This post was last edited by jiangmingzi on 2024-3-24 17:45
THN 知机安全 2024-02-28 09:53 Guangdong
An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost.
Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825.
It includes a SOCKS5 reverse proxy and the ability to record real-time audio, as well as incorporate a hidden virtual network computing (hVNC) module along the lines of DarkVNC, which allows attackers to gain remote access to an infected computer.
"Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools," the developer states in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.
It's worth noting that moom825 is also the developer of another C#-based RAT called DiscordRAT 2.0, which has been distributed by threat actors within a malicious npm package named node-hide-console-windows, as disclosed by ReversingLabs in October 2023.
Cybersecurity firm Cyfirma, in a report published last week, said it observed Xeno RAT being disseminated via the Discord content delivery network (CDN), once again underscoring how a rise in affordable and freely available malware is driving an increase in campaigns utilizing RATs.
"The primary vector in the form of a shortcut file, disguised as a WhatsApp screenshot, acts as a downloader," the company said. "The downloader downloads the ZIP archive from Discord CDN, extracts, and executes the next stage payload."
The multi-stage sequence leverages a technique called DLL side-loading to launch a malicious DLL, while simultaneously taking steps to establish persistence and evade analysis and detection.
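A defender-side triage sketch for the chain described above (a shortcut disguised as a screenshot, a stage-2 fetch from the Discord CDN, and a DLL loaded from a user-writable directory next to its host EXE), added here as an example rather than code from the article or from Cyfirma's report; the Sysmon-style event records, paths and host names are constructed assumptions:

```python
import ntpath
import re

# Constructed Sysmon-style events (not real telemetry; EventID 1 = process create,
# 3 = network connect, 7 = DLL load). Paths and hosts are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\Downloads\WhatsApp Screenshot 2024.png.lnk"'},
    {"id": 3, "image": r"C:\Windows\System32\curl.exe", "dest": "cdn.discordapp.com"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "cdn.discordapp.com"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\ex\updater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\ex\version.dll"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
DISCORD_CDN = {"cdn.discordapp.com", "media.discordapp.net"}
# Shortcut whose name ends in an image/document extension before ".lnk".
DISGUISED_LNK = re.compile(r"\.(png|jpe?g|gif|pdf|docx?)\.lnk\b", re.I)
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users|ProgramData)\\", re.I)


def is_disguised_lnk(cmdline: str) -> bool:
    return DISGUISED_LNK.search(cmdline) is not None


def is_nonbrowser_cdn_fetch(event: dict) -> bool:
    """Non-browser process reaching the Discord CDN (stage-2 download)."""
    proc = ntpath.basename(event["image"]).lower()
    return event["dest"].lower() in DISCORD_CDN and proc not in BROWSERS


def is_possible_sideload(event: dict) -> bool:
    """EXE loading a DLL from its own directory under a user-writable path."""
    exe_dir = ntpath.dirname(event["image"]).lower()
    dll_dir = ntpath.dirname(event["loaded"]).lower()
    return exe_dir == dll_dir and USER_WRITABLE.match(event["image"]) is not None


def triage(events: list) -> list:
    """Return (rule, detail) pairs for events that match one of the rules."""
    hits = []
    for e in events:
        if e["id"] == 1 and is_disguised_lnk(e["cmdline"]):
            hits.append(("disguised_lnk", e["cmdline"]))
        elif e["id"] == 3 and is_nonbrowser_cdn_fetch(e):
            hits.append(("nonbrowser_discord_cdn", e["image"]))
        elif e["id"] == 7 and is_possible_sideload(e):
            hits.append(("dll_sideload_candidate", e["loaded"]))
    return hits
```

The rules are coarse heuristics for a first hunt query; a legitimate installer can also load DLLs from %TEMP%, so treat the side-load rule as a lead to verify, not a verdict.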
The development comes as the AhnLab Security Intelligence Center (ASEC) revealed the use of a Gh0st RAT variant called Nood RAT that's used in attacks targeting Linux systems, allowing adversaries to harvest sensitive information.
"Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems' internal files, and executing commands," ASEC said.
"Although simple in form, it is equipped with the encryption feature to avoid network packet detection and can receive commands from threat actors to carry out multiple malicious activities."