediate steps, the final payload of two .NET arrays is installed. One of those arrays is a rootkit with a range of capabilities, including fileless persistence, in-memory process injection, EDR evasion, and function hooking.
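The delivery chain and packaging described above lend themselves to a simple triage check. The following Python script is an added example for this article, not code from the AT&T Alien Labs write-up or from the SeroXen or Quasar projects. It turns two details in the report (a 12-14 MB obfuscated PowerShell batch file, and PowerShell launched from that batch file to run in memory) into rules that run over Sysmon-style process-creation events and over a batch file's size and body. The field names, sample events, command-line switches and the base64 length threshold are assumptions chosen for illustration, not SeroXen indicators.

```python
"""
Triage helpers that turn two observations from the write-up into detection logic.

Added example for this article; it is not code from AT&T Alien Labs or the
SeroXen/Quasar projects. Field names follow Sysmon Event ID 1 (process
creation) conventions, and every sample event, script body and indicator
threshold below is constructed for illustration rather than taken from a
SeroXen sample.
"""
import re
from dataclasses import dataclass

# Size band the write-up gives for the obfuscated PowerShell batch file.
BATCH_SIZE_MIN = 12 * 1024 * 1024
BATCH_SIZE_MAX = 14 * 1024 * 1024

# Generic switches that non-interactive or obfuscated PowerShell launchers tend
# to use. Assumed, generic indicators; not specific to SeroXen.
PS_SWITCHES = re.compile(
    r"(?<!\S)-(?:enc(?:odedcommand)?|e|w(?:indowstyle)?|nop(?:rofile)?|ep|executionpolicy)\b",
    re.IGNORECASE,
)
# A long base64 run on a command line is a common sign of an encoded script
# body. The 200-character threshold is an assumption.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PS_IMAGE = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcessEvent:
    """Subset of a Sysmon Event ID 1 record."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the names of the rules a process-creation event matches."""
    hits = []
    if ev.image.lower().endswith(PS_IMAGE):
        parent = ev.parent_image.lower()
        parent_cl = ev.parent_command_line.lower()
        # PowerShell started by cmd.exe that is itself running a .bat/.cmd file
        if parent.endswith("cmd.exe") and (".bat" in parent_cl or ".cmd" in parent_cl):
            hits.append("powershell_spawned_by_batch_file")
        # Two or more stealth/encoding switches on one command line
        if len(PS_SWITCHES.findall(ev.command_line)) >= 2:
            hits.append("powershell_stealth_switches")
        if B64_BLOB.search(ev.command_line):
            hits.append("powershell_large_base64_argument")
    return hits


def score_batch_file(size_bytes: int, text: str) -> list[str]:
    """Return rule names for an on-disk .bat/.cmd file given its size and content."""
    hits = []
    if BATCH_SIZE_MIN <= size_bytes <= BATCH_SIZE_MAX:
        hits.append("batch_file_in_reported_size_band")
    if re.search(r"powershell|pwsh", text, re.IGNORECASE):
        hits.append("batch_file_invokes_powershell")
        if B64_BLOB.search(text):
            hits.append("batch_file_carries_base64_payload")
    return hits


# Constructed sample events: one benign PowerShell launch, one that looks like
# a batch-file stager. Paths and the base64 blob are made up.
BENIGN = ProcessEvent(
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line="powershell.exe -File C:\\Scripts\\backup.ps1",
    parent_image=r"C:\Windows\explorer.exe",
)
SUSPECT = ProcessEvent(
    image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    command_line="powershell.exe -nop -w hidden -enc " + "QUFB" * 80,
    parent_image=r"C:\Windows\System32\cmd.exe",
    parent_command_line='cmd.exe /c "C:\\Users\\user\\Downloads\\invoice\\setup.bat"',
)


if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, score_event(ev) or "no hits")
    # A constructed 13 MB batch file whose body wraps an encoded PowerShell stage.
    body = "@echo off\r\npowershell -nop -w hidden -enc " + "QUFB" * 80 + "\r\n"
    print("batch", score_batch_file(13 * 1024 * 1024, body))
```

Each rule on its own will fire on legitimate administration scripts, which is why the functions return a list of matched rule names rather than a verdict: the combination of a batch-file parent, stealth switches and a large encoded argument is what merits a closer look, much as the crowdsourced Sigma rules mentioned in the report flag the activity as suspicious without naming the sample.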
“Since SeroXen is based on QuasarRAT, the C&C server utilizes the same Common Name in their TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar GitHub repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption,” the researchers said.
Many cybercrime groups and other threat actors adopt and abuse open source or legitimate commercial tools in their operations, with Cobalt Strike and Mimikatz being prime examples.