SeroXen Remote Access Trojan Used to Attack Gamers; bigger goals could follow

Security researchers have discovered a new stealthy remote access trojan that is being used, for the moment, primarily to target video gamers.

SeroXen has been available since late 2022 and has increased in popularity since then.

AT&T Alien Labs researchers have observed people on gaming forums complaining about a malware infection that matches the behavior of SeroXen, which is known to spread via cheats for popular games such as Fortnite and Call of Duty: Warzone. It has even been distributed through the chat and messaging platform Discord, which is also popular among gamers.

The popularity of the Remote Access Trojan (RAT) is based on a combination of functionality and price. At the time of writing, SeroXen is available for purchase for a monthly fee of US$30, or can be purchased outright for just US$60.

SeroXen itself is a combination of several open source projects that have been around for some time: Quasar RAT, the NirCmd command line tool, and r77-rootkit.

Quasar is, in fact, a legitimate remote administration tool. It was first released in 2014 and has been continually updated since then, but it has also been used by threat actors since 2017.

SeroXen is packaged as an “obfuscated PowerShell batch file,” making it effectively fileless and very difficult to detect. It is also relatively large for what it is (between 12 and 14 megabytes in size), which could lead to it being scanned by some antivirus software. It runs only in the infected machine’s memory and introduces a number of other features that allow the RAT to detect whether it is running in a virtual machine or other sandbox.

If it detects that it is running in such an environment, it aborts execution, thereby delaying threat analysis.

The only file SeroXen creates is a hacked version of msconfig.exe, which is placed in a legitimate-looking folder and then deleted once the malware is up and running, after it has been injected into running processes.

“The SeroXen developer has found a formidable combination of free resources to develop a RAT that is difficult to detect in static and dynamic analysis,” Alien Labs wrote in a blog post. “The use of an open-source elaborate RAT such as Quasar, almost a decade since its first appearance, provides an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix as they make the tool more elusive and difficult to detect.”

“Since then, hundreds of samples have appeared, [SeroXen’s] creation being the most popular in the gaming community. It is only a matter of time before it is used for businesses rather than individual users.”
