Gamers have been targeted by a dangerous and powerful malware strain that some researchers believe could be a stepping stone to attack corporate targets.
Cybersecurity researchers from AT&T recently discovered a remote access trojan (RAT) named “SeroXen” being advertised and sold on the dark web and in Discord channels.
SeroXen is built on several known malware components, including Quasar RAT, the r77 rootkit, and NirCmd. It is difficult to detect and offers many dangerous capabilities.
Selling malware
“The developer of SeroXen found a formidable combination of free resources to develop a hard-to-detect static and dynamic RAT analysis,” AT&T said in its report.
“Using a detailed open-source RAT like Quasar, which has been around for a decade since its first appearance, creates a useful foundation for the RAT,” the company said, adding that “the combination of NirCMD and r77-rootkit are logical additions to the mix, as they make the tool more elusive and harder to detect.”
Quasar allows reverse proxy, remote shell, remote desktop, TLS communication, and file management, and can be obtained from GitHub. The r77 rootkit offers file-less persistence, child process hooking, malware embedding, in-memory process injection, and antivirus evasion, while NirCmd’s goal is to perform simple Windows system tasks, as well as peripheral management tasks.
Some threat actors have been observed advertising the tool as a legitimate remote access program for Windows 10 and Windows 11. They even charge for it – $15 a month, or $60 for a lifetime license. It remains unclear whether the website was built by the SeroXen developers or by affiliates.
At the moment, most of the victims are gamers, but researchers fear that with the increase in popularity, the tool may be taken over by more ambitious actors who may target small or medium-sized businesses (SMBs) and corporate entities, both in the private and public sectors.
Via: Bleeping Computer