BatCloak: Unveiling the Prowess of the Undetectable Malware Obfuscator
Last week, research personnel from Trend Micro presented an elaborate discourse on an advanced malevolent software obfuscation engine, christened BatCloak. Since September of 2022, hackers have employed this entirely undetectable (FUD) obfuscation engine to deploy various malicious software, adeptly perpetuating their evasion of antivirus software detection.
Trend Micro conducted an extensive analysis of hundreds of batch samples procured from public repositories, revealing that a staggering 80% of these samples remained undetected in security solutions. This revelation underscored BatCloak’s prowess in evading conventional detection mechanisms employed by security service providers.
Investigators identified BatCloak as the crux of a batch file creation tool, named Jlaive, which has the capacity to circumnavigate Anti-Malware Scanning Interfaces (AMSI), and to compress and encrypt primary payloads for enhanced security evasion. Despite its removal by developer ch2sh, this open-source tool, initially disseminated via GitHub and GitLab in September 2022, continues to be replicated and modified by others, and ported to languages like Rust, under the moniker “EXE to BAT encryptor.”
The analysis report published by Trend Micro elucidated, “Once the primary payload has been compressed and encrypted, the crypter builds the first binary loader and places the user-encrypted payload, renamed payload.exe into the loader resource. The loader binary is generated based on a file called Stub.cs, a C# file located in the Resources folder.”
Since its initial introduction, BatCloak malware has been subjected to numerous updates and refinements, the latest of which has been termed ScrubCrypt, initially associated with the investigation of the cryptocurrency hijacking case by the 8220 Gang by Fortinet FortiGuard Labs. ScrubCrypt, according to the analysis, has been engineered to be compatible with several renowned malicious software families, such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.
Researchers concluded that the evolution of BatCloak accentuates the flexibility and adaptability of the engine. Comprehending the constant metamorphosis of advanced malicious software technologies like FUD batch obfuscator BatCloak enables us to devise more efficacious strategies against these complex adversaries. These revelations highlight the exigency for enhanced methods of malicious software detection and prevention, such as advanced multilayered defense strategies and comprehensive security solutions.
