Xeno-RAT

Hi, I found traffic from XenoRAT and propose to detect it based on the content of the first 117-byte packet plus a 21-byte packet in the stream.

alert tcp any any -> any any (msg: "ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In";flow: established, to_server;content: "|7100 0000 00|";depth:5;content: !"|00|"; within:1;  content: "|1100 0000 00|";distance:112;within:5;content: !"|00|"; within:1;  threshold: type limit, track by_dst, seconds 30, count 1;classtype: command-and-control;reference: md5,cb0a4f14d441666ccb5d0b2f170a2d78;reference: url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major,malware_family Xeno-RAT,  created_at 2024_01_17; sid: 1; rev: 1;)

Also, another rule with a threshold of 20 keep-alive packets in 30 seconds:

alert tcp-pkt any any -> any any (msg: "ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive";flow: established, to_server;dsize: 21; content: "|1100 0000 00|"; depth: 5;content: !"|00|"; within:1;threshold: type threshold, track by_dst, seconds 30, count 20;classtype: command-and-control;reference: md5,cb0a4f14d441666ccb5d0b2f170a2d78;reference: url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31;metadata: attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Xeno-RAT,  created_at 2024_01_17; sid: 2; rev: 1;)

Best regards,
⋆♱✮♱⋆ Jane ⋆♱✮♱⋆


Thanks @Jane0sint! We’ll get these in today’s release. I’ll let you know what the sids are when I have them. :tada:


@Jane0sint - Here are the sids for these

  2050110 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In
  2050111 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive

Thanks @ishaughnessy @Jane0sint !


I apologize for the error in rule 2050110 due to the wrong choice of protocol; please change

alert tcp-pkt → alert tcp

I’ll try to be more attentive, sorry.


no worries, this will be fixed in today’s release :+1:


Hi, I have an update to the rules due to the fact that I came across a sample with a slight modification. By the way, the developer himself tweeted me asking me to explain how detection works.

alert tcp $EXTERNAL_NET any -> $HOME_NET any (
msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In Server Response";
flow:established,to_client;
content:"|71 00 00 00 00|"; startswith; fast_pattern;
content:!"|00|"; within:1;
content:"|11 00 00 00|"; distance:112; within:5;
content:!"|00|"; distance:1; within:1;
threshold:type limit, track by_dst, seconds 30, count 1;
reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78;
reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31;
reference:url,github.com/moom825/xeno-rat;
reference:url,community.emergingthreats.net/t/xeno-rat/1290;
classtype:command-and-control;
sid:2050110; rev:2;
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_17, deployment Perimeter, former_category MALWARE, malware_family XenoRat, confidence Medium, signature_severity Critical, updated_at 2024_01_18;)

alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET any (
msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive";
flow:established,to_server;
dsize:21;
content:"|11 00 00 00|"; depth:4; fast_pattern;
content:!"|00|"; distance:1; within:1;
byte_test:1,<,5,0,relative;
threshold:type threshold, track by_dst, seconds 30, count 20;
reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78;
reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31;
reference:url,github.com/moom825/xeno-rat;
reference:url,community.emergingthreats.net/t/xeno-rat/1290;
classtype:command-and-control;
sid:2050111; rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_01_17, deployment Perimeter, former_category MALWARE, malware_family XenoRat, confidence Medium, signature_severity Critical, updated_at 2024_01_17;)

•̩̩͙˚⁺‧͙⁺˚•̩̩͙✩•̩̩͙*˚⁺‧͙
Jane


heya @Jane0sint !

I’ll get these updates out today!

This is hilarious ^ :rofl:

Isaac


Getting multiple false positives with this signature when users are trying to connect to local development MySQL servers.

Please specify which of the two? Thank you! A little more detail wouldn’t hurt: is this port 3306? Accessing a local server from an external network?

Looks like sid 2050111. It’s not port 3306; our dev SQL test servers spin up MySQL instances for testing on random high ports. The traffic is internal to internal. Interestingly enough, the sig does not fire for our Postgres instances on the same server.

I think we can turn it off without losing coverage. Also non-standard is the fact that some of your internal addresses are in the $EXTERNAL_NET variable. Thank you again!

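To make the byte logic of the two rules concrete, and to show why sid 2050111 collided with local MySQL traffic as reported above, here is an added Python example. It is not code from this thread, from ANY.RUN or from the ET ruleset. It emulates the checks of the updated rules as I read them (treating byte_test as relative to the last positive content match is an assumption about Suricata's cursor after a negated content), adds a simplified track-by_dst threshold, and builds a constructed MySQL COM_QUERY packet. MySQL frames client packets as a 3-byte little-endian payload length followed by a 1-byte sequence id, so the first packet of a command carrying a 16-character query is 21 bytes and starts with 11 00 00 00, which satisfies every check in the keep-alive rule. PostgreSQL uses a type byte plus a big-endian length, so the same query there never matches, consistent with the report. All packets and addresses below are constructed, not captures.

```python
"""Offline emulation of the Xeno-RAT rule checks posted in this thread, plus a
constructed MySQL packet showing the sid 2050111 false positive. Added example."""
import struct
from collections import defaultdict, deque

# Length prefixes from the rules above: 4-byte little-endian payload length.
CHECKIN_HDR = b"\x71\x00\x00\x00"    # 0x71 = 113 payload bytes -> 117-byte check-in packet
KEEPALIVE_HDR = b"\x11\x00\x00\x00"  # 0x11 = 17 payload bytes -> 21-byte keep-alive packet
KEEPALIVE_SIZE = 21


def is_keepalive(pkt: bytes) -> bool:
    """sid 2050111 as updated: dsize:21, 11 00 00 00 at depth 4, byte 5 non-zero
    (content:!"|00|" distance:1 within:1) and byte 4 below 5 (byte_test, read as
    relative to the 4-byte match; assumption)."""
    return (len(pkt) == KEEPALIVE_SIZE
            and pkt.startswith(KEEPALIVE_HDR)
            and pkt[5] != 0
            and pkt[4] < 5)


def is_checkin_stream(stream: bytes) -> bool:
    """sid 2050110 rev 2 over a reassembled to_client stream: 71 00 00 00 00 at
    offset 0, byte 5 non-zero, 11 00 00 00 starting 112 bytes past the end of the
    first match (offset 117; within:5 also admits 118), then the byte one past
    the end of that match non-zero."""
    if not stream.startswith(CHECKIN_HDR + b"\x00") or len(stream) < 6 or stream[5] == 0:
        return False
    for start in (117, 118):
        end = start + 4
        if stream[start:end] == KEEPALIVE_HDR and len(stream) > end + 1 and stream[end + 1] != 0:
            return True
    return False


class DstThreshold:
    """threshold:type threshold, track by_dst, seconds 30, count 20 (simplified):
    fires each time `count` matches for one destination accumulate within `seconds`."""

    def __init__(self, count: int = 20, seconds: int = 30):
        self.count, self.seconds = count, seconds
        self._hits = defaultdict(deque)

    def observe(self, dst: str, ts: float) -> bool:
        q = self._hits[dst]
        while q and ts - q[0] > self.seconds:   # drop hits outside the window
            q.popleft()
        q.append(ts)
        if len(q) >= self.count:
            q.clear()
            return True
        return False


def mysql_com_query(query: bytes, seq: int = 0) -> bytes:
    """MySQL client packet: 3-byte LE payload length, 1-byte sequence id, then
    COM_QUERY (0x03) + query text. A 16-byte query gives a 17-byte payload, so with
    sequence id 0 the packet begins 11 00 00 00 03, just like the keep-alive."""
    payload = b"\x03" + query
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def pg_simple_query(query: bytes) -> bytes:
    """PostgreSQL simple-query message: 'Q', 4-byte big-endian length (including
    itself), query + NUL. Different framing, so the LE prefix never appears."""
    body = query + b"\x00"
    return b"Q" + struct.pack(">I", 4 + len(body)) + body


# Constructed samples (not captures) shaped the way the rules expect.
SAMPLE_KEEPALIVE = KEEPALIVE_HDR + b"\x00\x01" + b"\x00" * 15   # 21 bytes
SAMPLE_CHECKIN = CHECKIN_HDR + b"\x00\x02" + b"\x00" * 111     # 117 bytes
SAMPLE_STREAM = SAMPLE_CHECKIN + SAMPLE_KEEPALIVE               # 138 bytes


def demo() -> dict:
    """Run every check once; a dev harness issuing 20 short queries in 30 s trips the threshold."""
    th = DstThreshold()
    burst = [th.observe("10.0.0.5", t) for t in range(20)]      # constructed dst, 20 hits in 20 s
    return {
        "keepalive": is_keepalive(SAMPLE_KEEPALIVE),
        "checkin_stream": is_checkin_stream(SAMPLE_STREAM),
        "mysql_fp": is_keepalive(mysql_com_query(b"SELECT 1 FROM t1")),       # 16-char query, seq 0
        "mysql_seq1": is_keepalive(mysql_com_query(b"SELECT 1 FROM t1", seq=1)),
        "postgres_same_size": is_keepalive(pg_simple_query(b"SELECT 1 FROM t")),  # also 21 bytes
        "threshold_hit_on_20th": burst[-1] and not any(burst[:-1]),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The collision is purely structural: the keep-alive rule keys on a 4-byte little-endian length of 17 and two small bytes after it, and any protocol with a little-endian length prefix in the same position can produce the same bytes. The later queries of a MySQL command (sequence id 1 and up) do not match because byte 3 is no longer zero, which is why the hits cluster on the first packet of each short query; restricting the rule to $EXTERNAL_NET, as the update did, only helps when internal ranges are excluded from that variable.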

thanks @Jane0sint - I’ll disable in today’s release

thanks for the FP report @michaelfschem !
