Microsoft Threat Intelligence has identified a new threat involving trojanized gaming utilities, such as Xeno.exe and RobloxPlayerBeta.exe, which are being used to distribute a Windows remote access trojan (RAT). This malware campaign is targeting users by disguising itself as legitimate gaming tools.
Malware Distribution and Techniques
The initial phase of the attack involves the installation of a portable Java runtime and the execution of jd-gui.jar. The malware then leverages PowerShell and trusted Windows binaries, known as LOLBins, such as cmstp.exe, to download a payload named update.exe from domains like powercatdog and PythonAnywhere-hosted endpoints. Because the download is carried out by signed, trusted Windows binaries rather than by the malware itself, it is less likely to be blocked by security controls that implicitly trust those binaries.
Persistence and Defense Evasion
Once installed, the malware removes traces of the original downloader and adds exclusions in Microsoft Defender for its malicious files. It establishes persistence through scheduled tasks and a startup script called world.vbs. The final payload acts as a loader, runner, downloader, and remote access tool, granting attackers prolonged control over the infected system.
Security Recommendations
Microsoft Defender is capable of detecting this malware and its behavior patterns. However, organizations are advised to monitor outbound traffic, block the identified domains and IPs, and scrutinize or remove suspicious Defender exclusions, scheduled tasks, and startup scripts. Users are strongly cautioned against downloading or running unofficial game utilities shared in online chats or forums.
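The following triage script, added here as an example and not taken from Microsoft's report, enumerates the three persistence points the recommendations name (Defender exclusions, scheduled tasks, and startup entries) and flags any that reference the file names mentioned above. The flagged-name list and the script-host/LOLBin regex are assumptions drawn from this page; adjust them to your own intelligence and run the script elevated.

```powershell
# Added triage example; names below come from this report plus common script hosts.
$suspicious = @('world.vbs', 'update.exe', 'jd-gui.jar', 'cmstp.exe', 'xeno.exe', 'robloxplayerbeta.exe')
$findings = @()

function Test-Suspicious([string]$text) {
    if (-not $text) { return $false }
    foreach ($s in $suspicious) { if ($text.ToLower().Contains($s)) { return $true } }
    return $false
}

# 1. Defender exclusions: every path/process exclusion deserves review; known names are flagged.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in $pref.$kind) {
        $findings += [pscustomobject]@{ Source = "Defender $kind"; Item = $item; Flag = (Test-Suspicious $item) }
    }
}

# 2. Scheduled tasks whose action launches a script host or LOLBin (regex is an assumption).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'wscript|cscript|powershell|cmstp|mshta' -or (Test-Suspicious $cmd)) {
            $findings += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Item = $cmd; Flag = (Test-Suspicious $cmd) }
        }
    }
}

# 3. Startup folders and Run keys, where a script such as world.vbs would be registered.
$startup = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
             "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($dir in $startup) {
    Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Source = 'Startup folder'; Item = $_.FullName; Flag = (Test-Suspicious $_.Name) }
    }
}
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $findings += [pscustomobject]@{ Source = "Run $key"; Item = "$($_.Name) = $($_.Value)"; Flag = (Test-Suspicious "$($_.Value)") }
        }
    }
}

# Flagged entries first; unflagged exclusions and script-host tasks still warrant a manual look.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```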