Xeno-RAT

Hi, I found traffic from XenoRAT and propose to detect it based on the content of the first 117-byte packet plus the 21-byte packet in the stream.

alert tcp any any -> any any (msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In"; flow:established,to_server; content:"|71 00 00 00 00|"; depth:5; content:!"|00|"; within:1; content:"|11 00 00 00 00|"; distance:112; within:5; content:!"|00|"; within:1; threshold:type limit, track by_dst, seconds 30, count 1; classtype:command-and-control; reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78; reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Xeno-RAT, created_at 2024_01_17; sid:1; rev:1;)

Also another rule with a threshold of 20 keep-alive packets in 30 seconds:

alert tcp-pkt any any -> any any (msg:"ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive"; flow:established,to_server; dsize:21; content:"|11 00 00 00 00|"; depth:5; content:!"|00|"; within:1; threshold:type threshold, track by_dst, seconds 30, count 20; classtype:command-and-control; reference:md5,cb0a4f14d441666ccb5d0b2f170a2d78; reference:url,app.any.run/tasks/e6be415f-589d-4491-a1cd-abf070510d31; metadata:attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, signature_severity Major, malware_family Xeno-RAT, created_at 2024_01_17; sid:2; rev:1;)

Best regards,
⋆♱✮♱⋆ Jane ⋆♱✮♱⋆

1 Like
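The two rules above match a fixed byte layout: a 117-byte check-in whose first five bytes are 71 00 00 00 00 followed by a non-zero byte, with the 21-byte keep-alive (11 00 00 00 00 plus a non-zero byte) starting 112 bytes after the first match, i.e. at stream offset 117. The script below is an added illustration of that matching logic in Python, not the ET rules themselves and not code from the thread: it reproduces the check-in stream test, the per-packet keep-alive test, and an approximation of the `threshold: type threshold, track by_dst, seconds 30, count 20` counter as a sliding window, so the logic can be exercised against constructed packets offline. The sample packets, the destination address and the sliding-window simplification are all my assumptions.

```python
"""Reference matcher for the Xeno-RAT check-in and keep-alive byte patterns.

Added illustration: mirrors the content/depth/distance/within/dsize logic of
the two Suricata rules in the thread. Sample traffic is constructed, not a
real capture.
"""
from collections import defaultdict, deque

CHECKIN_PREFIX = bytes.fromhex("7100000000")    # |71 00 00 00 00| from the Check-In rule
KEEPALIVE_PREFIX = bytes.fromhex("1100000000")  # |11 00 00 00 00| from both rules
CHECKIN_LEN = 117                               # size of the first packet per the thread
KEEPALIVE_LEN = 21                              # dsize:21 in the Keep-Alive rule


def is_checkin_stream(stream: bytes) -> bool:
    """Check-In rule logic over reassembled client->server stream data.

    First match: prefix within depth 5 followed by a non-zero byte (within:1).
    Second match: distance:112 after the end of the first match, so at offset
    5 + 112 = 117, the keep-alive prefix followed by another non-zero byte.
    """
    if len(stream) < CHECKIN_LEN + 6:
        return False
    if stream[:5] != CHECKIN_PREFIX or stream[5] == 0:
        return False
    second = CHECKIN_LEN  # end of first match (5) + distance 112
    if stream[second:second + 5] != KEEPALIVE_PREFIX or stream[second + 5] == 0:
        return False
    return True


def is_keepalive_packet(payload: bytes) -> bool:
    """Per-packet checks of the Keep-Alive rule: dsize:21, prefix at depth 5,
    non-zero byte right after it."""
    return (len(payload) == KEEPALIVE_LEN
            and payload[:5] == KEEPALIVE_PREFIX
            and payload[5] != 0)


class KeepAliveThreshold:
    """Approximates `threshold: type threshold, track by_dst, seconds 30, count 20`.

    Alerts on the 20th matching packet to the same destination inside a
    30-second sliding window, then resets the count. This is a simplification
    of Suricata's threshold counter, assumed here for illustration.
    """

    def __init__(self, count: int = 20, seconds: float = 30.0):
        self.count = count
        self.seconds = seconds
        self._seen = defaultdict(deque)  # dst -> timestamps of matching packets

    def observe(self, dst: str, ts: float, payload: bytes) -> bool:
        """Feed one packet; return True when the threshold fires for this dst."""
        if not is_keepalive_packet(payload):
            return False
        window = self._seen[dst]
        window.append(ts)
        while window and ts - window[0] > self.seconds:
            window.popleft()
        if len(window) >= self.count:
            window.clear()  # fresh count after an alert, as a threshold counter does
            return True
        return False


# Constructed sample packets: the header bytes follow the rule patterns, the
# non-zero byte is 0x01, and the rest is zero filler (not real RAT framing).
SAMPLE_CHECKIN = CHECKIN_PREFIX + b"\x01" + bytes(CHECKIN_LEN - 6)
SAMPLE_KEEPALIVE = KEEPALIVE_PREFIX + b"\x01" + bytes(KEEPALIVE_LEN - 6)


def demo() -> dict:
    """Run both matchers over the constructed traffic and report the outcome."""
    stream = SAMPLE_CHECKIN + SAMPLE_KEEPALIVE
    results = {"checkin": is_checkin_stream(stream)}
    th = KeepAliveThreshold()
    # Twenty keep-alives, one per second, to a placeholder C2 destination.
    fired = [th.observe("192.0.2.10:4444", float(t), SAMPLE_KEEPALIVE) for t in range(20)]
    results["keepalive_alert_index"] = fired.index(True) if True in fired else None
    return results


if __name__ == "__main__":
    print(demo())
```

Running the script reports the check-in stream as matched and the keep-alive threshold firing on the 20th packet (index 19); spreading the same 20 packets over 40 seconds never puts 20 of them inside one 30-second window, so the threshold stays silent, which is the behaviour the `seconds 30, count 20` setting is meant to give.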

Thanks @Jane0sint! We’ll get these in today’s release. I’ll let you know what the sids are when I have them. :tada:

2 Likes

@Jane0sint - Here are the sids for these

  2050110 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Check-In
  2050111 - ET MALWARE [ANY.RUN] Xeno-RAT TCP Keep-Alive
3 Likes

Thanks @ishaughnessy @Jane0sint !

1 Like

I apologize for the error in rule 2050110, caused by the wrong choice of protocol; please change

alert tcp-pkt → alert tcp

I'll try to be more attentive, sorry.

1 Like

no worries, this will be fixed in today’s release :+1:

1 Like