In this report, we will take a look at a newly discovered malware threat and discuss its implications for security. The cyber threat landscape is always changing, so it is important to know what the threats are and how to defend against them.
The malware is called SeroXen RAT (Remote Access Trojan). It was found in a campaign that abused the NuGet package manager. SeroXen RAT is designed to give attackers unauthorized access to systems in order to steal data, compromise those systems, and enable further malicious actions.
Upgrade and new threat vector:
The way this malware is deployed is concerning. The attackers used a little-known delivery method through the NuGet package manager: they abused MSBuild integrations, a feature that lets a package ship MSBuild inline tasks (task code embedded directly in the package's build files), and used those inline tasks to achieve code execution. What stands out about this deployment is that it is the first known example of malware published to the NuGet repository that uses this method.
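As an added example that is not part of the original bulletin, the following Python script shows how a defender could check a .nupkg for the MSBuild inline-task pattern described above: it opens the package as a zip, inspects only the .props/.targets files that NuGet auto-imports into consuming projects, and flags any UsingTask that relies on an inline code task factory. The sample package contents, file names and task names are constructed for illustration and are not taken from the actual campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run source embedded in the project file itself.
INLINE_TASK_FACTORIES = {"CodeTaskFactory", "RoslynCodeTaskFactory"}

def local(tag):  # strip the XML namespace: '{ns}UsingTask' -> 'UsingTask'
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(nupkg_bytes):
    """One finding per inline task in the package's auto-imported MSBuild files.
    A .nupkg is a zip; NuGet imports every .props/.targets under build/ or
    buildTransitive/ into consuming projects, so inline tasks there run at build time."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if not (low.startswith(("build/", "buildtransitive/"))
                    and low.endswith((".props", ".targets"))):
                continue
            for elem in ET.fromstring(zf.read(name)).iter():
                factory = elem.get("TaskFactory", "")
                if local(elem.tag) != "UsingTask" or factory not in INLINE_TASK_FACTORIES:
                    continue
                code = [c for c in elem.iter() if local(c.tag) == "Code"]
                findings.append({"file": name, "task": elem.get("TaskName", "?"),
                                 "factory": factory,
                                 "code_type": code[0].get("Type", "Fragment") if code else None})
    return findings

# Constructed sample (hypothetical names, not the real SeroXen package): build/sample.targets
# declares an inline C# task and hooks it to run before every Build of the consuming project.
SAMPLE_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="PostInstall" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.Core.dll">
    <Task><Code Type="Fragment" Language="cs">System.Console.WriteLine("hi");</Code></Task>
  </UsingTask>
  <Target Name="RunPostInstall" BeforeTargets="Build"><PostInstall /></Target>
</Project>"""

def build_sample_nupkg(with_inline_task=True):
    """Build an in-memory .nupkg; with_inline_task=False yields a clean control package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.nuspec", "<package />")
        if with_inline_task:
            zf.writestr("build/sample.targets", SAMPLE_TARGETS)
    return buf.getvalue()
```

The same check can be run over a local NuGet cache or a package feed mirror; a finding is not proof of malice (legitimate packages occasionally use inline tasks), but it is a strong reason to review the package before it is restored in a build.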
Indicators of Compromise (IOCs):
The following IOCs have been associated with ExelaStealer malware and should be monitored for within the network:
- sirketruhsatpdf.exe SHA256: f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048
- sirketruhsatpdf.exe SHA256: 95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51
- BNG 824 ruhsat.pdf SHA256: 5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef
- RuntimeBroker.exe SHA256: 34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0
- RuntimeBroker.exe SHA256: c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44
The following IOC has been identified in connection with the SeroXen RAT campaign:
- Discord webhook address: hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQNKWvya9KWqqqTK6UjVvS86_kUy8P8OyCcPhKykCQpEqf93S_qDFVuzp8
This IOC can be used to detect and mitigate threats related to the SeroXen RAT campaign.
The SeroXen RAT campaign demonstrates how persistent and adaptable threat actors are in looking for new ways to distribute malware. Being aware of this, organizations can better protect their assets by maintaining vigilance in software supply chain security and proactive threat detection. As this bulletin shows, staying informed and prepared is of utmost importance for effective cybersecurity.
This threat bulletin was researched and created by Arunagiri S, a SOC analyst at Positka.