Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub
https://www.indiavpn.org/2024/02/27/open-source-xeno-rat-trojan-emerges-as-a-potent-threat-on-github/

Feb 27, 2024 | The Hacker News | Malware / Network Security


An “intricately designed” remote access trojan (RAT) called Xeno RAT has been published on GitHub, making it freely available to other threat actors.

Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a “comprehensive set of features for remote system management,” according to its developer, who goes by the name moom825.

It includes a SOCKS5 reverse proxy, the ability to record real-time audio, and a hidden virtual network computing (hVNC) module along the lines of DarkVNC, which lets attackers gain covert remote access to an infected computer.

“Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools,” the developer states in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.


It’s worth noting that moom825 is also the developer of another C#-based RAT called DiscordRAT 2.0, which has been distributed by threat actors within a malicious npm package named node-hide-console-windows, as disclosed by ReversingLabs in October 2023.

Cybersecurity firm Cyfirma, in a report published last week, said it observed Xeno RAT being disseminated via the Discord content delivery network (CDN), once again underscoring how a rise in affordable and freely available malware is driving an increase in campaigns utilizing RATs.


“The primary vector in the form of a shortcut file, disguised as a WhatsApp screenshot, acts as a downloader,” the company said. “The downloader downloads the ZIP archive from Discord CDN, extracts, and executes the next stage payload.”

The multi-stage sequence uses DLL side-loading to launch a malicious DLL, while also taking steps to establish persistence and to evade analysis and detection.


The development comes as the AhnLab Security Intelligence Center (ASEC) revealed a Gh0st RAT variant called Nood RAT that is used in attacks targeting Linux systems, allowing adversaries to harvest sensitive information.


“Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems’ internal files, and executing commands,” ASEC said.

“Although simple in form, it is equipped with the encryption feature to avoid network packet detection and can receive commands from threat actors to carry out multiple malicious activities.”

New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities
https://www.indiavpn.org/2024/02/01/new-malware-emerges-in-attacks-exploiting-ivanti-vpn-vulnerabilities/

Feb 01, 2024 | Newsroom | Network Security / Malware


Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices.

This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE.

“CHAINLINE is a Python web shell backdoor that is embedded in an Ivanti Connect Secure Python package that enables arbitrary command execution,” the company said, attributing it to UNC5221 and adding that it also detected multiple new versions of WARPWIRE, a JavaScript-based credential stealer.

The infection chains entail a successful exploitation of CVE-2023-46805 and CVE-2024-21887, which allow an unauthenticated threat actor to execute arbitrary commands on the Ivanti appliance with elevated privileges.


The flaws have been abused as zero-days since early December 2023. Germany’s Federal Office for Information Security (BSI) said it’s aware of “multiple compromised systems” in the country.

BUSHWALK, written in Perl and deployed by circumventing the Ivanti-issued mitigations in highly targeted attacks, is embedded into a legitimate Connect Secure file named “querymanifest.cgi” and gives the attacker the ability to read or write files on the server.

FRAMESTING, on the other hand, is a Python web shell embedded in an Ivanti Connect Secure Python package (located at “/home/venv3/lib/python3.6/site-packages/cav-0.1-py3.6.egg/cav/api/resources/category.py”) that enables arbitrary command execution.

Mandiant’s analysis of the ZIPLINE passive backdoor has also uncovered its use of “extensive functionality to ensure the authentication of its custom protocol used to establish command-and-control (C2).”

Furthermore, the attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.


Ivanti has since disclosed two more security flaws, CVE-2024-21888 and CVE-2024-21893, the latter of which has come under active exploitation targeting a “limited number of customers.” The company has also released the first round of fixes to address the four vulnerabilities.

UNC5221 is said to target a wide range of industries that are of strategic interest to China, with its infrastructure and tooling overlapping with past intrusions linked to China-based espionage actors.

