Stealthy New Trojan SeroXen RAT Bypasses Antiviruses and Gives Hackers Full Access to Targeted Computers

    So far, the tool is used against ordinary gamers, but sooner or later its popularity will also endanger the corporate sector.

    AT&T has discovered a new remote access Trojan called SeroXen RAT, which has recently become extremely popular among cybercriminals due to its high stealth and powerful capabilities.

    On legitimate sites, the malware is sold as a perfectly legal remote-control program for Windows 10 and 11 computers. The price is ridiculously low: $15 per month or $60 for a "lifetime" license.

    However, the cyber-intelligence platform Flare Systems has discovered that SeroXen is advertised on hacker forums as a remote access Trojan. It is unclear whether those promoting the Trojan on the forums are its developers or merely resellers.

    The low cost of the Trojan makes it very accessible to attackers. AT&T has observed hundreds of samples since the tool first appeared in September 2022, and activity is still growing.

    Most SeroXen victims are casual gamers, but as the tool grows in popularity, the target audience may expand to include large companies and organizations.

    SeroXen is based on various open source projects including Quasar RAT, r77 rootkit and NirCmd. “The developer of SeroXen has identified a strong combination of free resources to create a Trojan that is difficult to detect in both static and dynamic analysis. The use of the open source Quasar trojan, which appeared almost ten years ago, provides a solid foundation, and the combination of NirCMD and r77-rootkit is a logical addition to the mix, as they make the tool much more stealthy,” AT&T comments in its report.

    Quasar RAT is a remote administration tool first released in 2014. Its latest version, 1.41, has reverse proxy, remote shell, remote desktop, TLS communication, and file management features. The tool is freely available via GitHub.

    The r77 (Ring 3) rootkit is an open source rootkit that offers fileless persistence on the target system, child process hijacking, malicious code injection, memory process injection, and antivirus bypass.

    NirCmd is a free utility that performs simple Windows system and peripheral management tasks from the command line.

    AT&T has documented attacks that deliver SeroXen through phishing emails or Discord channels, where cybercriminals distribute ZIP archives containing heavily obfuscated batch files. A couple of base64-encoded binaries are extracted from them and loaded into memory using .NET Reflection.

    The only file that touches the device's disk is a modified version of msconfig.exe, which is needed to run the malware and is temporarily stored in the "C:\Windows \System32" directory. Note the extra space after "Windows"; it is deleted immediately after the program is installed.

    Ultimately, a payload called "InstallStager.exe", a variant of the r77 rootkit, is deployed to the target device. It is stored in an obfuscated form in the Windows Registry and is later activated using PowerShell through the Task Scheduler, injecting itself into the "winlogon.exe" process.

    The rootkit loads the SeroXen Trojan into the system's memory, hiding it from view while still providing the desired remote access to the device. Once launched, the Trojan establishes a connection with the C2 server and waits for further commands from the attackers.
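As an added defender-side example (not code from the AT&T report or from the SeroXen project), the Python below turns two of the stages described above into checks run over constructed process-creation events: a path component that only matches a protected directory name once its whitespace is stripped (the "C:\Windows \System32" trick), and PowerShell started by the Task Scheduler. The key="value" event format is invented for the example, and the assumption that the scheduler service runs inside svchost.exe with "-s Schedule" is mine, not the page's.

```python
import re
from typing import Dict, List

# Directory names an attacker may imitate by appending whitespace ("Windows " != "Windows").
PROTECTED_DIR_NAMES = {"windows", "system32"}

def split_path(path: str) -> List[str]:
    """Split a Windows path into components without stripping inner whitespace."""
    return [p for p in re.split(r"[\\/]", path.strip('"')) if p]

def is_mock_system_path(path: str) -> bool:
    """True when a component matches a protected directory name only after
    whitespace is removed, e.g. C:\\Windows \\System32\\msconfig.exe."""
    return any(c != c.strip() and c.strip().lower() in PROTECTED_DIR_NAMES
               for c in split_path(path))

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" process-creation line (not Sysmon's real format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def triage(lines: List[str]) -> List[str]:
    """Return one finding per event that matches a SeroXen-style stage."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        pcmd = ev.get("ParentCommandLine", "").lower()
        if is_mock_system_path(image):
            findings.append(f"mock system directory: {image}")
        # Assumption: the Task Scheduler service is hosted by svchost.exe ... -s Schedule.
        elif (image.lower().endswith("\\powershell.exe")
              and parent.lower().endswith("\\svchost.exe") and "schedule" in pcmd):
            findings.append(f"PowerShell started by Task Scheduler: {image}")
    return findings

# Constructed sample events for this example; they are not taken from the AT&T report.
SAMPLE_EVENTS = [
    'Image="C:\\Windows \\System32\\msconfig.exe" ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'ParentCommandLine="cmd.exe /c setup.bat"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\System32\\svchost.exe" ParentCommandLine="svchost.exe -k netsvcs -p -s Schedule"',
    'Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" '
    'ParentCommandLine="explorer.exe"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The third sample event is a benign control; only the first two produce findings.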

    AT&T analysts also found that SeroXen uses the same TLS certificate as QuasarRAT and has most of the features of the original project, including TCP stream support, efficient network serialization, and QuickLZ compression.

    Researchers fear that the growing popularity of SeroXen will attract hackers interested in attacking large organizations rather than gamers, so the company has released indicators of compromise (IoCs) to give security professionals time to prepare their enterprises.

    Author DeepWeb