SeroXen RAT - a Fileless Threat That Evades Detection

Security analysts are tracking an emerging fileless remote access trojan (RAT) called SeroXen, built to slip past many endpoint detection and response (EDR) products. SeroXen is a modified version of Quasar, an open-source remote administration tool that has been around for several years and has been misused by APT groups in the past. SeroXen itself has been circulating for a few months and is sold on social media and hacking forums for a monthly fee of $30.

Researchers at AT&T Alien Labs analyzed SeroXen and found that the sample they examined was not detected by any antimalware engine on VirusTotal, largely because it gives static analysis very little to work with. The RAT is hidden inside an obfuscated batch file that hands off to PowerShell and typically weighs in at 12 to 14 megabytes. Many antivirus engines skip files above a size limit, or scan them only superficially, so the sheer bulk of the file is enough to sidestep them.

Although that sample triggered no antivirus detections on VirusTotal, several crowdsourced Sigma rules flagged its behaviour as suspicious. SeroXen is harder for antivirus products to catch because it is fileless: it runs entirely in memory and passes through several decryption and decompression stages before the payload appears. Its rootkit component also loads a fresh copy of ntdll.dll into the process. EDR products commonly hook functions in the ntdll.dll already mapped into a process to spot process injection, so a clean, unhooked copy lets the RAT call those functions without being observed.

SeroXen Distribution Methods and Capabilities

Attackers typically distribute SeroXen through phishing emails or Discord channels. The lure delivers a seemingly harmless ZIP archive that also contains a hidden batch file, which executes automatically. After a series of intermediate stages, the final payload consists of two .NET arrays; one of them is a rootkit that provides fileless persistence, in-memory process injection, EDR evasion and function hooking.
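Two details above are worth turning into a check: the dropper is a batch file large enough that size-capped antivirus scans may skip it, and it arrives hidden inside an archive. The script below is an added example written for this article, not code from AT&T Alien Labs or from the SeroXen or Quasar projects. It walks a set of directories (the default paths, the 5 MB threshold and the 1 MB sample size are assumptions), includes hidden files, and reports oversized .bat/.cmd files together with a Shannon entropy figure and the density of caret and percent characters, both of which rise sharply in obfuscated batch scripts. It does not attempt to identify SeroXen specifically; it surfaces candidates for manual review.

```powershell
# Added example (not from the original article): triage oversized batch files
# that a size-limited AV scan may have skipped. All thresholds are assumptions.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [int]$MinSizeMB = 5,
    [int]$SampleBytes = 1MB
)

function Get-ShannonEntropy {
    # Bits per byte; plain batch text sits well below 6, packed/encoded data near 8
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return [Math]::Round($entropy, 3)
}

function Get-CaretPercentRatio {
    # Fraction of '^' and '%' characters; batch obfuscators lean on both heavily
    param([string]$Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $n = ([regex]::Matches($Text, '[\^%]')).Count
    return [Math]::Round($n / $Text.Length, 3)
}

function Get-SuspiciousBatchFiles {
    param([string[]]$Dirs, [int]$MinMB, [int]$Sample)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force is essential: without it Get-ChildItem silently skips hidden files
        Get-ChildItem -LiteralPath $dir -Recurse -Force -File -Include *.bat, *.cmd -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -ge ($MinMB * 1MB) } |
            ForEach-Object {
                # Read only the first chunk; enough to measure entropy and obfuscation density
                $fs = [System.IO.File]::OpenRead($_.FullName)
                try {
                    $buf = New-Object byte[] ([int][Math]::Min($fs.Length, $Sample))
                    [void]$fs.Read($buf, 0, $buf.Length)
                } finally {
                    $fs.Dispose()
                }
                $text = [System.Text.Encoding]::ASCII.GetString($buf)
                [pscustomobject]@{
                    Path             = $_.FullName
                    SizeMB           = [Math]::Round($_.Length / 1MB, 1)
                    Hidden           = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Entropy          = Get-ShannonEntropy -Bytes $buf
                    CaretPercentRatio = Get-CaretPercentRatio -Text $text
                    Sha256           = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
                }
            }
    }
}

Get-SuspiciousBatchFiles -Dirs $Paths -MinMB $MinSizeMB -Sample $SampleBytes |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that other users' profile directories are readable, and feed the SHA256 column to your own sandbox or a multi-engine scanner rather than trusting a verdict from any single product; the whole point of the article is that a static scan of this file type cannot be relied on.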

Because SeroXen is built on QuasarRAT, the command and control (C&C) server used by the threat actors presents the same Common Name in its TLS certificate that Quasar does. The server's functionality closely matches what is in the Quasar GitHub repository: TCP network streams over both IPv4 and IPv6, efficient network serialization, QuickLZ compression and TLS-encrypted communication, the researchers note. That shared certificate name is a useful hunting lead, but it should be treated as one indicator among several: Quasar is open source, and a certificate attribute is trivial for an operator to change.

June 1, 2023