Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable
2023-06-12 10:03

A malware obfuscation engine named BatCloak, marketed as fully undetectable (FUD), has been used to deploy various malware strains since September 2022 while persistently evading antivirus detection.

The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers said.

The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which can bypass the Antimalware Scan Interface (AMSI) and also compresses and encrypts the primary payload to improve evasion.

The final payload is wrapped in three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader is the entry point; when run, it decodes and unpacks each subsequent stage and ultimately detonates the concealed malware.

"In the end, Jlaive uses BatCloak as a file obfuscation engine to obfuscate the batch loader and save it on disk," the researchers added.
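Because the batch loader is the stage an analyst sees first, a useful triage step is to statically resolve the obfuscation before anything executes. The script below is an added example for this article, not code from Trend Micro or from the BatCloak/Jlaive tooling: it builds a constructed toy batch file that hides a PowerShell invocation behind %var% substitution and %var:~start,len% substring tricks (a generic batch-obfuscation style, not a real BatCloak sample), resolves the substitutions the way cmd.exe would at set time, decodes the resulting -EncodedCommand payload, and flags the indicators a practitioner would look for. The embedded stage-2 string only name-checks the AmsiUtils type so the AMSI indicator fires; it is a placeholder, not a working bypass.

```python
"""Static unpacking of a variable-substitution obfuscated batch loader.

Added example; the sample batch file, variable names and stage-2 text
below are constructed for illustration and are not a real BatCloak or
Jlaive artifact.
"""
import base64
import re

# Constructed stage-2 placeholder: references the AmsiUtils type name so the
# detection below has something to find, but does not implement a bypass.
STAGE2 = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');"
          "Write-Host 'stage 2 placeholder'")
# PowerShell -EncodedCommand expects base64 of the UTF-16LE command text.
STAGE2_B64 = base64.b64encode(STAGE2.encode("utf-16le")).decode("ascii")

# Constructed obfuscated batch loader (toy sample, not a real artifact).
SAMPLE_BAT = f"""@echo off
set "xq=pow"
set "zz=ers"
set "abc=hell"
set "full=%xq%%zz%%abc%"
set "junk=QWERTYhidden123"
set "mode=%junk:~6,6%"
set "flag=-EncodedCommand"
%full% -nop -w %mode% %flag% {STAGE2_B64}
"""

SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=([^"\r\n]*)"?\s*$', re.IGNORECASE)
VAR_RE = re.compile(r"%([^%]+)%")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Triage indicators checked against the resolved loader and decoded stages.
INDICATORS = {
    "powershell": r"powershell(?:\.exe)?",
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "encoded_command": r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]+",
    "amsi_tamper": r"amsiutils|amsiinitfailed|amsiscanbuffer",
    "exec_policy_bypass": r"-ep\s+bypass|-executionpolicy\s+bypass",
}


def expand(line, env):
    """Expand %var% and %var:~start,len% references using the current env.

    Unknown variables are left untouched, as cmd.exe would do. Expansion is
    repeated because a resolved value may itself contain references; the
    iteration cap guards against self-referencing cycles.
    """
    def repl(m):
        name, sep, spec = m.group(1).partition(":~")
        value = env.get(name.lower())
        if value is None:
            return m.group(0)
        if not sep:
            return value
        start_s, _, len_s = spec.partition(",")
        start = int(start_s or 0)
        if start < 0:  # negative start counts from the end of the string
            start = max(len(value) + start, 0)
        if not len_s:
            return value[start:]
        length = int(len_s)
        # positive length = character count; negative = drop from the end
        return value[start:start + length] if length >= 0 else value[start:length]

    for _ in range(20):
        new = VAR_RE.sub(repl, line)
        if new == line:
            break
        line = new
    return line


def unpack(batch_text):
    """Replay `set` assignments and return (env, resolved non-set lines)."""
    env, resolved = {}, []
    for raw in batch_text.splitlines():
        m = SET_RE.match(raw)
        if m:
            env[m.group(1).lower()] = expand(m.group(2), env)
        elif raw.strip():
            resolved.append(expand(raw, env))
    return env, resolved


def decode_encoded_command(line):
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None."""
    m = ENC_RE.search(line)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None


def triage(batch_text):
    """Resolve the loader, decode embedded stages and collect indicator hits."""
    _, lines = unpack(batch_text)
    decoded = [d for d in (decode_encoded_command(l) for l in lines) if d]
    haystack = "\n".join(lines + decoded)
    hits = sorted(n for n, p in INDICATORS.items() if re.search(p, haystack, re.IGNORECASE))
    return {"resolved": lines, "decoded": decoded, "indicators": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_BAT)
    print("\n".join(report["resolved"]))
    print("decoded:", report["decoded"])
    print("indicators:", report["indicators"])
```

The resolver deliberately mimics immediate (set-time) expansion only; loaders that rely on delayed expansion (!var!), `call` re-parsing or `for /f` tricks need a richer emulator, so treat an empty or partial result as "could not resolve", not as "benign".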

ScrubCrypt, a later builder that reuses the BatCloak engine, is designed to be interoperable with various well-known malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

"The evolution of BatCloak underscores the flexibility and adaptability of this engine and highlights the development of FUD batch obfuscators," the researchers concluded.


News URL

https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html