Cybersecurity researchers have disclosed details of a multi-stage malware campaign that uses batch scripts as a pathway to deliver multiple encrypted remote access trojan (RAT) payloads corresponding to XWorm, AsyncRAT, and Xeno RAT.
The stealthy attack chain has been codenamed VOID#GEIST by Securonix Threat Research.
At a high level, the obfuscated batch script is used to deploy a second batch script, stage a legitimate embedded Python runtime, and decrypt encrypted shellcode blobs, which are executed directly in memory by injecting them into separate instances of “explorer.exe” using a technique called Early Bird Asynchronous Procedure Call (APC) injection.
“Modern malware campaigns increasingly shift from standalone executables toward complex, script-based delivery frameworks that closely mimic legitimate user activity,” researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.
“Rather than deploying traditional PE binaries, attackers leverage modular pipelines comprising batch scripts for orchestration, PowerShell for stealthy staging, legitimate embedded runtimes for portability, and raw shellcode executed directly in memory for persistence and control.”
This fileless execution mechanism minimizes disk-based detection opportunities, thereby allowing the threat actors to operate inside compromised systems without triggering security alerts. What’s more, the approach offers an additional benefit in that the individual stages appear harmless in isolation and resemble routine administrative activity.
The starting point of the attack is a batch script that is fetched from a TryCloudflare domain and distributed via phishing emails. Once launched, it deliberately avoids taking steps to escalate privileges and leverages the permission rights of the currently logged-in user to establish an initial foothold, while blending into seemingly innocuous administrative operations.
The initial stage serves as a launchpad to display a decoy PDF by launching Google Chrome in full-screen mode. The displayed financial document or invoice serves as a visual distraction to conceal what’s happening behind the scenes. This includes launching a PowerShell command to re-execute the original batch script, such as using the -WindowStyle Hidden parameter, to avoid displaying a console window.
To ensure persistence across system reboots, an auxiliary batch script is placed in the Windows user’s Startup folder so that it is automatically executed every time the victim logs in to the system. The absence of more intrusive persistence methods is intentional, as it reduces the forensic footprint.
“Technically, this persistence method operates entirely within the current user’s privilege context. It does not modify system-wide registry keys, create scheduled tasks, or install services,” the researchers said. “Instead, it relies on standard user-level startup behavior, which requires no elevation and generates minimal security friction. This design choice reduces the likelihood of triggering privilege escalation prompts or registry-monitoring alerts.”
The next phase begins with the malware reaching out to a TryCloudflare domain to fetch additional payloads in the form of ZIP archives that contain several files –
- runn.py, a Python-based loader script responsible for decrypting and injecting encrypted shellcode payload modules into memory
- new.bin, an encrypted shellcode payload corresponding to XWorm
- xn.bin, an encrypted shellcode payload corresponding to Xeno RAT
- pul.bin, an encrypted shellcode payload corresponding to AsyncRAT
- a.json, n.json, and p.json, key files containing the decryption keys required by the Python loader to dynamically decrypt the shellcode at runtime
Once the files are extracted, the attack sequence deploys a legitimate embedded Python runtime directly from python[.]org. This step offers several benefits. For starters, it eliminates any dependency on the system. As a result, the malware can continue to operate even if the infected endpoint does not have Python installed.
“From the attacker’s perspective, the objectives of this stage are portability, reliability, and stealth,” Securonix said. “By embedding a legitimate interpreter into the staging directory, the malware transforms itself into a fully self-contained execution environment capable of decrypting and injecting payload modules without relying on external system components.”
The main goal of the attack is to leverage the Python runtime to launch “runn.py,” which then decrypts and runs the XWorm payload using Early Bird APC injection. The malware also uses a legitimate Microsoft binary, “AppInstallerPythonRedirector.exe,” to invoke Python and launch Xeno RAT. In the final stage, the Python loader uses the same injection mechanism to launch AsyncRAT.
The infection chain culminates with the malware transmitting a minimal HTTP beacon back to attacker-controlled C2 infrastructure hosted on TryCloudflare to confirm the digital break-in. It is currently not known who the targets of the attack were, or whether there were any successful compromises.
“This repeated injection pattern reinforces the modular architecture of the framework. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, improving flexibility and resilience,” Securonix said. “From a detection standpoint, repeated process injection into explorer.exe within short time windows is a strong behavioral indicator that correlates across stages of the attack.”
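As an added example (not code from Securonix’s report or The Hacker News), the following Python snippet turns the behavioral indicator in the quote above into a check that runs over constructed process-access events and flags clusters of injections into several distinct explorer.exe instances inside a short window; the event field names, file paths, PIDs and timestamps are assumptions made for this example.

```python
"""Added example (not from Securonix or The Hacker News): a behavioral
check for repeated process injection into explorer.exe within a short
time window. The event shape mimics a Sysmon ProcessAccess record but is
an assumption; every path, PID and timestamp below is constructed."""
from datetime import datetime

EXPLORER = r"c:\windows\explorer.exe"
# Constructed source paths: an embedded runtime staged in a user-writable
# directory, and the redirector binary named in the report.
PY = r"C:\Users\victim\AppData\Local\Temp\stage\python.exe"
REDIR = r"C:\constructed\path\AppInstallerPythonRedirector.exe"


def ev(ts, src, src_pid, tgt_pid, tgt=r"C:\Windows\explorer.exe"):
    """Build one constructed process-access event."""
    return {"ts": ts, "src": src, "src_pid": src_pid, "tgt": tgt, "tgt_pid": tgt_pid}


EVENTS = [
    ev("2025-01-10T09:00:00", PY, 4100, 5001),     # XWorm stage
    ev("2025-01-10T09:00:12", REDIR, 4200, 5002),  # Xeno RAT stage
    ev("2025-01-10T09:00:25", PY, 4300, 5003),     # AsyncRAT stage
    ev("2025-01-10T09:00:30", PY, 4300, 7000, tgt=r"C:\Windows\notepad.exe"),
    ev("2025-01-10T09:30:00", r"C:\Windows\System32\svchost.exe", 900, 5001),
    ev("2025-01-10T09:45:00", PY, 4100, 5004),     # isolated, no alert
]


def cluster_explorer_injections(events, window_seconds=60, min_targets=2):
    """Cluster explorer.exe-targeted accesses whose gap to the previous one
    is at most window_seconds; alert when a cluster touches min_targets or
    more distinct explorer.exe PIDs, listing the source image names."""
    hits = sorted((e for e in events if e["tgt"].lower() == EXPLORER),
                  key=lambda e: e["ts"])
    clusters, current = [], []
    for e in hits:
        if current and (datetime.fromisoformat(e["ts"]) -
                        datetime.fromisoformat(current[-1]["ts"])).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    alerts = []
    for c in clusters:
        targets = sorted({e["tgt_pid"] for e in c})
        if len(targets) >= min_targets:
            alerts.append({"first_seen": c[0]["ts"], "last_seen": c[-1]["ts"],
                           "targets": targets,
                           "sources": sorted({e["src"].rsplit("\\", 1)[-1].lower() for e in c})})
    return alerts
```

On the constructed events the three staged injections land in one cluster and produce a single alert, while the later lone accesses and the notepad.exe access do not.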