Tuesday, May 21, 2024

Unveiling Cybercriminals' Malware Concealment Techniques

A new malware obfuscation engine called BatCloak has been discovered after remaining fully undetectable for a period. It has enabled threat actors to deploy different types of malware while avoiding detection by antivirus systems.

Researchers from Trend Micro found that 79.6% of the 784 artefacts analyzed were not detected by any security solution, indicating BatCloak’s effectiveness in evading traditional detection methods.

BatCloak is a critical component of a batch file builder tool called Jlaive, previously available on GitHub and GitLab. Jlaive offers features such as bypassing the Antimalware Scan Interface (AMSI), compressing, and encrypting the primary payload to enhance security evasion. Other threat actors have cloned and modified Jlaive, porting it to languages like Rust.

The final payload created by BatCloak consists of three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader is the starting point for decoding and unpacking each stage, ultimately activating the concealed malware. The batch loader includes an obfuscated PowerShell loader and an encrypted C# stub binary. BatCloak itself is the file obfuscation engine that obfuscates the batch loader and saves it to disk.
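Because the batch loader described above has to carry the encrypted C# stub inside a script file, one structural triage signal is a batch file that consists mostly of long, high-entropy lines and also starts PowerShell. The following is an added example, not code from this article or from Trend Micro; the thresholds, function names and both sample scripts are assumptions constructed for illustration, and the check is a generic heuristic rather than a BatCloak signature.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Assumed triage thresholds, not values from the article or any vendor.
MIN_BLOB_LEN = 512     # a "long" line, in characters
MIN_ENTROPY = 5.0      # bits per character; base64 of ciphertext approaches 6.0
MIN_BLOB_SHARE = 0.6   # fraction of the script occupied by such lines

def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def triage_batch(text: str) -> dict:
    """Flag a script that is mostly opaque data and also starts PowerShell."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    total = sum(len(ln) for ln in lines) or 1
    blobs = [ln for ln in lines
             if len(ln) >= MIN_BLOB_LEN and shannon_entropy(ln) >= MIN_ENTROPY]
    share = sum(len(ln) for ln in blobs) / total
    starts_ps = bool(re.search(r"\bpowershell(\.exe)?\b", text, re.IGNORECASE))
    return {
        "blob_lines": len(blobs),
        "blob_share": round(share, 2),
        "starts_powershell": starts_ps,
        "suspicious": bool(blobs) and share >= MIN_BLOB_SHARE and starts_ps,
    }

# Constructed samples. The "carrier" holds inert pseudo-random bytes standing in
# for an encrypted stub; it is not a real loader and decodes nothing.
_filler = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(48))
CARRIER = "\n".join([
    "@echo off",
    'powershell -NoProfile -Command "Write-Output placeholder"',
    ":: " + base64.b64encode(_filler).decode("ascii"),
])
BENIGN = "\n".join([
    "@echo off",
    "set BACKUP=D:\\backup",
    "xcopy C:\\reports %BACKUP% /E /Y",
    'powershell -NoProfile -Command "Get-Date"',
])

if __name__ == "__main__":
    for name, sample in (("carrier", CARRIER), ("benign", BENIGN)):
        print(name, triage_batch(sample))
```

A hit is a reason to send the file for sandboxing or manual review, not a verdict: a payload split across many short lines would fall below the assumed length threshold.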

BatCloak has undergone several updates and adaptations, with the latest version known as ScrubCrypt. Fortinet FortiGuard Labs revealed this version in connection with a cryptojacking operation conducted by the 8220 Gang.

According to the researcher, the transition from an open-source framework to a closed-source model, seen in ScrubCrypt, was likely driven by the success of previous projects like Jlaive and the desire to monetize and protect the code from unauthorized replication.

The design of ScrubCrypt enables it to work with various established malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

The evolution of BatCloak highlights its flexibility and adaptability, demonstrating the development of fully undetectable batch obfuscators. This technique plays a significant role in the modern threat landscape, emphasizing the need for robust security measures to counter such sophisticated attacks.


