Xeno RAT, short for Remote Access Trojan, is a new player in the cybersecurity landscape. It’s an open-source tool that has been intricately designed and made available on GitHub, making it accessible to other actors at no extra cost.

The developer of Xeno RAT, who goes by the name moom825, has written the RAT in C#, a popular programming language known for its versatility and efficiency. This choice of language contributes to the intricate design of Xeno RAT, allowing it to have a comprehensive set of features for remote system management.

One of the key aspects of Xeno RAT is its compatibility. It is designed to work seamlessly with both Windows 10 and Windows 11 operating systems. This broad compatibility makes it a potent tool as it can target a wide range of systems.

The availability of Xeno RAT on GitHub is a double-edged sword. On one hand, it allows for greater transparency and the potential for legitimate use cases. On the other hand, it also means that malicious actors can easily access and use this tool for nefarious purposes.

Features of Xeno RAT

Xeno RAT is equipped with a comprehensive set of features that make it a potent tool for remote system management. Here are some of the key features:

1. SOCKS5 Reverse Proxy: Xeno RAT includes a SOCKS5 reverse proxy. This feature allows it to route its network traffic through a third-party server, making it harder for defenders to trace back to the source. It also enables the RAT to bypass network restrictions and firewalls, providing unfiltered access to the internet.
2. Real-Time Audio Recording: One of the more invasive features of Xeno RAT is its ability to record real-time audio. This means it can activate the microphone on the infected system and transmit the audio back to the attacker. This feature could potentially be used for eavesdropping on private conversations or meetings.
3. Hidden Virtual Network Computing (hVNC) Module: Xeno RAT incorporates a hidden Virtual Network Computing (hVNC) module. This feature allows attackers to gain remote access to an infected computer. It’s similar to DarkVNC and enables the attacker to control the system as if they were physically present, all while remaining hidden from the user.

These features, combined with its intricate design and broad compatibility, make Xeno RAT a significant threat in the cybersecurity landscape. It’s a stark reminder of the need for robust security measures and constant vigilance in the face of evolving cyber threats.

The Developer Behind Xeno RAT :

The developer of Xeno RAT goes by the pseudonym moom825. While not much is known about the individual behind this alias, their work speaks volumes about their skills and approach to developing remote access tools.

moom825 has demonstrated a unique approach to creating remote access tools, choosing to develop them from scratch. This approach ensures that the tools are tailored to specific needs and are not just modifications of existing tools. It also allows for a greater understanding of the tool’s functionality, as every aspect of it has been hand-coded by the developer.

In addition to Xeno RAT, moom825 is also the developer of another C#-based RAT called DiscordRAT 2.0. This tool has been distributed by threat actors within a malicious npm package named node-hide-console-windows, as disclosed by ReversingLabs in October 2023.

moom825’s decision to make these tools open-source and available on GitHub suggests a commitment to transparency and a belief in the power of community collaboration. However, it also raises concerns about the potential misuse of these powerful tools.

Bespoke Variants of Xeno RAT

One of the unique features of Xeno RAT is its builder, which allows for the creation of bespoke variants of the malware. This feature is particularly noteworthy as it enables customization of the RAT based on the specific needs and objectives of the user.

The builder essentially functions as a toolkit, providing the user with a range of options and parameters that can be adjusted to create a customized version of Xeno RAT. This could include modifications to the RAT’s functionality, its method of infection, or its evasion techniques.

The ability to create bespoke variants of the malware significantly enhances its versatility and effectiveness. It allows threat actors to tailor the RAT to their specific target environment, increasing the chances of successful infiltration and persistence.

However, it’s important to note that this feature also presents significant challenges from a cybersecurity perspective. The ability to create bespoke variants of the malware makes it more difficult for security solutions to detect and mitigate the threat, as each variant may exhibit different behaviors and characteristics.

moom825’s Other Projects:

DiscordRAT 2.0 is a Remote Administration Tool (RAT) developed by moom825. It’s fully written in C# and has a stub size of around 75kb. This tool is controlled over Discord and comes with over 40 post-exploitation modules.

Here are some key features and commands of DiscordRAT 2.0:

• Token grabber
• Webcam
• Builder
• Message box: !message command shows a message box displaying your text.
• Shell command: !shell command executes a shell command.
• Voice: !voice command makes a voice say out loud a custom sentence.
• Admin check: !admincheck command checks if the program has admin privileges.
• Directory change: !cd command changes the directory.
• Directory display: !dir command displays all items in the current directory.
• File download: !download command downloads a file from the infected computer.
• File upload: !upload command uploads a file to the infected computer.
• File deletion: !delete command deletes a file.
• Typing: !write command types your desired sentence on the computer.
• Wallpaper change: !wallpaper command changes the infected computer’s wallpaper.
• Clipboard retrieval: !clipboard command retrieves the infected computer’s clipboard content.
• Idle time check: !idletime command gets the idle time of the user on the target computer.
• Current directory display: !currentdir command displays the current directory.
• Keyboard and mouse block: !block command blocks the user’s keyboard and mouse.
• Keyboard and mouse unblock: !unblock command unblocks the user’s keyboard and mouse.
• Screenshot: !screenshot command gets the screenshot of the user’s current screen.
• Program exit: !exit command exits the program.
• Session kill: !kill command kills a session or all sessions.
• UAC bypass: !uacbypass command attempts to bypass UAC to gain admin by using windir and slui.
• Shutdown: !shutdown command shuts down the computer.
• Restart: !restart command restarts the computer.
• Logoff: !logoff command logs off the current user.
• BlueScreen: !bluescreen command causes a BlueScreen on the PC.
• Date and time display: !datetime command displays the system date and time.

