Gamers are being targeted by a dangerous and potent malware strain that some researchers believe could be a stepping stone towards attacking corporate targets.
Cybersecurity researchers from AT&T recently discovered a remote access trojan (RAT) named “SeroXen” being advertised and sold on the dark web and in Discord channels.
SeroXen is assembled from several known tools, including the Quasar RAT, the r77 rootkit, and NirCmd. It is hard to detect and offers a number of dangerous capabilities.
“The SeroXen developer has found a formidable combination of free resources to develop a hard to detect in static and dynamic analysis RAT,” AT&T says in its report.
“The use of an elaborated open-source RAT like Quasar, with almost a decade since its first appearance, makes an advantageous foundation for the RAT,” the company says, further stating that “the combination of NirCMD and r77-rootkit are logical additions to the mix, since they make the tool more elusive and harder to detect.”
Quasar, which is freely available on GitHub, provides reverse proxying, a remote shell, remote desktop, TLS-encrypted communication, and file management. The r77 rootkit adds fileless persistence, child-process hooking, malware embedding, in-memory process injection, and antivirus evasion, while NirCmd is a command-line utility for performing simple Windows system tasks and peripheral-management tasks.
Some threat actors were observed advertising the tool as a legitimate remote access program for Windows 10 and Windows 11. They even charge for it: $15 a month, or $60 for a lifetime license. It remains unclear whether the website selling it was built by SeroXen's developers or by affiliates.
At the moment, most of the victims are gamers, but the researchers fear that as the tool grows in popularity it may be picked up by more ambitious actors who could target small and medium-sized businesses (SMBs) and corporate entities in both the private and public sectors.