Malware turning undetectable through BatCloak Engine


A malware obfuscation engine called BatCloak has been actively used since September 2022 to deploy different types of malware, managing to avoid detection by antivirus programs. 

According to researchers from Trend Micro, the engine lets threat actors quickly load various malware families and exploits through heavily obfuscated batch files.


Remarkably, about 79.6% of the 784 artifacts discovered remained undetectable by all security solutions, highlighting BatCloak’s ability to evade traditional detection methods.

What is FUD malware?

The term “fully undetectable malware” or FUD describes malicious software that aims to evade antivirus and security solutions. To attain FUD status, malware employs encryption, obfuscation, and polymorphism. 


The objective of FUD malware is to stay utterly unnoticed within compromised systems, enabling threat actors to engage in a broad range of malicious actions, including but not limited to cyber espionage. The attainment of FUD status typically occurs gradually through an ongoing cycle of continuous malware advancement.

Is it really undetectable?

At the heart of this technology is a batch file builder called Jlaive, which is fully undetectable and includes features to bypass the Antimalware Scan Interface (AMSI). It can also compress and encrypt the primary payload, further improving its ability to evade security measures.

Although Jlaive was initially released as an “EXE to BAT crypter” on platforms like GitHub and GitLab by a developer named ch2sh, it has been cloned and modified by other individuals, who have even ported it to different programming languages like Rust. 


How does it work?

The final payload is concealed within three loader layers: 

  1. C# loader
  2. PowerShell loader
  3. Batch loader

The batch loader is the entry point: it decodes and unpacks each stage in turn, ultimately launching the hidden malware. The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary. Jlaive uses BatCloak as a file obfuscation engine to camouflage the batch loader and write it to disk.
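As an added defender-side example (not code from the article, Trend Micro or Fortinet), the following Python triages a batch file for the traits described above: a large high-entropy blob standing in for the compressed or encrypted stub, batch-level string obfuscation, and a hand-off to PowerShell. The sample batch content, the regexes and the score thresholds are constructed assumptions, and because a real loader may split the string "powershell" across variables, the script combines several signals rather than relying on any one of them.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for the compressed/encrypted stub a BatCloak-style
# batch loader embeds: high-entropy text derived from hashes, NOT real malware.
_BLOB = "".join(
    base64.b64encode(hashlib.sha512(f"sample-{i}".encode()).digest()).decode()
    for i in range(8)
)

# Constructed sample mimicking the layering described in the article: batch
# substring-expansion obfuscation, a PowerShell invocation, and an opaque blob.
SAMPLE_OBFUSCATED_BAT = "\n".join([
    "@echo off",
    "set a=powershell",
    "set b=%a:~0,5%%a:~5,5%",
    "%b% -NoProfile -Command \"$p='" + _BLOB + "'\"",
])
# Constructed benign script used as a control.
SAMPLE_BENIGN_BAT = "@echo off\necho Backing up logs\nxcopy C:\\logs D:\\backup /E /Y\n"

# %var:~start,len% is the classic batch trick for assembling strings piecewise.
SUBSTRING_EXPANSION = re.compile(r"%[^%:\s]+:~-?\d+(?:,-?\d+)?%")
POWERSHELL_HINT = re.compile(r"powershell|pwsh|-EncodedCommand|FromBase64String", re.I)

def shannon_entropy(text: str) -> float:
    """Bits per character; random base64/encrypted text scores near 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def triage_batch(content: str) -> dict:
    """Score a batch file on the three loader traits; thresholds are assumptions."""
    lines = content.splitlines()
    longest = max(lines, key=len) if lines else ""
    f = {
        "longest_line": len(longest),
        "max_line_entropy": round(shannon_entropy(longest), 2),
        "substring_expansions": len(SUBSTRING_EXPANSION.findall(content)),
        "powershell_hint": bool(POWERSHELL_HINT.search(content)),
    }
    score = 0
    if f["longest_line"] > 500 and f["max_line_entropy"] > 5.0:
        score += 2  # large opaque blob: a compressed/encrypted next stage
    if f["substring_expansions"] >= 2:
        score += 1  # batch-level string assembly hiding commands
    if f["powershell_hint"]:
        score += 1  # hand-off to the PowerShell loader layer
    f["score"], f["suspicious"] = score, score >= 3
    return f
```

The output is a triage score for a sandbox or mail-gateway pipeline, not a verdict; a flagged file should still be detonated or reviewed.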

BatCloak has undergone several updates and adaptations since it first emerged, with the most recent version being ScrubCrypt, which was connected to a crypto-jacking operation conducted by the 8220 Gang and initially reported by Fortinet FortiGuard Labs. 


The developer of ScrubCrypt chose to transition from an open-source framework to a closed-source model to protect the project against unauthorized replication and monetize its capabilities.

Notably, ScrubCrypt is designed to be compatible with various well-known malware families, such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

What to learn?

The evolution of BatCloak demonstrates the flexibility and adaptability of this engine and highlights the maturing of fully undetectable batch obfuscators, a technique that is now widely used across the modern threat landscape.

The continued evolution of such malware builders makes a multi-layered defense strategy and comprehensive security solutions essential. Another remote access trojan (RAT), SeroXen, also belongs to the FUD malware category and has drawn attention to the need for stronger security controls.

Author: PureVPN

Date: June 15, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
