
Cybersecurity researchers have detailed a multi-stage malware campaign that uses batch scripts as a conduit to deliver various encrypted remote access Trojan (RAT) payloads for XWorm, AsyncRAT, and Xeno RAT.
This stealth attack chain has been codenamed VOID#GEIST by Securonix Threat Research.
At a high level, the obfuscated batch script is used to deploy a second batch script, stage a legitimate embedded Python runtime, and decrypt encrypted shellcode blobs. The encrypted shellcode blob is executed directly in memory by injecting it into a separate instance of ‘explorer.exe’ using a technique called Early Bird Asynchronous Procedure Call (APC) injection.
“Modern malware campaigns are increasingly moving away from standalone executable files to complex script-based delivery frameworks that closely mimic legitimate user activity,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardsley said in a technical report shared with The Hacker News.
“Rather than deploying traditional PE binaries, attackers leverage a modular pipeline consisting of batch scripts for orchestration, PowerShell for stealth staging, a legitimate built-in runtime for portability, and raw shellcode executed directly in memory for persistence and control.”
This fileless execution mechanism minimizes the opportunity for disk-based detection, allowing attackers to operate within a compromised system without triggering security alerts. Moreover, this approach has the added benefit that these individual steps appear innocuous on their own and resemble normal management activities.
The starting point of the attack is a batch script retrieved from a TryCloudflare domain and distributed via phishing emails. Once launched, it blends into seemingly innocuous administrative operations, deliberately skipping any privilege escalation step and instead using the privileges of the currently logged-in user to establish an initial foothold.
The initial stage also launches Google Chrome in full-screen mode to display a decoy PDF. The financial documents and invoices shown act as a visual distraction from what is happening behind the scenes: a PowerShell command re-runs the original batch script with the -WindowStyle Hidden parameter so that no console window is displayed.

To ensure persistence across system reboots, an auxiliary batch script is placed in the Windows user’s startup directory and automatically runs each time the victim logs into the system. The absence of more intrusive persistence methods is intentional as it reduces the forensic footprint.
“Technically, this persistence method operates entirely within the privileged context of the current user; it does not modify system-wide registry keys, create scheduled tasks, or install services,” the researchers said. “Instead, it relies on standard user-level startup behavior, which requires no elevation and minimizes security friction. This design choice is less likely to trigger privilege elevation prompts or registry monitoring alerts.”
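The user-level persistence just described leaves a small but inspectable footprint: a script file in the per-user Startup folder. The following audit routine is an added example (not code from Securonix or from the article) that lists script files in such a folder and flags the traits the write-up mentions, such as a PowerShell invocation with -WindowStyle Hidden, a TryCloudflare URL, or a reference to a user-writable staging directory. The Startup path, the pattern list and the sample files it builds in a temporary directory are all constructed for illustration.

```python
"""Audit a Windows per-user Startup folder for script-based persistence.

Added defender-side example for the VOID#GEIST write-up; not Securonix code.
The heuristics, the default path and the sample files are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# File types that execute as code when placed in the Startup folder.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}

# Content patterns worth a second look, each mapped to a short reason string.
SUSPICIOUS_PATTERNS = {
    re.compile(r"-windowstyle\s+hidden", re.I): "powershell hidden window",
    re.compile(r"trycloudflare\.com", re.I): "TryCloudflare URL",
    re.compile(r"\bpython(w)?\.exe\b", re.I): "invokes a Python runtime",
    re.compile(r"%appdata%|%localappdata%|%temp%", re.I): "references user-writable staging dir",
}


def default_startup_dir() -> Path:
    """Per-user Startup folder (assumption: the standard %APPDATA% layout)."""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def audit_startup_dir(startup_dir) -> list:
    """Return one finding per script file in startup_dir.

    A finding records the file name, its extension and the matched reasons.
    .lnk shortcuts are reported without content reasons (binary format not parsed).
    """
    findings = []
    for entry in sorted(Path(startup_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        reasons = []
        if entry.suffix.lower() != ".lnk":
            text = entry.read_text(errors="replace")
            reasons = [why for pat, why in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
        findings.append({"file": entry.name, "ext": entry.suffix.lower(), "reasons": reasons})
    return findings


def build_sample_startup_dir() -> Path:
    """Create a constructed Startup folder: two harmless files, one suspicious launcher."""
    d = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")   # not a script, ignored
    (d / "notes.txt").write_text("not a script\n")          # not a script, ignored
    # Constructed sample mimicking the launcher pattern the article describes.
    (d / "update.bat").write_text(
        "@echo off\n"
        'powershell -WindowStyle Hidden -c "& %APPDATA%\\stage\\run.bat"\n'
    )
    return d


if __name__ == "__main__":
    # On a real host you would pass default_startup_dir() instead of the sample.
    for finding in audit_startup_dir(build_sample_startup_dir()):
        print(finding)
```

On a live system, pass default_startup_dir() to audit_startup_dir and review every hit; a script in Startup is not malicious by itself, but the combination of a hidden PowerShell window and a staging directory under the user profile is the pattern worth investigating.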
The next phase begins with the malware accessing the TryCloudflare domain to retrieve an additional payload in the form of a ZIP archive containing multiple files.
- runn.py, a Python-based loader script responsible for decrypting the encrypted shellcode payload modules and injecting them into memory
- new.bin, an encrypted shellcode payload for XWorm
- xn.bin, an encrypted shellcode payload for Xeno RAT
- pul.bin, an encrypted shellcode payload for AsyncRAT
- a.json, n.json, and p.json, JSON files used by the Python loader to decode the shellcode dynamically at runtime
Once the files are extracted, the attack sequence deploys a legitimate embedded Python runtime fetched directly from python[.]org. This step has several advantages. First of all, system dependencies are eliminated: the malware can run even if Python is not installed on the infected endpoint.
“From an attacker’s perspective, the purpose of this stage is portability, reliability, and stealth,” Securonix said. “By embedding a legitimate interpreter into a staging directory, the malware transforms it into a completely self-contained execution environment that can decrypt and inject payload modules without relying on external system components.”
The main goal of this attack is to leverage the Python runtime to launch ‘runn.py’ and use Early Bird APC injection to decrypt and execute the XWorm payload. The malware also leverages a legitimate Microsoft binary, AppInstallerPythonRedirector.exe, to call Python and launch the Xeno RAT. In the final stage, the Python loader uses the same injection mechanism to launch AsyncRAT.
The infection chain culminates with the malware sending a minimal HTTP beacon to the attacker-controlled C2 infrastructure hosted on TryCloudflare to confirm the digital intrusion. At this time, it is unclear who the target of the attack was or whether the breach was successful.
“This repeated injection pattern strengthens the framework’s modular architecture. Instead of delivering a single monolithic payload, attackers deploy components in stages, increasing flexibility and resiliency,” Securonix said. “From a detection perspective, repeated process injections into explorer.exe within a short time frame are strong behavioral indicators of correlation across each stage of the attack.”
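The researchers' detection hint, several injections into explorer.exe within a short time frame, can be turned into a simple correlation rule. The script below is an added example (not Securonix code) that runs that rule over constructed Sysmon-style ProcessAccess (Event ID 10) records. It is written around Event ID 10 rather than Event ID 8 because Early Bird APC injection queues an APC on a suspended thread and does not need CreateRemoteThread, so the process handle acquisition is the more reliable signal; the field names, access-mask values, host names, window length and threshold are all assumptions you would adapt to your own telemetry.

```python
"""Correlate repeated process-access events against explorer.exe per host.

Added defender-side example for the VOID#GEIST article; not Securonix code.
Input lines are constructed Sysmon-like Event ID 10 records, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Access rights that allow writing into or starting a thread in the target:
# PROCESS_CREATE_THREAD (0x2) | PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20).
INJECT_BITS = 0x0002 | 0x0008 | 0x0020
WINDOW = timedelta(minutes=5)   # assumption: "short time frame" means five minutes
THRESHOLD = 2                   # assumption: two or more hits in the window is an alert

# Constructed sample telemetry. 0x1fffff is PROCESS_ALL_ACCESS; 0x1400 and 0x1000
# are query-only masks typical of benign system processes.
SAMPLE_EVENTS = [
    r"2024-01-01T10:00:05 host=WS01 EventID=10 SourceImage=C:\Users\alice\AppData\Local\stage\python.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1fffff",
    r"2024-01-01T10:00:40 host=WS01 EventID=10 SourceImage=C:\Program Files\WindowsApps\PythonRedirector\AppInstallerPythonRedirector.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1fffff",
    r"2024-01-01T10:01:12 host=WS01 EventID=10 SourceImage=C:\Users\alice\AppData\Local\stage\python.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1fffff",
    r"2024-01-01T10:03:00 host=WS01 EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1400",
    r"2024-01-01T12:30:00 host=WS02 EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000",
]


def parse_event(line: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict; values may contain spaces."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(.+?)(?=\s+\w+=|$)", rest))
    fields["ts"] = datetime.fromisoformat(ts_str)
    fields["access"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def is_injection_candidate(ev: dict) -> bool:
    """True for a ProcessAccess event on explorer.exe with write/thread rights."""
    target = ev.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    return ev.get("EventID") == "10" and target == "explorer.exe" and bool(ev["access"] & INJECT_BITS)


def detect_repeated_injection(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return one alert per host whose densest window holds >= threshold candidates."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if is_injection_candidate(ev):
            per_host[ev["host"]].append(ev)

    alerts = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e["ts"])
        best = (0, 0, 0)            # (count, start index, end index) of densest window
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count >= threshold:
            hits = events[s:e + 1]
            alerts.append({
                "host": host,
                "count": count,
                "first": hits[0]["ts"].isoformat(),
                "last": hits[-1]["ts"].isoformat(),
                "sources": sorted({h["SourceImage"].rsplit("\\", 1)[-1] for h in hits}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_injection(SAMPLE_EVENTS):
        print(alert)
```

With the sample data, WS01 produces a single alert covering three handle acquisitions within about a minute from python.exe and AppInstallerPythonRedirector.exe, while the query-only accesses from csrss.exe and svchost.exe are ignored. The source-image list in the alert is what makes the finding actionable: a Python interpreter running out of a user profile directory touching explorer.exe with full access is the staging pattern the article describes.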
