Trend Micro has issued a warning about the effectiveness of BatCloak, a batch-file obfuscation engine that has let malicious BAT files slip past antivirus engines roughly 80% of the time. Researchers have found numerous heavily obfuscated batch files, all produced with BatCloak, being used to deliver modified, fully undetectable (FUD) malware.
In an analysis of hundreds of batch samples collected from a public repository, 80% of the samples went undetected by antivirus engines, which shows how effectively BatCloak bypasses the traditional detection methods those products rely on.
Across the 784 samples examined, the average number of engines flagging a given sample was less than one, which shows how hard it is to identify, let alone mitigate, malware protected by BatCloak.
Since 2022, most collected samples have consistently evaded antivirus detection, letting threat actors use these heavily obfuscated batch files as loaders for a wide range of malware families and exploits.
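The detection statistics above say nothing about what makes these files hard to detect. The following heuristic scanner is an added example, not part of Trend Micro's research and not BatCloak or ScrubCrypt code; it flags two tricks common in obfuscated batch files in general: assembling strings one character at a time with %var:~n,1% substring expansion, and hiding command-line switches behind caret (^) escapes. The two samples, the feature names and the thresholds are all constructed for this example and would need tuning against real data before use.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples for this example (not real BatCloak output).
# BENIGN is an ordinary admin script; OBFUSCATED assembles the string
# "powershell.exe" one character at a time with %var:~n,1% substring
# expansion and hides command-line switches behind caret (^) escapes,
# two tricks that are common in obfuscated batch files.
BENIGN = r"""@echo off
set LOGDIR=C:\logs
if not exist %LOGDIR% mkdir %LOGDIR%
xcopy /s /y C:\data %LOGDIR%\backup
echo Backup complete >> %LOGDIR%\backup.log
"""

OBFUSCATED = r"""@echo off
set "k=rehslpwo.x"
set "z=%k:~5,1%%k:~7,1%%k:~6,1%%k:~0,1%%k:~1,1%%k:~2,1%%k:~3,1%%k:~1,1%%k:~4,1%%k:~4,1%%k:~8,1%%k:~1,1%%k:~9,1%%k:~1,1%"
set "f=-^N^o^P^r^o^f^i^l^e -^C^o^m^m^a^n^d"
%z% %f% "Get-Date"
"""

# %var:~start,len% (or !var:~start,len! under delayed expansion): a slice of a
# variable, the building block for assembling strings character by character.
SUBSTR_RE = re.compile(r"[%!][A-Za-z_][A-Za-z0-9_]*:~-?\d+(?:,-?\d+)?[%!]")
SET_RE = re.compile(r"\s*set\b", re.IGNORECASE)

# Assumed, tunable thresholds; an indicator fires when its feature >= limit.
THRESHOLDS = {
    "substr_expansions": 5,   # five or more single-character slices
    "caret_ratio": 0.02,      # 2% or more of non-space characters are '^'
    "set_ratio": 0.5,         # half or more of the lines are 'set' statements
    "max_line_len": 120,      # longer than hand-written batch lines usually are
}
MIN_HITS = 2  # indicators needed before a file is called suspicious


def batch_features(script: str) -> Dict[str, float]:
    """Extract obfuscation-related features from batch file text."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    nonspace = sum(len("".join(ln.split())) for ln in lines) or 1
    set_lines = sum(1 for ln in lines if SET_RE.match(ln))
    return {
        "substr_expansions": len(SUBSTR_RE.findall(script)),
        "caret_ratio": script.count("^") / nonspace,
        "set_ratio": set_lines / (len(lines) or 1),
        "max_line_len": max((len(ln) for ln in lines), default=0),
    }


def score_batch(script: str) -> Tuple[int, List[str]]:
    """Return (number of indicators hit, names of the indicators that fired)."""
    feats = batch_features(script)
    hits = [name for name, limit in THRESHOLDS.items() if feats[name] >= limit]
    return len(hits), hits


def is_suspicious(script: str) -> bool:
    """Verdict: suspicious once MIN_HITS independent indicators agree."""
    return score_batch(script)[0] >= MIN_HITS


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        score, hits = score_batch(sample)
        print(f"{label}: score={score} hits={hits} suspicious={is_suspicious(sample)}")
```

Real obfuscated samples are far larger than the toy above, with lines running to kilobytes, so the line-length and expansion-count indicators fire much harder on them. Static heuristics of this kind are also exactly what an engine like ScrubCrypt is built to slip past, so they belong beside execution-time telemetry (script block logging, AMSI, process creation events) rather than in place of it.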
ScrubCrypt is the latest iteration of the BatCloak engine and a significant advance in batch obfuscation. Its developers moved from an open-source framework to a closed-source model, motivated by the success of the earlier open-source project Jlaive and by the wish to monetize the tool while protecting it from being copied.
Beyond making malware fully undetectable, ScrubCrypt includes features intended to defeat host-based defenses: a UAC bypass, anti-debugging checks, an AMSI bypass, and an Event Tracing for Windows (ETW) bypass. The 8220 Gang used ScrubCrypt in a campaign between January and February that exploited Oracle WebLogic Server vulnerabilities to deploy cryptominers.
This ongoing research shows the continuous development of the BatCloak engine, which aims to support a wide range of malware families and demonstrates how versatile and adaptable batch obfuscation has become. Its prevalence in today's threat landscape makes a better understanding of threat actors' tactics, techniques, and procedures essential to countering such intrusions.