In a recent disclosure, cybersecurity experts have detailed a sophisticated malware operation known as VOID#GEIST. This campaign employs batch scripts to deliver encrypted payloads of remote access trojans (RATs) such as XWorm, AsyncRAT, and Xeno RAT, marking a significant evolution in malware tactics.
Complex Attack Mechanism
VOID#GEIST employs a multi-layered strategy, starting with an obfuscated batch script. This script orchestrates the deployment of a second batch script, stages a legitimate embedded Python runtime, and decrypts shellcode, which is then injected into ‘explorer.exe’ using Early Bird Asynchronous Procedure Call (APC) injection. According to Securonix Threat Research, running inside ‘explorer.exe’ lets the implant mimic legitimate user activity, complicating detection.
The campaign shifts away from traditional executable files, opting instead for modular batch scripts and PowerShell commands. These methods enhance stealth and persistence, allowing operations to blend with regular administrative tasks. This fileless execution limits detection opportunities, enabling attackers to evade security systems effectively.
Initial Attack and Persistence
The attack begins with a batch script retrieved from a TryCloudflare domain, often distributed via phishing emails. This script capitalizes on the permissions of the current user without elevating privileges, ensuring the malware remains under the radar. It serves as a launchpad to display a decoy PDF using Google Chrome, distracting victims while executing malicious scripts in the background.
To maintain persistence, an auxiliary batch script is installed in the user’s Startup directory, running every time the system starts. This method avoids altering system-wide settings or creating noticeable alerts, thus reducing the risk of detection while maintaining a low forensic footprint.
Payload Deployment and Execution
Subsequent stages involve fetching additional payloads from TryCloudflare domains, delivered as ZIP files containing encrypted shellcode and decryption keys. The malware deploys its own legitimate Python runtime, so it does not depend on a Python installation already present on the victim system, which also helps it avoid notice.
The primary objective is to execute the ‘runn.py’ script, which decrypts and activates the XWorm payload using the Early Bird APC injection method. The attack further utilizes ‘AppInstallerPythonRedirector.exe’ to launch Xeno RAT, while AsyncRAT is similarly deployed using scripted injections, maintaining its modular and adaptive architecture.
The operation concludes with a minimal HTTP beacon sent back to attacker-controlled infrastructure, confirming the breach. The identities of potential targets remain unknown, and the extent of successful infiltrations is yet to be determined.
Securonix highlights the modularity of this attack framework, where components are delivered in phases, enhancing both flexibility and resilience. The repeated process injections serve as behavioral indicators, offering clues to cybersecurity professionals for potential detection.
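The behaviours described above (a batch file launched from a user-writable directory, a .bat dropped in the user's Startup folder, a Python runtime executing from a user profile path, and egress to a TryCloudflare domain) can be turned into simple log-based detections. The following is an added illustration, not Securonix's code or rules; the event field names and the sample events are constructed for the example.

```python
import re

# Constructed sample telemetry in a simplified, Sysmon-like shape (field names are our assumption).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.bat"'},
    {"type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": "python.exe runn.py"},
    {"type": "network", "image": r"C:\Windows\System32\curl.exe",
     "dest_host": "example-tunnel.trycloudflare.com"},
    # Benign control: a system-wide Python install running a build script should not fire.
    {"type": "process", "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": "python.exe build.py"},
]

STARTUP_BAT = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)
USER_WRITABLE = re.compile(r"C:\\Users\\[^\\]+\\AppData\\", re.I)   # per-user, no admin needed
TRYCLOUDFLARE = re.compile(r"\.trycloudflare\.com$", re.I)

def classify(event):
    """Return the list of indicator names a single event matches."""
    hits = []
    kind = event["type"]
    if kind == "file" and STARTUP_BAT.search(event["path"]):
        hits.append("startup_bat_persistence")
    if kind == "process":
        image = event["image"].lower()
        cmdline = event.get("cmdline", "")
        if image.endswith("python.exe") and USER_WRITABLE.search(event["image"]):
            hits.append("python_runtime_in_user_dir")
        if image.endswith("cmd.exe") and re.search(r"\.bat", cmdline, re.I) and USER_WRITABLE.search(cmdline):
            hits.append("batch_from_user_dir")
    if kind == "network" and TRYCLOUDFLARE.search(event.get("dest_host", "")):
        hits.append("trycloudflare_egress")
    return hits

def scan(events):
    """Flatten all (event_index, indicator) pairs across a batch of events."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]

def chain_alert(events, threshold=3):
    """Any single indicator is noisy on its own; alert only when several distinct
    stages of the chain are seen together, which is the behavioural pattern that matters."""
    distinct = {h for _, h in scan(events)}
    return len(distinct) >= threshold, sorted(distinct)
```

Tune the threshold and the path patterns to your own environment; the point is correlating several weak signals from the same host rather than alerting on any one of them.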
