Open-Source Malware: The Xeno RAT Threat Exposed
A new advanced Remote Access Tool (RAT) named Xeno RAT has been published on GitHub. This Trojan, crafted in the C# programming language and compatible with Windows 10 and Windows 11 operating systems, offers “a comprehensive suite of features for remote system management,” according to statements by the developer, who operates under the pseudonym moom825.
Xeno RAT’s capabilities include a reverse SOCKS5 proxy server, the ability to record audio in real time, and the integration of a Hidden Virtual Network Computing (hVNC) module akin to DarkVNC. This module permits malefactors to gain remote access to an infected computer.
The developer also highlighted the tool’s “entertaining” features, such as the ability to induce a “Blue Screen of Death” on demand, disable the monitor of the remote host, and open/close the compact disc tray, among others.
Despite the developer’s claim that Xeno RAT was created solely for educational purposes, it is widely understood who will employ this malware and for what nefarious purposes.
Xeno RAT was developed from the ground up, ensuring a “unique and customized approach to remote access tools.” The developer also notes the presence of a builder, allowing for the creation of specialized versions of the tool.
Notably, moom825 is also the creator of another C#-based remote access Trojan named DiscordRAT 2.0, which had previously been disseminated by malefactors through a malicious npm package named “node-hide-console-windows.”
Cybersecurity firm Cyfirma, in its report published last week, reported observing the dissemination of Xeno RAT via the Discord content delivery network. The primary attack vector employed by malefactors involved a shortcut file masquerading as a WhatsApp screenshot, which downloaded a ZIP archive from Discord servers, extracted its contents, and executed the malicious software’s next stage.
This multi-stage attack sequence employs the DLL sideloading technique to launch a malicious DLL, while also taking steps to establish persistence on the system and to evade analysis and detection.
Cyfirma's investigation once again underscores how the open publication of malware source code fuels an increase in malicious campaigns leveraging it.
To mitigate the risks associated with the malicious Xeno RAT software, users are advised to exercise caution when opening files from unreliable sources or clicking on unfamiliar links, particularly those offering dubious software or content.
Furthermore, implementing robust cybersecurity measures, including the use of quality antivirus software, ensuring regular software updates, and being vigilant about social engineering tactics, can significantly enhance protection against such threats.