Multiple batch scripts have been weaponized to deliver the XWorm, AsyncRAT, and Xeno RAT payloads as part of the new multi-stage VOID#GEIST malware attack campaign, The Hacker News reports.

Intrusions begin with phishing emails that lead to the retrieval of a batch script from a TryCloudflare domain, according to an analysis from Securonix Threat Research. That batch script runs with the logged-in user's permissions to gain initial access: it displays a decoy financial document while launching a PowerShell command that re-executes the original batch script.

After establishing persistence, VOID#GEIST contacts a TryCloudflare domain to retrieve further payloads as ZIP archives whose contents trigger the attack sequence upon extraction; the Python runtime is used to launch the "runn.py" payload, which decrypts and executes XWorm. Subsequent exploitation of the "AppInstallerPythonRedirector.exe" binary facilitates deployment of Xeno RAT, and the same injection technique is leveraged by the Python loader to eventually inject AsyncRAT.

"This repeated injection pattern reinforces the modular architecture of the framework. Instead of delivering a single monolithic payload, the attacker deploys components incrementally, improving flexibility and resilience," researchers said.
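As an added illustration (not code from the Securonix or The Hacker News reporting) of how a defender might correlate the stages described above in endpoint telemetry, the Python below scores hosts against constructed process and network events. The event schema, rule names, sample hostnames and file paths are assumptions; the `.trycloudflare.com` suffix is the domain used by TryCloudflare quick tunnels.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str       # "process" or "network"
    parent: str     # parent image name (process events only)
    image: str      # image name of the acting process
    cmdline: str    # command line (process events only)
    dest: str = ""  # destination hostname (network events only)


# Constructed sample telemetry (not real logs): WS-01 mirrors the reported chain, WS-02 is benign.
SAMPLE = [
    Event("WS-01", "network", "", "powershell.exe", "", "quiet-swan-123.trycloudflare.com"),
    Event("WS-01", "process", "cmd.exe", "powershell.exe",
          'powershell -c "cmd /c C:\\Users\\u\\Downloads\\invoice.bat"', ""),
    Event("WS-01", "process", "cmd.exe", "python.exe",
          "python.exe C:\\Users\\u\\AppData\\Local\\Temp\\x\\runn.py", ""),
    Event("WS-01", "process", "python.exe", "AppInstallerPythonRedirector.exe",
          "AppInstallerPythonRedirector.exe", ""),
    Event("WS-02", "process", "explorer.exe", "python.exe", "python.exe C:\\dev\\build.py", ""),
    Event("WS-02", "network", "", "chrome.exe", "", "www.example.com"),
]

# One predicate per stage the report describes; the rule names are our own labels.
RULES = {
    "batch_relaunch_via_powershell": lambda e: e.kind == "process"
        and e.parent.lower() == "cmd.exe" and e.image.lower() == "powershell.exe"
        and ".bat" in e.cmdline.lower(),
    "python_runs_runn_py": lambda e: e.kind == "process"
        and e.image.lower().startswith("python") and re.search(r"\brunn\.py\b", e.cmdline, re.I),
    "appinstaller_redirector_from_python": lambda e: e.kind == "process"
        and e.parent.lower().startswith("python")
        and e.image.lower() == "appinstallerpythonredirector.exe",
    "trycloudflare_egress": lambda e: e.kind == "network"
        and e.dest.lower().endswith(".trycloudflare.com"),
}


def matched_stages(events):
    """Return {host: set of matched rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits[e.host].add(name)
    return dict(hits)


def flag_hosts(events, min_stages=2):
    """Hosts matching at least min_stages distinct stages; a single hit alone is too noisy to alert on."""
    return sorted(h for h, s in matched_stages(events).items() if len(s) >= min_stages)
```

Running `flag_hosts(SAMPLE)` returns `["WS-01"]`, since only that host matches several distinct stages of the chain.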