Both a North Korean hacking group and other unidentified actors have targeted gamers using XenoRAT, malware that poses as a Roblox scripting tool on GitHub. The RAT was distributed through .gg domains, commonly associated with esports, and a GitHub repository.
Security researchers have observed XenoRAT being delivered via Dropbox and found on servers potentially linked to the Kimsuky threat group. The malware's features include real-time audio surveillance and a SOCKS5 proxy.
Xeno RAT utilizes TCP sockets for communication between infected devices (clients) and the attacker’s control server (controller). The initial handshake between these components follows a specific pattern, allowing for the detection of malicious activity on a network.
Even beyond the initial connection, the controller’s response format remains consistent, providing another avenue for identifying compromised systems, which can be valuable for crafting network intrusion detection system (IDS) rules to effectively block Xeno RAT.
XenoRAT malware control servers (C2s) are hosted on .gg domains, a top-level domain (TLD) popular in the esports community, which highlights a concerning trend of malware abusing legitimate domains to spread under the radar.
The analysis revealed multiple .gg domains resolving to three shared IP addresses associated with Developed Methods LLC in the U.S. Interestingly, one of the IPs (147.185.221_19) also hosted infrastructure for other malware like DcRAT, VenomRAT, and Redline Stealer, indicating potential shared infrastructure among different malware actors.
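The infrastructure pivot described above (several C2 domains resolving to a handful of shared IPs, one of which also serves other malware families) is a routine defender task. The following is an added example, not code from the report or from Hunt; it uses constructed placeholder domains and RFC 5737 documentation IPs rather than the report's actual indicators, and assumes the resolutions come from passive DNS or resolver logs in `(domain, ip)` form.

```python
from collections import defaultdict

# Constructed sample resolutions (placeholders, not the report's indicators).
# In practice these come from passive DNS or your own resolver logs.
RESOLUTIONS = [
    ("c2-one.example.gg", "198.51.100.10"),
    ("c2-two.example.gg", "198.51.100.10"),
    ("c2-three.example.gg", "198.51.100.11"),
    ("unrelated.example.gg", "203.0.113.5"),
    ("other-family.example.net", "198.51.100.10"),  # different malware family, same host
]


def group_by_ip(resolutions):
    """Map each IP address to the set of domains that resolve to it."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    return by_ip


def shared_hosts(resolutions, min_domains=2):
    """Return IPs that host at least `min_domains` distinct domains.

    Shared hosting is the signal the report used to connect the XenoRAT
    domains to infrastructure also serving DcRAT, VenomRAT and Redline.
    """
    by_ip = group_by_ip(resolutions)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}


def pivot_from_seed(resolutions, seed_domain):
    """Starting from one known-bad domain, list other domains on the same IP(s).

    These are candidates for blocking or further review, not automatic verdicts:
    a shared IP can also be a legitimate hosting provider.
    """
    by_ip = group_by_ip(resolutions)
    seed_ips = {ip for domain, ip in resolutions if domain == seed_domain}
    related = set()
    for ip in seed_ips:
        related |= by_ip[ip]
    related.discard(seed_domain)
    return sorted(related)


if __name__ == "__main__":
    for ip, domains in shared_hosts(RESOLUTIONS).items():
        print(f"{ip} hosts {len(domains)} domains: {', '.join(domains)}")
    print("related to c2-one.example.gg:", pivot_from_seed(RESOLUTIONS, "c2-one.example.gg"))
```

Treat the output as a lead list: confirm each candidate against the handshake pattern or other behavioural evidence before blocking, since shared IPs at a hosting provider will also carry unrelated tenants.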
An investigation into malicious files communicating with suspicious domains revealed a compressed file named “SynapseX.revamped.V1.2.rar” on a GitHub repository disguised as a Roblox scripting engine.
This archive contained two executables – “Synapse X Launcher.exe.exe” (identified as XenoRAT) and “Synapse X Launcher.exe” (identified as Quasar malware).
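The double extension on "Synapse X Launcher.exe.exe" is a cheap, reliable signal that a file name was crafted to deceive. The following is an added example, not code from the report or from Hunt, showing how a triage script can list executables inside an archive and flag deceptive names. It assumes a zip archive because Python's standard library cannot read .rar files; the sample archive is constructed in memory with inert placeholder text instead of real binaries.

```python
import io
import zipfile

# Extensions that Windows will execute directly.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "js", "vbs", "msi"}
# Extensions commonly placed before the real one to disguise an executable.
DISGUISE_EXTS = EXECUTABLE_EXTS | {"pdf", "doc", "docx", "txt", "jpg", "png", "mp4", "zip", "rar"}


def is_deceptive_name(name):
    """True for names like 'Launcher.exe.exe' or 'invoice.pdf.exe'.

    Requires the final extension to be executable and the one before it to be a
    recognised extension, so version-style names such as 'setup.v1.exe' are not
    flagged.
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DISGUISE_EXTS


def scan_archive(data):
    """Return (executables, deceptive) member-name lists for a zip given as bytes."""
    executables, deceptive = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):  # directory entry
                continue
            ext = name.lower().rsplit(".", 1)[-1]
            if ext in EXECUTABLE_EXTS:
                executables.append(name)
            if is_deceptive_name(name):
                deceptive.append(name)
    return executables, deceptive


def build_sample_archive():
    """Constructed archive mimicking the layout the report describes.

    Member contents are placeholder text, not the actual malware.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Synapse X Launcher.exe.exe", "placeholder")
        zf.writestr("Synapse X Launcher.exe", "placeholder")
        zf.writestr("README.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    execs, bad = scan_archive(build_sample_archive())
    print("executables:", execs)
    print("deceptive names:", bad)
```

A name check like this belongs in the intake step of a sandbox or mail gateway; it costs nothing and catches the lure before any member is executed. It says nothing about the second file, "Synapse X Launcher.exe", whose name is unremarkable, which is why file-name heuristics complement rather than replace detonation and hash lookups.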
The C2 server for Quasar used portmap.io, a free port-forwarding service, with a domain name resembling a popular YouTube animated series. The malware itself was hidden within a fake Roblox scripting repository on GitHub.
Hunt researchers identified a malicious repository containing a file (XMainDab/Loader.exe) flagged as XWorm malware by GitHub user ByfronTechnologies two weeks prior. The file and folder names in the repository led to a YouTube channel (P-Denny Gaming) featuring Roblox-related videos with titles similar to those found in the GitHub repository.
One video instructed users to disable Windows Defender before installing a file (Synapse X RAR) and showed a Swedish-language desktop with a "Roblox Stealer" bookmark, further indicating the actor's malicious intent.
The video also had comments vouching for the legitimacy of the files, despite warnings from others. The distribution of malicious software such as XenoRAT through gaming-related domains (.gg) and code-sharing platforms (GitHub) threatens both gamers and developers.
Open-source platforms like GitHub exacerbate the issue, as malware can be spread through seemingly harmless game scripts or executors.