
BatCloak: Obfuscation Solution Outwitting 80% of AV Engines

Trend Micro cautioned that the utilization of BatCloak, a tool designed to obfuscate batch files, has proven effective in enabling malicious BAT files to evade antivirus detection engines with an 80% success rate. The researchers uncovered hundreds of heavily obfuscated batch files used for the deployment of modified and fully undetectable (FUD) malware. These files utilize BatCloak for obfuscation.

Diving into details

  • From an analysis of hundreds of batch samples obtained from a public repository, an astonishing 80% of the samples showed no detections by security solutions. This highlights the effectiveness of BatCloak in evading conventional detection methods used by security tools.
  • Furthermore, when considering the entire sample set of 784, the average detection rate was less than one, underscoring the difficulty in identifying and mitigating threats associated with malware protected by BatCloak.
  • Since 2022, the overwhelming majority of the collected samples have demonstrated the ability to consistently bypass antivirus detection. This allows threat actors to effortlessly load various malware families and exploits using extensively obfuscated batch files.

How is BatCloak related to ScrubCrypt?

ScrubCrypt is the latest version of the BatCloak engine, which represents a notable advancement in batch obfuscation techniques.

  • The developers' transition from an open-source framework to a closed-source model is driven by the achievements of previous projects such as Jlaive, as well as the aim to monetize the project and safeguard it against unauthorized replication.
  • Apart from the malware’s FUD capabilities, the authors incorporate functionalities aimed at infiltrating host-based security measures, including UAC bypass, anti-debugging capabilities, AMSI bypass, and Event Tracing for Windows (ETW) bypass.
  • ScrubCrypt was used by the 8220 gang, between January and February, to conduct a campaign targeting Oracle WebLogic Server vulnerabilities for cryptomining.

The bottom line

This ongoing research showcases the continuous evolution of the BatCloak engine, aiming to achieve compatibility with a wide range of malware families, thereby demonstrating its remarkable modularity. The progressive development of BatCloak emphasizes its versatility and adaptability, particularly in the realm of batch obfuscation. This serves as evidence of the prevalence of this technique in the contemporary threat landscape and the need for a better understanding of the threat actor tactics, techniques, and procedures to counter such intrusions.
Publisher: Cyware