Xeno RAT Abuses Windows DLL Search To Avoid Detection


A new, sophisticated remote access trojan written in C# has been discovered.

The malware has been named Xeno RAT. It evades detection, includes a payload builder and, adding to the threat, is available as open source on GitHub.

Xeno RAT also uses process injection, obfuscation, anti-debugging and covert C2 communication, among other techniques, which make it harder to detect.

The primary delivery vector is a Windows shortcut (.lnk) file that acts as a multi-stage payload downloader.

According to the reports shared with Cyber Security News, the malware was initially delivered as a shortcut file (.lnk) named "WhatsApp_2023-12-12_12-59-06-18264122612_DCIM.png.lnk", a double extension that makes it look like an image.



The LNK file acts as a downloader: it uses the Windows command shell (cmd.exe) to fetch a ZIP archive from a Discord CDN URL and execute the payload it contains.

Screenshot of the LNK file (Source: Cyfirma)

First Stage Execution

The LNK file carries obfuscated command-line arguments containing two shortened URLs, each of which downloads a file from the Discord CDN.

One of the files is benign; the other is the payload ZIP archive, which is downloaded and extracted to C:\Users\user\AppData\Roaming\Adobe\Drivers.

(Source: Cyfirma)

The ZIP archive contains three files: two portable executables, an EXE and a DLL, and a third file of unknown type named LICENSE.

The EXE is ADExplorer.exe, the legitimate Active Directory viewer and editor from Microsoft's Windows Sysinternals suite.

(Source: Cyfirma)

The DLL (samcli.dll) is the malicious payload; its name mimics the legitimate Windows "Security Accounts Manager Client DLL".

Although the DLL carries a signature, the signature does not verify. The LICENSE file contains obfuscated text and has read/write permissions.

(Source: Cyfirma)

Second Stage Execution

In this stage, the remaining commands in the LNK file launch ADExplorer.exe without any prompts.

ADExplorer.exe depends on samcli.dll, and the Windows loader resolves that dependency using the DLL search order. With SafeDllSearchMode enabled (the default), the loader checks the directory the executable was loaded from before %SystemRoot%\System32, so a malicious samcli.dll placed next to ADExplorer.exe (here the extracted ZIP folder, which is also the current working directory) is loaded in place of the legitimate system DLL. This is DLL search order hijacking, commonly called DLL sideloading; because the host process is a signed Microsoft tool, the malicious code runs under a trusted image.

The malicious samcli.dll is thus loaded into the ADExplorer.exe process. ADExplorer.exe then creates a suspended process, hh.exe, and injects code into it.

In addition, ADExplorer.exe creates two shortcut files in the current working directory, named "Guide.lnk" and "Support.url".

The URL file points to Guide.lnk, which performs the same function as the first downloaded LNK file.
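The search-order behaviour that makes this sideload work can be modelled in a few lines. The following is an added example, not code from the Cyfirma report, Sysinternals or Xeno RAT: it walks the default Windows DLL search order (SafeDllSearchMode on) over a constructed file layout and shows why the samcli.dll in the extracted folder is chosen over the one in System32, and why a KnownDLLs entry such as kernel32.dll cannot be hijacked the same way. The paths, the file list and the KnownDLLs subset are assumptions made for the demo; the resolver ignores manifests, .local redirection and LOAD_LIBRARY_SEARCH_* flags.

```python
# Added example (not code from the Cyfirma report, Sysinternals or Xeno RAT):
# a model of the default Windows DLL search order, showing why a samcli.dll
# dropped beside ADExplorer.exe wins over the legitimate copy in System32.
# Paths, file layout and the KnownDLLs subset below are constructed for the demo.

SYSTEM_ROOT = r"C:\Windows"
APP_DIR = r"C:\Users\user\AppData\Roaming\Adobe\Drivers"   # where the ZIP was extracted

# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# KnownDLLs are always mapped from System32, so they cannot be sideloaded this
# way. samcli.dll is not on the default list (assumption made for the demo).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}

# Constructed file layout: a clean System32 plus the attacker's extracted folder.
FILES = [
    SYSTEM_ROOT + r"\System32\samcli.dll",   # legitimate SAM client DLL
    SYSTEM_ROOT + r"\System32\netapi32.dll",
    SYSTEM_ROOT + r"\System32\kernel32.dll",
    APP_DIR + r"\ADExplorer.exe",            # signed Sysinternals binary
    APP_DIR + r"\samcli.dll",                # attacker's DLL with the same name
    APP_DIR + r"\LICENSE",
]


def join(directory, name):
    """Case-insensitive Windows path join used for all comparisons below."""
    return (directory.rstrip("\\") + "\\" + name).lower()


def search_order(app_dir, cwd, path_dirs=(), system_root=SYSTEM_ROOT):
    """Directories LoadLibrary("name.dll") walks when no path is given and
    SafeDllSearchMode is enabled (the default). The application directory is
    first in either mode; SafeDllSearchMode only moves the CWD from second to
    fifth place. Manifests, .local redirection and LOAD_LIBRARY_SEARCH_* flags
    are ignored by this model."""
    return [
        app_dir,
        join(system_root, "System32"),
        join(system_root, "System"),   # 16-bit system directory
        system_root,
        cwd,
        *path_dirs,
    ]


def resolve_dll(name, files, app_dir, cwd, path_dirs=(), system_root=SYSTEM_ROOT):
    """Full (lower-cased) path the loader would map for `name`, or None."""
    name = name.lower()
    present = {f.lower() for f in files}
    if name in KNOWN_DLLS:                       # section from System32, search skipped
        return join(join(system_root, "System32"), name)
    for directory in search_order(app_dir, cwd, path_dirs, system_root):
        candidate = join(directory, name)
        if candidate in present:
            return candidate
    return None


def sideload_candidates(app_dir, files, system_root=SYSTEM_ROOT):
    """DLL names present in app_dir that shadow a same-named System32 DLL and
    are not protected by KnownDLLs: exactly the hijack the article describes."""
    present = {f.lower() for f in files}
    system32 = join(system_root, "System32")
    hits = []
    for f in sorted(present):
        directory, _, dll = f.rpartition("\\")
        if (directory == app_dir.lower() and dll.endswith(".dll")
                and join(system32, dll) in present and dll not in KNOWN_DLLS):
            hits.append(dll)
    return hits


if __name__ == "__main__":
    print(resolve_dll("samcli.dll", FILES, APP_DIR, APP_DIR))    # the planted copy
    print(resolve_dll("netapi32.dll", FILES, APP_DIR, APP_DIR))  # the System32 copy
    print(sideload_candidates(APP_DIR, FILES))                   # ['samcli.dll']
```

The same `sideload_candidates` check, run against a real application directory and a real System32 listing, is a cheap way to audit third-party tools shipped with companion DLLs; anything it reports should either be a KnownDLL or be loaded by full path.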

Third and Final Stage Execution

In the third stage, hh.exe creates another suspended process, colorcpl.exe, and injects code into it.

hh.exe then exits, and the colorcpl.exe process is resumed and continues running under explorer.exe. In the final stage, colorcpl.exe checks whether Xeno RAT is already installed on the victim machine.

If no existing installation is found, the process begins communicating with the C2 domain internal-liveapps[.]online, which resolves to 45[.]61[.]139[.]51. The C2 traffic is obfuscated.
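Each stage above leaves a distinct host artefact: a System32-named DLL loading from a user-writable folder with a signature that does not verify, signed Windows binaries (hh.exe, colorcpl.exe) started by an unexpected parent, remote threads created in those binaries, and a DNS query for the C2 domain. The block below is an added example, not the Cyfirma report's or Cyber Security News' code: simple detection rules for those artefacts run over constructed Sysmon-style events (IDs 1, 7, 8 and 22, using Sysmon's field names). The events, the DLL-name list, the expected-parent list and the injection-host list are assumptions built for the demo and would be tuned to a real environment.

```python
# Added example (not from the Cyfirma report or Cyber Security News): detection
# logic for the execution chain described in the article, run over constructed
# Sysmon-style events. Field names follow Sysmon's schema (event IDs 1, 7, 8,
# 22); the events are made up to mirror the chain cmd.exe -> ADExplorer.exe
# (sideloads samcli.dll) -> hh.exe -> colorcpl.exe -> DNS query to the C2.
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names that ship in System32; a copy loading from anywhere else is a
# sideloading candidate. Illustrative subset, not a complete inventory.
SYSTEM_DLL_NAMES = {"samcli.dll", "netapi32.dll", "version.dll", "dbghelp.dll"}
# Signed Windows binaries the article reports as injection hosts.
INJECTION_HOSTS = {"hh.exe", "colorcpl.exe"}
# Parents from which those hosts are normally started (assumed allowlist).
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}
C2_DOMAINS = {"internal-liveapps.online"}      # from the article's IOCs

APP = r"C:\Users\user\AppData\Roaming\Adobe\Drivers"
EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": APP + r"\ADExplorer.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 7, "Image": APP + r"\ADExplorer.exe", "ImageLoaded": r"C:\Windows\System32\netapi32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": APP + r"\ADExplorer.exe", "ImageLoaded": APP + r"\samcli.dll",
     "Signed": "true", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Windows\hh.exe", "ParentImage": APP + r"\ADExplorer.exe"},
    {"EventID": 8, "SourceImage": APP + r"\ADExplorer.exe", "TargetImage": r"C:\Windows\hh.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\colorcpl.exe", "ParentImage": r"C:\Windows\hh.exe"},
    {"EventID": 8, "SourceImage": r"C:\Windows\hh.exe", "TargetImage": r"C:\Windows\System32\colorcpl.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\colorcpl.exe", "QueryName": "internal-liveapps.online"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def rule_dll_sideload(e):
    """ImageLoad of a System32 DLL name from a directory that is not a system dir."""
    if e["EventID"] == 7 and _name(e["ImageLoaded"]) in SYSTEM_DLL_NAMES \
            and _dir(e["ImageLoaded"]) not in SYSTEM_DIRS:
        return f"{_name(e['Image'])} loaded {e['ImageLoaded']} outside System32"


def rule_unverified_signature(e):
    """ImageLoad from a non-system dir whose Authenticode status is not Valid."""
    if e["EventID"] == 7 and _dir(e["ImageLoaded"]) not in SYSTEM_DIRS \
            and e.get("SignatureStatus", "").lower() != "valid":
        return f"{e['ImageLoaded']} signature status {e.get('SignatureStatus', 'missing')}"


def rule_odd_host_parent(e):
    """Known injection host started by a parent outside the expected set."""
    if e["EventID"] == 1 and _name(e["Image"]) in INJECTION_HOSTS \
            and _name(e["ParentImage"]) not in EXPECTED_PARENTS:
        return f"{_name(e['Image'])} started by {e['ParentImage']}"


def rule_remote_thread(e):
    """CreateRemoteThread into one of the injection hosts."""
    if e["EventID"] == 8 and _name(e["TargetImage"]) in INJECTION_HOSTS:
        return f"{_name(e['SourceImage'])} created a thread in {_name(e['TargetImage'])}"


def rule_c2_dns(e):
    """DNS query for a known C2 domain."""
    if e["EventID"] == 22 and e["QueryName"].lower().rstrip(".") in C2_DOMAINS:
        return f"{_name(e['Image'])} resolved {e['QueryName']}"


RULES = [rule_dll_sideload, rule_unverified_signature, rule_odd_host_parent,
         rule_remote_thread, rule_c2_dns]


def detect(events):
    """Return (rule_name, detail) for every event/rule pair that fires."""
    alerts = []
    for e in events:
        for rule in RULES:
            detail = rule(e)
            if detail:
                alerts.append((rule.__name__[len("rule_"):], detail))
    return alerts


def alert_counts(events):
    counts = {}
    for name, _ in detect(events):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, detail in detect(EVENTS):
        print(f"[{name}] {detail}")
```

No single rule here is a conviction on its own (a legitimately sideloaded DLL or an hh.exe launched from a help menu will trip one), but several of them firing on the same process tree within a short window is the chain the article describes and is worth an alert.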

(Source: Cyfirma)

Xeno RAT supports a range of functions, including system monitoring, anti-analysis checks, hidden VNC, a SOCKS5 proxy connection through the C2 server, persistence via scheduled tasks, process injection, network traffic obfuscation, command execution from the C2, status updates and more.

Indicators Of Compromise

(Image: indicators of compromise table)
