BatCloak is a FUD

Malware detection is typically done using virus definitions, or signatures, stored in a database.  Security products such as antivirus scanners compare files against that database to decide whether they are benign or malicious: a file that matches no entry is treated as good, and a file that matches an entry is flagged as bad.  In practice this works much like an advanced blacklist.

Malware authors understand how security products work and build malware that these products cannot detect.  In the underground, such malware is described with the term Fully Undetectable (FUD): malware whose authors guarantee that antivirus products will not detect it.  The bad news is that a FUD malware obfuscation engine named BatCloak has been used to deploy various malware strains since September 2022 while persistently evading antivirus detection.  According to researchers, the samples grant "threat actors the ability to load numerous malware families and exploit with ease through highly obfuscated batch files."  About 79.6% of the 784 artifacts unearthed have no detection across all security solutions, the cybersecurity investigators added, highlighting BatCloak's ability to circumvent traditional detection mechanisms.[1]

The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass the Antimalware Scan Interface (AMSI) as well as to compress and encrypt the primary payload to achieve heightened security evasion.  Although it has since been taken down, the open-source tool was made available via GitHub and GitLab in September 2022 by a developer named ch2sh and advertised as an "EXE to BAT crypto."  It has since been cloned and modified by other actors and ported to languages such as Rust.

The final payload is encapsulated using three loader layers: a C# loader, a PowerShell loader, and a batch loader, the last of which acts as the starting point to decode and unpack each stage and ultimately detonate the concealed malware.  "The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary," researchers Peter Girnus and Aliakbar Zahravi said.  "In the end, Jlaive uses BatCloak as a file obfuscation engine to obfuscate the batch loader and save it on a disk."

BatCloak is said to have received numerous updates and adaptations since its emergence in the wild, its most recent version being ScrubCrypt, used in connection with a crypto-jacking operation mounted by the 8220 Gang.  The 8220 Gang (also known as the "8220 Mining Group," a name derived from its use of port 8220 for command-and-control, or C&C, communications) has been active since 2017 and continues to scan for vulnerable applications in cloud and container environments.  Researchers have documented this group targeting Oracle WebLogic, Apache Log4j, and Atlassian Confluence vulnerabilities, as well as misconfigured Docker containers, to deploy cryptocurrency miners on Linux and Microsoft Windows hosts.  The group has been documented using Tsunami malware, the XMRIG cryptominer, masscan, and spirit, among other tools, in its campaigns.

The decision by the developer of ScrubCrypt to transition from an open-source framework to a closed-source model can be attributed to the success of prior projects such as Jlaive, the desire to monetize the project, and the wish to safeguard it against unauthorized replication.  ScrubCrypt is designed to be interoperable with various well-known malware families such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

The researchers concluded that the evolution of BatCloak underscores the flexibility and adaptability of this engine and highlights the ongoing development of FUD batch obfuscators, showcasing the presence of this technique across the modern threat landscape.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

[1] https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html