“Linux-based tools identified in incident response investigations use code from multiple Chinese-language Github repositories,” Mandiant said. “UNC5221 has largely leveraged TTPs associated with zero-day exploitation of edge infrastructure by suspected PRC nexus actors.”

Swiss Army Knife of Information Stealers Emerges
https://www.indiavpn.org/2023/12/25/swiss-army-knife-of-information-stealers-emerges/
Mon, 25 Dec 2023

The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable.

This approach not only transforms it into a threat capable of meeting “specific distributor needs,” but also makes it more potent, Check Point said in a technical deep dive published last week.

Rhadamanthys, first documented by ThreatMon in October 2022, has been sold under the malware-as-a-service (MaaS) model as early as September 2022 by an actor under the alias “kingcrete2022.”

Typically distributed through malicious websites that mirror those of genuine software and are advertised through Google ads, the malware is capable of harvesting a wide range of sensitive information from compromised hosts, including data from web browsers, crypto wallets, email clients, VPN clients, and instant messaging apps.


“Rhadamanthys represents a step in the emerging tradition of malware that tries to do as much as possible, and also a demonstration that in the malware business, having a strong brand is everything,” the Israeli cybersecurity firm noted in March 2022.

A subsequent investigation into the off-the-shelf malware in August revealed “design and implementation” overlap with that of the Hidden Bee coin miner.

“The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems, identical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design,” the researchers said, describing the malware’s development as “fast-paced and ongoing.”

As of writing, the current working version of Rhadamanthys is 0.5.2, per the description on the threat actor’s Telegram channel.

Check Point’s analysis of versions 0.5.0 and 0.5.1 reveals a new plugin system that effectively makes it more of a Swiss Army knife, indicating a shift towards modularization and customization. This also allows the stealer’s customers to deploy additional tools tailored to their targets.

The stealer’s components are either active, meaning they open processes and inject additional payloads designed to facilitate information theft, or passive, meaning they search and parse specific files to retrieve saved credentials.

Another noticeable aspect is the use of a Lua script runner that can load up to 100 Lua scripts to pilfer as much information as possible from cryptocurrency wallets, email agents, FTP services, note-taking apps, instant messengers, VPNs, two-factor authentication apps, and password managers.

Version 0.5.1 goes a step further, adding clipper functionality that alters clipboard data matching wallet addresses in order to divert cryptocurrency payments to an attacker-controlled wallet, as well as an option to recover Google Account cookies, following in the footsteps of Lumma Stealer.

“The author keeps enriching the set of available features, trying to make it not only a stealer but a multipurpose bot, by enabling it to load multiple extensions created by a distributor,” security researcher Aleksandra “Hasherezade” Doniec said.


“The added features, such as a keylogger, and collecting information about the system, are also a step towards making it a general-purpose spyware.”

AsyncRAT’s Code Injection into aspnet_compiler.exe

The findings come as Trend Micro detailed new AsyncRAT infection chains that leverage a legitimate Microsoft process called aspnet_compiler.exe, which is used for precompiling ASP.NET web applications, to stealthily deploy the remote access trojan (RAT) via phishing attacks.

Similar to how Rhadamanthys carries out code injection into running processes, the multi-stage process culminates in the AsyncRAT payload being injected into a newly spawned aspnet_compiler.exe process to ultimately establish contact with a command-and-control (C2) server.

“The AsyncRAT backdoor has other capabilities depending on the embedded configuration,” security researchers Buddy Tancio, Fe Cureg, and Maria Emreen Viray said. “This includes anti-debugging and analysis checks, persistence installation, and keylogging.”

It’s also designed to scan particular folders within the application directory, browser extensions, and user data to check for the presence of crypto wallets. On top of that, the threat actors have been observed relying on Dynamic DNS (DDNS) to deliberately obscure their infrastructure.

“The use of dynamic host servers allows threat actors to seamlessly update their IP addresses, strengthening their ability to remain undetected within the system,” the researchers said.
