SeroXen remote access Trojan being used to target gamers, bigger targets could follow

Security researchers have uncovered a stealthy new remote access Trojan that is being used — for the moment — largely to target video gamers.

David Hollingworth
Mon, 12 Jun 2023

SeroXen has been available since late 2022 and has grown in popularity ever since.

Researchers at AT&T Alien Labs have noted individuals on gaming forums complaining about a malware infection that matches the behaviour of SeroXen, and it’s been known to be spread via cheats for popular games such as Fortnite and Call of Duty: Warzone. It’s even been distributed via chat and messaging platform Discord, which is also popular with gamers.

The popularity of the remote access Trojan (RAT) comes down to a combination of functionality and price. At the time of writing, SeroXen is available for a monthly fee of US$30, or can be purchased outright for just US$60.


SeroXen itself is a combination of a number of open-source projects that have been around for some time — Quasar RAT, the NirCmd command line tool, and r77-rootkit.

Quasar is, in fact, a legitimate remote administration tool, first released in 2014 and continually updated since, but it has been used by threat actors since 2017.

SeroXen is packaged as an “obfuscated PowerShell batch file”, which makes it effectively fileless and very hard to detect. It is also relatively large for what it is — about 12 to 14 megabytes — which can lead some anti-virus software to fail to analyse it. It executes only in a machine’s memory and carries a raft of features that allow the RAT to detect whether it is being run in a virtual machine or other sandbox.

If it detects that it is being run in such an environment, it will abort execution, and so delay threat analysis.

The only file that SeroXen does create is a modified version of msconfig.exe. It is dropped in a folder that looks legitimate and is deleted once the malware has injected itself into running processes and is up and running.
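From a defender's side, the two behaviours just described can be turned into simple telemetry checks. The following Python is an added example, not code from the Alien Labs report or from the malware: it runs over constructed Sysmon-style process-creation records and flags an msconfig.exe executing from outside the Windows system directories, and PowerShell spawned by cmd.exe (as a batch file launches it) with an encoded, hidden-window command line. The sample paths, events and regex thresholds are assumptions, not indicators from the article.

```python
"""Flag process-creation events consistent with the SeroXen behaviours described above.
All records below are constructed samples, not real telemetry."""
import re
from typing import Dict, List

# Constructed Sysmon-like process-creation records (Event ID 1 fields, simplified).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "C:\\Windows\\System32\\msconfig.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msconfig.exe"},
    {"Image": "C:\\Users\\Public\\Libraries\\msconfig.exe",  # assumed drop folder
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "msconfig.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-Process"},
]

# Legitimate homes for msconfig.exe (lower-cased, trailing backslash so prefix match is exact).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# -EncodedCommand and its abbreviations followed by a base64-looking blob of 20+ chars.
ENCODED_FLAG = re.compile(r"\s-(e|ec|en|enc|encodedcommand)\s+[a-z0-9+/=]{20,}", re.I)
HIDDEN_FLAG = re.compile(r"\s-w(indowstyle)?\s+hidden", re.I)


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules this event matches (empty list = nothing suspicious)."""
    hits: List[str] = []
    image = ev["Image"].lower()
    name = image.rsplit("\\", 1)[-1]
    # Rule 1: a Windows system binary's name running from outside the system directories.
    if name == "msconfig.exe" and not image.startswith(SYSTEM_DIRS):
        hits.append("system_binary_outside_system_dir")
    # Rule 2: PowerShell launched by cmd.exe with an encoded and/or hidden-window command
    # line, the shape an obfuscated PowerShell batch file produces.
    if name in ("powershell.exe", "pwsh.exe") and ev["ParentImage"].lower().endswith("\\cmd.exe"):
        cmd = ev["CommandLine"]
        if ENCODED_FLAG.search(cmd) or HIDDEN_FLAG.search(cmd):
            hits.append("encoded_powershell_from_batch")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, for events matching at least one rule."""
    results: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = flag_event(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

Rule 1 catches only the masquerading name, so a file-create event followed shortly by a delete of the same path (which the article also describes) would be the natural next rule once file telemetry is available.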

“The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT,” Alien Labs wrote in a blog post. “The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT. While the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.”

“Hundreds of samples have shown up since [SeroXen’s] creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
