Xeno RAT Technical Analysis

This blog post comes from the Xeno RAT Technical Analysis report. If you want to download it as a PDF click here

Executive Summary

Xeno RAT, an open-source remote access tool introduced this year, has rapidly gained popularity in the cybersecurity community. Its ongoing development aims to compete with commercial RATs by providing a wide range of features at no cost. The user-friendly builder tool enables easy creation of client files, facilitating deployment across various campaigns.

In terms of functionality, Xeno RAT offers a comprehensive suite of tools for remote system management. It includes capabilities such as reverse proxy, detailed process, file, and registry management, catering to diverse user needs. The shell interface allows for convenient interaction, while the InfoGrab feature excels at extracting sensitive data like cookies, passwords, and credit card information, making it a valuable asset for cyber adversaries.

Furthermore, Xeno RAT emphasizes persistence, enabling attackers to establish a foothold on compromised systems through startup file creation. Its advanced bypass techniques for User Account Control (UAC) and Windows directory restrictions enhance its ability to evade system defenses and maintain access over time.

File Identification

MITRE ATTA&CK Threat Matrix

• TA002 Execution
  • T1204 User Execution
    • T1204.002 Malicious File
  • T1047 Windows Management Instrumentation
  • T1053 Scheduled Task/Job
    • T1053.005 Scheduled Task
• TA003 Persistence
  • T1547 Boot or Logon Autostart Execution
    • T1547.001 Registry Run Keys / Startup Folder
• TA005 Defense Evasion
  • T1140 Deobfuscate/Decode Files or Information
  • T1112 Modify Registry
• TA006 Credential Access
  • T1555 Credentials from Password Stores
    • T1555.003 Credentials from Web Browsers
  • T1539 Steal Web Session Cookie
• TA007 Discovery
  • T1012 Query Registry
  • T1033 System Owner/User Discovery
  • T1057 Process Discovery
  • T1082 System Information Discovery
  • T1083 File and Directory Discovery
  • T1087 Account Discovery
  • T1518 Software Discovery
    • T1518.001 Security Software Discovery
• TA007 Collection
  • T1056 Input Capture
• TA0040 Impact
  • T1529 System Shutdown/Reboot

Conclusion

Mitigation Strategies

Here are some general mitigation recommendations to protect against Xeno RAT:

• Monitor the existence of files in the directory %APPDATA%\Adobe\Drivers to detect any suspicious activities or files associated with Xeno RAT.
• Regularly inspect the contents of scheduled tasks on the system to identify any malicious tasks created by Xeno RAT or unauthorized tasks that could potentially be leveraged for malicious purposes.
• Exercise caution when encountering files that appear to be PNG images but are actually .lnk files. These files can run commands and download malicious files. They may be obfuscated or disguised to evade detection. Implement measures to identify and analyze such files for potential threats associated with Xeno RAT.

Implementing these recommendations can help minimize the risk of Xeno RAT and protect your organization from potential damage.

This blog post comes from the Xeno RAT Technical Analysis report. If you want to download it as a PDF click here