VOID#GEIST Malware Campaign Utilizes Trio of RATs for Sophisticated Attacks


VOID#GEIST Malware Campaign: A Trio of Remote Access Trojans

A newly discovered malware campaign, dubbed VOID#GEIST, has been identified as utilizing a trio of remote access trojans (RATs) to compromise targeted systems.

Initial Access and Persistence

The campaign begins with phishing emails that lead the recipient to retrieve a malicious batch script from a domain hosted on TryCloudflare. Once executed, the batch script runs with the logged-in user’s privileges to establish initial access.

A decoy financial document is displayed while a PowerShell command is launched in the background; that command re-executes the original batch script to maintain persistence.

The malware then contacts the TryCloudflare domain to retrieve additional payloads packaged as ZIP archives. Once extracted, the files in these archives trigger the next stage of the attack, using the Python runtime to launch the “runn.py” payload.

Modular Architecture and Payload Deployment

The “runn.py” payload decrypts and executes the XWorm RAT. The Xeno RAT is then deployed via the “AppInstallerPythonRedirector.exe” binary, using the same injection technique as the Python loader.
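The execution chain described above (a batch script that reaches out to a TryCloudflare-hosted domain, a PowerShell re-execution of that batch file for persistence, a Python runtime launching “runn.py”, and the “AppInstallerPythonRedirector.exe” binary) gives a defender several observable behaviours to correlate. The following is an added example, not code from the original article or from the researchers it cites. It scans constructed process-creation and network events in a Sysmon-like shape and reports which of those behaviours appear, then ties them back to the cmd.exe process that launched the batch file. The event field names, the PIDs, the file paths, the subdomain “sample-tunnel.trycloudflare.com” and the rule names are all assumptions made for illustration; only the behaviours themselves come from the article.

```python
"""Added example: correlate the VOID#GEIST execution chain over constructed telemetry.

Nothing here is the campaign's own code. The events below are invented; the
behaviours they model (TryCloudflare contact, PowerShell re-running a .bat file,
Python launching runn.py, AppInstallerPythonRedirector.exe) come from the article.
"""
import re
from collections import defaultdict

# Constructed events. PIDs, paths, and the trycloudflare subdomain are invented.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 10,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\statement.bat"'},
    {"type": "network", "pid": 100,
     "dest_host": "sample-tunnel.trycloudflare.com", "dest_port": 443},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "C:\Users\alice\Downloads\statement.bat"'},
    {"type": "process", "pid": 102, "ppid": 100,
     "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
     "cmdline": r'python.exe runn.py'},
    {"type": "process", "pid": 103, "ppid": 102,
     "image": r"C:\Users\alice\AppData\Local\Temp\AppInstallerPythonRedirector.exe",
     "cmdline": r'AppInstallerPythonRedirector.exe'},
    # Benign activity that must not be flagged.
    {"type": "process", "pid": 200, "ppid": 20,
     "image": r"C:\Python312\python.exe", "cmdline": r'python.exe C:\dev\app\main.py'},
    {"type": "network", "pid": 200, "dest_host": "pypi.org", "dest_port": 443},
    {"type": "process", "pid": 201, "ppid": 20,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command Get-Date'},
]

# trycloudflare.com itself or any subdomain of it.
TRYCLOUDFLARE_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
# A Windows path (or bare name) ending in .bat inside a command line.
BAT_PATH_RE = re.compile(r"[\w:\\./-]+\.bat\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, rule_name) pairs for every event matching one of the behaviours."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "network":
            if TRYCLOUDFLARE_RE.search(e["dest_host"]):
                findings.append((e["pid"], "trycloudflare_contact"))
            continue
        img = basename(e["image"])
        cmd = e["cmdline"]
        parent = procs.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        # PowerShell spawned by a batch script and pointed back at a .bat file.
        if img == "powershell.exe" and parent_img == "cmd.exe" and BAT_PATH_RE.search(cmd):
            findings.append((e["pid"], "powershell_reexecutes_batch"))
        # A Python interpreter (a dropped copy may live anywhere) launching runn.py.
        if img.startswith("python") and "runn.py" in cmd.lower():
            findings.append((e["pid"], "python_runn_py_loader"))
        if img == "appinstallerpythonredirector.exe":
            findings.append((e["pid"], "appinstallerpythonredirector_exec"))
    return findings


def root_batch_process(pid, procs):
    """Walk up the parent chain to the nearest cmd.exe that is running a .bat file."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        p = procs[pid]
        if basename(p["image"]) == "cmd.exe" and BAT_PATH_RE.search(p["cmdline"]):
            return pid
        pid = p["ppid"]
    return None


def correlate(events, min_rules=2):
    """Group findings by the batch-script process that roots them.

    Only roots whose tree triggered at least `min_rules` distinct rules are
    returned, so a single coincidental match does not by itself raise an alert.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    by_root = defaultdict(set)
    for pid, rule in analyze(events):
        root = root_batch_process(pid, procs)
        if root is not None:
            by_root[root].add(rule)
    return {r: sorted(rules) for r, rules in by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    for root, rules in correlate(SAMPLE_EVENTS).items():
        print(f"chain rooted at cmd.exe pid {root}: {', '.join(rules)}")
```

The per-event rules are deliberately narrow, so the value is in `correlate`: a single PowerShell call that names a `.bat` file, or one connection to a TryCloudflare subdomain, is weak evidence on its own, but two or more of these behaviours under the same batch-script process is the pattern the article describes. Real telemetry will use different field names and the dropped interpreter may not be called `python.exe`, so the matching in `analyze` is the part to adapt.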

Researchers note that the VOID#GEIST campaign’s modular architecture is reinforced by this repeated injection pattern. Rather than delivering a single monolithic payload, the attackers deploy components incrementally, which improves the campaign’s flexibility and resilience.

This approach enables the campaign to adapt to changing environments and evade detection.

Implications and Recommendations

The VOID#GEIST campaign’s use of multiple RATs, including XWorm, AsyncRAT, and Xeno RAT, highlights the attackers’ ability to diversify their toolkit and maintain persistence within compromised systems.

The campaign’s reliance on phishing emails and malicious batch scripts underscores the importance of robust email security and user education in preventing initial access.

The deployment of the VOID#GEIST malware campaign serves as a reminder of the evolving threat landscape and the need for organizations to remain vigilant in their cybersecurity efforts.

By understanding the tactics, techniques, and procedures (TTPs) employed by attackers, defenders can better equip themselves to detect and respond to emerging threats.
