
A Fully Undetectable (FUD) malware obfuscation engine named BatCloak has been used to deploy various malware strains since September 2022 while continuously evading antivirus detection.
Trend Micro researchers said the sample “allows threat actors to easily load numerous malware families and exploits through highly obfuscated batch files.”
About 79.6% of the 784 artifacts unearthed went undetected across all security solutions, the cybersecurity firm added, highlighting BatCloak’s ability to evade traditional detection mechanisms.

The BatCloak engine forms the core of an off-the-shelf batch file builder tool called Jlaive. The tool can bypass the Antimalware Scan Interface (AMSI) and compress and encrypt the primary payload for advanced security evasion.
The open-source tool was made available via GitHub and GitLab in September 2022 by a developer named ch2sh, where it was promoted as an “EXE to BAT crypter”. It has since been cloned and modified by other actors and ported to languages such as Rust.

The final payload is encapsulated using three loader layers: a C# loader, a PowerShell loader, and a batch loader. The last of these, the batch loader, serves as the starting point for decoding and decompressing each stage and finally detonating the hidden malware.
“The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary,” said researchers Peter Girnus and Aliakbar Zahravi. “Finally, Jlaive uses BatCloak as the file obfuscation engine to obfuscate the batch loader and save it to disk.”
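As an added illustration from the defender's side (not code from Trend Micro or the page), here is a triage heuristic for the loader shape just described: a batch file that hands off to PowerShell while carrying obfuscation traits. The thresholds, indicator names and both sample scripts are constructed assumptions, not BatCloak or Jlaive signatures.

```python
import math
import re
from collections import Counter

# Constructed samples (not BatCloak/Jlaive output): a plain admin script and a
# stand-in for the batch-to-PowerShell loader shape the article describes.
BENIGN_BAT = (b"@echo off\r\n"
              b"rem nightly log rotation\r\n"
              b"copy C:\\logs\\*.log D:\\backup\\ >nul\r\n"
              b"powershell -NoProfile -Command \"Get-Date | Out-File D:\\backup\\last_run.txt\"\r\n"
              b"exit /b 0\r\n")
_BLOB = "".join(chr(65 + (i * 7) % 26) for i in range(300))   # stand-in for an encoded stage
SUSPECT_BAT = (b"@echo off\r\n"
               + bytes(range(0x80, 0x100)) * 2 + b"\r\n"       # non-ASCII junk padding
               + b"s^e^t \"q=" + _BLOB.encode() + b"\"\r\n"
               + b"p^o^w^e^r^s^h^e^l^l -w hidden -e^n^c %q%\r\n")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted stages sit near 8, plain scripts well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def batch_loader_indicators(data: bytes) -> dict:
    """Heuristic traits of an obfuscated batch loader (assumed thresholds, not signatures)."""
    text = data.decode("latin-1")            # one char per byte, never fails
    decareted = text.replace("^", "")        # undo caret insertion such as p^o^w^e^r^s^h^e^l^l
    lines = [ln for ln in decareted.splitlines() if ln.strip()]
    return {
        "entropy": round(shannon_entropy(data), 2),
        "non_ascii_ratio": round(sum(b > 0x7E for b in data) / max(len(data), 1), 2),
        "carets": text.count("^"),
        "powershell_handoff": bool(re.search(r"powershell|pwsh", decareted, re.I)),
        "encoded_command": bool(re.search(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", decareted, re.I)),
        "long_blob": bool(re.search(r"[A-Za-z0-9+/=]{200,}", decareted)),
        "long_line": max((len(ln) for ln in lines), default=0) > 1000,
    }

def is_suspicious(data: bytes) -> bool:
    """Flag a PowerShell hand-off corroborated by obfuscation traits, or traits alone piling up."""
    ind = batch_loader_indicators(data)
    hits = sum([ind["entropy"] > 5.5, ind["non_ascii_ratio"] > 0.2, ind["carets"] > 10,
                ind["encoded_command"], ind["long_blob"], ind["long_line"]])
    return (ind["powershell_handoff"] and hits >= 2) or hits >= 3

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_BAT), ("suspect", SUSPECT_BAT)):
        print(name, is_suspicious(sample), batch_loader_indicators(sample))
```

A plain PowerShell call alone does not trip the check, so ordinary admin scripts pass while a file combining the hand-off with caret insertion, a long encoded blob or non-ASCII padding is queued for analysis.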
BatCloak is said to have undergone numerous updates and adaptations since its appearance in the wild, the latest version being ScrubCrypt, which was first noticed by Fortinet FortiGuard Labs in connection with a cryptojacking operation staged by the 8220 Gang.
“The decision made by the developers of ScrubCrypt to move from an open source framework to a closed source model can be attributed to previous projects such as Jlaive and a desire to monetize and protect the project, preventing unauthorized duplication,” the researchers said.
Additionally, ScrubCrypt is designed to interoperate with various well-known malware families such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.
The researchers concluded: “BatCloak’s evolution underscores the flexibility and adaptability of this engine and the development of FUD batch obfuscation tools. This demonstrates the presence of this technique throughout the modern threat landscape.”