A potent cybersecurity threat has emerged with the discovery of an intricately designed remote access trojan (RAT) called Xeno RAT, now available on GitHub. Developed in C# and compatible with Windows 10 and Windows 11, it boasts a comprehensive set of features for remote system management, including a SOCKS5 reverse proxy and the ability to record real-time audio. Notably, the trojan has a hidden virtual network computing (hVNC) module, akin to DarkVNC, enabling attackers to gain remote access to compromised systems.
What sets Xeno RAT apart is its unique development from scratch, ensuring a tailored approach to remote access tools. Additionally, the RAT includes a builder that allows the creation of bespoke variants of the malware, enhancing its adaptability and potential impact. The developer, known as moom825, is also associated with DiscordRAT 2.0, highlighting a concerning pattern of distributing C#-based RATs. Recent observations by cybersecurity firm Cyfirma reveal Xeno RAT being disseminated through the Discord content delivery network (CDN), emphasizing the surge in campaigns utilizing RATs due to the availability of affordable and freely accessible malware.
Cybersecurity experts warn that the primary vector for Xeno RAT involves a disguised shortcut file, masquerading as a WhatsApp screenshot, acting as a downloader. This downloader fetches a ZIP archive from Discord CDN, executing the next stage payload. The multi-stage sequence employs DLL side-loading, establishing persistence, and evading analysis to ensure the trojan’s longevity and effectiveness. As the cybersecurity landscape witnesses the rise of sophisticated threats like Xeno RAT, organizations must remain vigilant and implement robust security measures to mitigate potential risks.
