Fully undetectable obfuscation malware (FUD) machine name. Bat Cloak used to spread various types of malware since September 2022, while continuing to evade antivirus detection.
The sample gives “threat actors the ability to load multiple malware families and exploit them easily via highly obfuscated batch files,” Trend Micro researchers said.
About 79.6% of the total 784 artifacts unearthed had no detection across all security solutions, the cybersecurity firm added, highlighting BatCloak’s ability to circumvent traditional detection mechanisms.
The BatCloak engine forms the core of a ready-to-use batch file generator tool called Jlaive, which comes with the ability to bypass the Antimalware Scan Interface (AMSI) as well as compress and encrypt the main payload to achieve higher security evasion.
The open source tool, although removed since being made available via GitHub and GitLab in September 2022 by a developer called ch2sh, has been advertised as “EXE to BAT crypter”. It has since been cloned and modified by other actors and ported to languages like Rust.
The final payload is encapsulated using three layers of loaders – C# loader, PowerShell loader, and batch loader – the latter serving as the starting point for decoding and disassembling each stage and finally detonating the hidden malware.
“The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary,” say researchers Peter Girnus and Aliakbar Zahravi. “Ultimately, Jlaive used BatCloak as a file obfuscation engine to obfuscate the batch loader and store it on disk.”
BatCloak is said to have received many updates and adaptations since its appearance in the wild, its latest version being ScrubCrypt, which was first highlighted by Fortinet FortiGuard Labs in connection with a cryptojacking operation carried out by the 8220 Gang.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
“The decision to move from an open-source framework to a closed-source model, taken by the developers of ScrubCrypt, can be attributed to the achievements of previous projects such as Jlaive, as well as the desire to monetize the project and protect it against unauthorized replication,” the researchers said.
What’s more, ScrubCrypt is designed to be interoperable with various well-known malware families such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.
“The evolution of the BatCloak underscores the flexibility and adaptability of this machine and highlights the development of a batch FUD obfuscator,” the researchers concluded. “This demonstrates the presence of these techniques in the modern threat landscape.”