Please note that this tool is for educational use only, and the author will not be held responsible for any misuse of this tool.

Dissemination of Xeno RAT:.

Xeno RAT is a potent malware written in C# with advanced capabilities. The malware’s developer has chosen to maintain it as an open-source project and made it accessible via GitHub.

A threat actor customized its settings and disseminated it via the Discord Content Delivery Network (CDN). The primary vector is in the form of a shortcut file, disguised as a WhatsApp screenshot, which acts as a downloader. This downloader fetches and executes subsequent payloads from the Discord CDN.

The malware employs a multi-step process to generate the ultimate payload. It looks for debuggers, monitoring, and analysis tools before executing the final stage. It also uses extensive obfuscation techniques within files/code to evade detection effectively.

The Role of Affordable and Freely Available Malware:

The rise in affordable and freely available malware is indeed driving an increase in campaigns utilizing Remote Access Trojans (RATs). Here are some reasons why:

1. Ease of Access and Use: There are numerous RATs available for free and for purchase in online forums, chat rooms, and marketplaces on the Internet. Most RATs are easy to use and thus attract novices. They are used for a variety of criminal activity, including cyber espionage.
2. Malware ‘Meal Kits’: The availability of malware ‘meal kits’ for less than $100 is fueling a surge in RAT campaigns. These kits often come with user-friendly interfaces and detailed instructions, making it easy for even non-technical individuals to launch sophisticated attacks.
3. Adaptability: RATs are controlled directly by humans, who have the ability to adapt to network defenses. This makes them a versatile tool in the hands of cybercriminals.
4. Disguise and Deception: Threat actors often use RATs in a deliberate effort to blend in with traditional cybercrime groups, who also use these same tools. This makes it difficult for analysts to distinguish and correlate the activity of targeted threat actors.
5. Advanced Capabilities: With advancements in the attack chain, most next-gen security solutions have become futile. RATs provide the ability to gain administrative control over a target’s network, and threat actors are usually able to disable whatever antivirus tool is installed quickly.
6. Targeted Attacks: Some operations may be part of a targeted attack that seeks to disguise itself and its possible targets, by using spam services to launch the attacks.

The ubiquity of these RATs makes it difficult to determine if a particular security incident is related to a targeted threat, cybercrime, or just a novice ‘script kiddie’ causing a nuisance. However, the activity of particular threat actors can still be tracked by clustering command and control server information as well as the information that is set by the operators in the builder.

The Multi-Stage Sequence of Xeno RAT:

DLL side-loading is a technique that allows malware to blend in with legitimate processes and avoid detection. It involves the proxy execution of a malicious DLL via a benign executable planted in the same directory. This abuses the Windows behavior of loading the DLL from where the application was loaded prior to other locations such as system directories.

Here’s how Xeno RAT uses DLL side-loading and other techniques to establish persistence and evade detection:

1. Initial Access: A threat actor obtains initial access to an endpoint, either via an application vulnerability, compromised credentials, successful phish, trojanized installer, or even a trusted insider.
2. Payload Download: The primary vector is in the form of a shortcut file, disguised as a WhatsApp screenshot, which acts as a downloader. This downloader fetches and executes subsequent payloads from the Discord CDN.
3. Multi-Step Process: A multi-step process is employed to generate the ultimate payload of the malware. It looks for debuggers, monitoring, and analysis tools before executing the final stage.
4. DLL Side-Loading: The malware leverages the DLL search order functionality in Windows to load the malicious DLL into a trusted executable process.
5. Process Injection: It injects the malicious code (process injection) into a legit windows process.
6. Persistence: The malware adds itself as a scheduled task for persistence.
7. Obfuscation: It employs extensive obfuscation techniques within files/code to evade detection effectively.
8. C2 Communication: The malware communicates with its command and control server with status updates and receives instructions at regular intervals.

Cybersecurity Measures Against Xeno RAT:

To protect against threats like Xeno RAT, the following cybersecurity measures can be taken:

1. Threat Intelligence: Implement threat intelligence to proactively counter the threats associated with Xeno RAT malware.
2. Endpoint Security Solutions: Use robust endpoint security solutions for real-time monitoring and threat detection.
3. Network Security: Implement robust network security measures, including firewalls and intrusion detection systems.
4. User Awareness: Foster a culture of cybersecurity awareness, encouraging users to report suspicious activities promptly.
5. Application Whitelisting: Employ application whitelisting to control the execution of unauthorized programs.
6. Continuous Monitoring: Continuous monitoring of the network activity with Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) is crucial.
7. Regular Updates: Keep all software and systems up-to-date to patch any known vulnerabilities that could be exploited.
8. Strong Passwords: Use strong, unique passwords and enable two-factor authentication wherever possible.
9. Avoid Suspicious Links and Attachments: Be wary of unsolicited emails, messages, and links. Do not download or open attachments from unknown sources.
10. Backup Important Data: Regularly backup important data and ensure it can be restored easily in case of a malware attack.

Remember, no single measure can provide complete protection against cyber threats. A layered approach combining multiple strategies is the most effective way to secure your systems and data. Always stay vigilant and informed about the latest threats and security practices. Be ethical and responsible!

At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.