Decrypt LOL
New XenoRAT Sample Targets Gamers Using Excel File

Quick take - Researchers have discovered a new sample of the XenoRAT remote access tool, delivered via an Excel XLL file that employs advanced evasion techniques, indicating a potential shift in its targeting strategy from individual users to enterprise networks.

Fast Facts

  • A new sample of XenoRAT, titled “Payment_Details.xll,” targets gamers by disguising itself as legitimate software and is delivered via an Excel XLL file using the Excel-DNA framework.
  • The XLL file is protected with ConfuserEx, indicating a shift in XenoRAT’s strategy towards targeting enterprise networks rather than individual users.
  • The sample was found in a compressed file containing an obfuscated batch file and a decoy PDF designed to appear as part of a legitimate financial transaction.
  • The XenoRAT payload, identified as “Original.exe,” connects to a hardcoded command-and-control server in Bulgaria, utilizing advanced obfuscation techniques to evade detection.
  • The findings highlight the evolution of XenoRAT’s deployment tactics and the need for increased vigilance against malware using less common file extensions.

New Sample of XenoRAT Uncovered

Researchers have recently uncovered a new sample of XenoRAT, a remote access tool (RAT) known for targeting gamers by masquerading as legitimate software. This particular sample, titled “Payment_Details.xll,” was delivered using a unique method involving an Excel XLL file created with the Excel-DNA framework.

Deployment Strategy Shift

The XLL file was protected with ConfuserEx, a .NET obfuscator that hinders static analysis and signature-based detection. This suggests a shift in XenoRAT’s deployment strategy from targeting individual users to potentially focusing on enterprise networks. The analyzed sample was found within a compressed file named “21102024_0022_18102024_Payment_Details.gz.zip,” which contained two items: “Payment_Details.xll” and “PlainText.txt.” The accompanying “PlainText.txt” held a generic message and disclaimer, likely intended to build trust with the target.

Malware Delivery Mechanism

The XLL file functions as a dropper for XenoRAT as well as for another remote access tool. The Excel-DNA framework allows compressed .NET assemblies to be loaded directly into memory, making it an attractive vehicle for malware delivery. Upon execution, the XLL file triggers several stages, starting with an obfuscated batch file named “cfgdf.bat.” This batch file then launches “zgouble.sfx.exe,” a self-extracting (SFX) RAR archive that unpacks its contents into the Temp directory.

Users are presented with a decoy PDF titled “Pago.pdf,” designed to look like part of a legitimate financial transaction and containing faint headings related to payment information. The SFX archive is password-protected, which shields its contents from inspection by tools that cannot supply the password. Further analysis revealed another executable named “cvghfy.exe,” likely extracted from the SFX archive, which also showed signs of obfuscation and packing, indicating efforts to evade detection.

Key Findings and Implications

Ultimately, the analysis identified “Original.exe” as the XenoRAT payload. The configuration of XenoRAT includes a hardcoded command-and-control (C2) server address. The identified C2 IP address is 87.120.116[.]115, which communicates over TCP port 1391 and is hosted in Bulgaria. The file’s metadata featured an unusual compilation timestamp of 10/22/2052, likely an attempt to evade detection. Additionally, a self-signed certificate was detected on RDP port 3389 around the same time as the file’s emergence.

While no additional servers linked to this campaign were identified, the provided indicators can assist in future monitoring efforts. The findings underscore a notable evolution in XenoRAT’s deployment tactics, particularly evident through the use of Excel XLL files and advanced obfuscation techniques. This highlights the adaptability of open-source malware and emphasizes the need for vigilance, including the monitoring and potential blocking of less common file extensions to mitigate associated risks.
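As an added example (not code from the original article or from the cited research), the Python triage helper below shows two checks the findings above suggest for defenders: flagging archive members that carry uncommon delivery extensions such as .xll, and reading a PE file's COFF compile timestamp to catch implausible future dates like the 2052 value noted for the sample. The zip contents and PE header are constructed stand-ins, not the real files.

```python
import io
import struct
import zipfile
from datetime import datetime, timezone
from typing import List, Optional

# Extensions the article singles out as uncommon or abused delivery vehicles.
RISKY_EXTENSIONS = (".xll", ".bat", ".sfx.exe", ".exe")

# Constructed stand-in for the sample's 10/22/2052 compile timestamp (UTC epoch seconds).
SAMPLE_COMPILE_TS = int(datetime(2052, 10, 22, tzinfo=timezone.utc).timestamp())


def flag_archive_members(zip_bytes: bytes) -> List[str]:
    """Return the names inside a zip whose extension is on the risky list."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(RISKY_EXTENSIONS)]


def pe_timestamp(pe_bytes: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", pe_bytes, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_suspicious(pe_bytes: bytes, now: Optional[datetime] = None) -> bool:
    """True when the compile timestamp lies in the future, as the sample's 2052 date does."""
    now = now or datetime.now(timezone.utc)
    return pe_timestamp(pe_bytes) > now


def build_sample_zip() -> bytes:
    """Constructed archive mirroring the observed member names (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Details.xll", b"placeholder, not a real add-in")
        zf.writestr("PlainText.txt", b"generic disclaimer text")
    return buf.getvalue()


def build_stub_pe(unix_ts: int) -> bytes:
    """Constructed minimal MZ/PE header with a chosen TimeDateStamp (not runnable code)."""
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header += b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, unix_ts)
    return bytes(header)
```

Running `flag_archive_members(build_sample_zip())` returns only the .xll member, and `timestamp_is_suspicious(build_stub_pe(SAMPLE_COMPILE_TS))` is true because the stamp lies decades in the future.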