Concrete signature match: Backdoor - Provides unauthorized remote access for .NET (Microsoft Intermediate Language) platform, family XenoRat
This detection identifies the XenoRat Remote Access Trojan (RAT), a backdoor that gives an attacker full remote control over the infected system. It can be used for data theft, surveillance, and executing arbitrary commands. The detection is based on a high-confidence machine learning model that identified behaviors specific to this malware family.
Relevant strings associated with this threat: - \xeno-rat\Plugins (PEHSTR_EXT)
rule Backdoor_MSIL_XenoRat_BSA_2147927609_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:MSIL/XenoRat.BSA!MTB"
threat_id = "2147927609"
type = "Backdoor"
platform = "MSIL: .NET intermediate language scripts"
family = "XenoRat"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
threshold = "15"
strings_accuracy = "High"
strings:
$x_10_1 = "xeno rat client" ascii //weight: 10
$x_5_2 = {1b 30 06 00 84 0b 00 00 10 00 00 11 12 00 14 7d 04 00 00 04 14 0b 72 64 05 00 70 0c 08 18 28 32 00 00 0a 28 33 00 00 0a 16 28 34 00 00 0a 26 21 00 60 40 00 00 00 00 00 e0 0d 20 b7 50 00 00 13 04 11 04 8d} //weight: 5, accuracy: High
condition:
(filesize < 20MB) and
(all of ($x*))
}60143ebe7e289b139850c52380249e45c0c2452a2c068af94580de3bf5c0608d5e84212896be25f411d5185406286fe5ee898afe757623a6acbf736c20c3e838Immediately isolate the affected machine from the network. Run a full antivirus scan to remove all malicious components. Investigate the initial access vector, check for persistence mechanisms, and reset all user credentials on the machine and associated network accounts.