A stealthy remote access trojan (RAT) known as ‘SeroXen’ has gained popularity among cybercriminals due to its low detection rates and powerful capabilities. AT&T reports that the malware is being sold under the guise of a legitimate remote access tool for Windows 11 and 10, with prices ranging from $15/month to a “lifetime” license payment of $60.
While marketed as a legitimate program, SeroXen is being promoted as a RAT on hacking forums, although it remains uncertain whether these promoters are the developers or shady resellers. AT&T has observed a significant increase in SeroXen activity recently, with hundreds of samples detected since its creation in September 2022.
Primarily targeting the gaming community, SeroXen’s low cost makes it accessible to a wide range of threat actors. However, as its popularity continues to grow, there are concerns that its scope may expand to include larger organizations and companies.
SeroXen is built upon open-source projects such as Quasar RAT, the r77 rootkit, and the NirCmd command-line tool, a combination that makes the trojan harder to detect in both static and dynamic analysis. Quasar RAT, the foundation of SeroXen, is a lightweight remote administration tool with various features, including reverse proxy, remote shell, remote desktop, TLS communication, and file management capabilities.
AT&T has observed SeroXen being distributed through phishing emails and Discord channels, where cybercriminals distribute ZIP archives containing heavily obfuscated batch files. The batch files extract encoded binaries and load them into memory using .NET reflection, while a modified version of msconfig.exe is temporarily stored in a look-alike “C:\Windows \System32” directory (note the space after “Windows”, which mimics the real system directory) for malware execution.
This batch file then deploys a variant of the r77 rootkit named “InstallStager.exe.” The rootkit, stored in an obfuscated form in the Windows registry, is activated using PowerShell via the Task Scheduler, injecting it into “winlogon.exe.” By injecting the payload into memory, the r77 rootkit ensures that the SeroXen RAT remains undetected and enables remote access to the compromised device.
Once launched, the SeroXen RAT establishes communication with a command and control server, waiting for commands issued by the attackers.
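As an added defensive example, not code from the AT&T report or from this article, the PowerShell script below hunts a host for the artifacts the infection chain above leaves behind: a look-alike “C:\Windows \System32” directory with a trailing space in the “Windows” segment, scheduled tasks whose action launches PowerShell (with encoded-command arguments flagged separately), and files named InstallStager.exe. The search roots for the stager, the encoded-command regex, the output shape, and the use of PowerShell 7 (whose .NET runtime honours the `\\?\` prefix, so the trailing space is not normalised away) are assumptions of this example, not details from the report.

```powershell
# Added triage script for the SeroXen chain described above (not AT&T's code).
# Read-only: it reports, it does not delete. Run from an elevated PowerShell 7
# prompt; on Windows PowerShell 5.1 the "C:\Windows \System32" listing may be
# normalised to the real System32 and should be verified with cmd.exe /c dir.

function Find-SpoofedWindowsDir {
    # Enumeration returns directory names exactly as stored, so a trailing
    # space survives here even though most tooling silently strips it.
    Get-ChildItem -LiteralPath "$env:SystemDrive\" -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne $_.Name.TrimEnd() } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'SpoofedDir'
                Detail = "'$($_.FullName)' has trailing whitespace in its name"
            }
            # Look inside the fake System32 (e.g. for the modified msconfig.exe).
            # The \\?\ prefix tells Win32/.NET not to normalise the path.
            $inner = '\\?\' + $_.FullName + '\System32'
            try {
                foreach ($file in [System.IO.Directory]::GetFiles($inner)) {
                    $info = [System.IO.FileInfo]::new($file)
                    [pscustomobject]@{
                        Check  = 'SpoofedDirFile'
                        Detail = "$($info.Name) ($($info.Length) bytes) under $inner"
                    }
                }
            } catch {
                [pscustomobject]@{ Check = 'SpoofedDirFile'; Detail = "could not list $inner : $($_.Exception.Message)" }
            }
        }
}

function Find-PowerShellTasks {
    # The article says the rootkit is activated by PowerShell via the Task
    # Scheduler: list every task action that launches powershell/pwsh and mark
    # those passing an encoded command (heuristic regex, an assumption here).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -match '(?i)(powershell|pwsh)') {
                $encoded = $action.Arguments -match '(?i)(^|\s)-e(c|nc|ncodedcommand)?(\s|$)'
                [pscustomobject]@{
                    Check  = if ($encoded) { 'TaskEncodedPowerShell' } else { 'TaskPowerShell' }
                    Detail = "$($task.TaskPath)$($task.TaskName): $($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

function Find-StagerFiles {
    # Search roots are an assumption (common staging areas), not from the report.
    $roots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp")
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter 'InstallStager.exe' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Check  = 'StagerFile'
                    Detail = "$($_.FullName) ($($_.Length) bytes) SHA256=$hash"
                }
            }
    }
}

$findings = @(Find-SpoofedWindowsDir) + @(Find-PowerShellTasks) + @(Find-StagerFiles)
if ($findings.Count -eq 0) {
    Write-Host 'No SeroXen-style artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Legitimate software does create scheduled tasks that run PowerShell, so `TaskPowerShell` hits are a review list rather than a verdict; a trailing-space directory beside the real `C:\Windows`, or a hit on `InstallStager.exe`, is what warrants isolating the host and comparing the file hashes against the indicators AT&T published.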
AT&T warns that the increasing popularity of SeroXen could attract hackers interested in targeting larger organizations, emphasizing the need for network defenders to be vigilant. In response, AT&T has released indicators of compromise to assist in detecting and mitigating SeroXen attacks.