BatCloak’s New Obfuscation Engine Outperforms 80% of Antiviruses

Batcloak obfuscation engine

Trend Micro researchers reported recently that since September 2022, attackers have been actively using a malware obfuscation engine called BatCloak, which allows cybercriminals to effectively hide malicious code from antivirus solutions.

According to experts, with BatCloak attackers can easily download different families of malware and exploits through heavily obfuscated batch files. Of the 784 malware detected by researchers, almost 80% were not detected by any of VirusTotal’s antivirus engines.

Let me remind you that we also wrote that ChatGPT Has Become A New Tool For Cybercriminals In Social Engineering, and also that Russian Hacker Sells Terminator Tool That Is Allegedly Able To Bypass Any Antivirus Programs.

BatCloak is the basis for a batch file building tool called Jlaive that can bypass the Antimalware Scan Interface (AMSI) and compress and encrypt the main payload to increase evasion levels.

The Jlaive tool was published on GitHub and GitLab in September 2022 by a developer under the pseudonym ch2sh as “EXE to BAT crypter“. It has since been copied, modified and ported to other programming languages.

The final payload is a “three-layer loader” – a C# loader, a PowerShell loader, and a batch loader. The latter serves as the starting point for decoding and unpacking each stage, and ultimately launching the hidden virus.

Batcloak obfuscation engine
BatCloak attack chain

BatCloak has received many updates and adaptations since it first appeared in the wild (ITW). Its latest version is called ScrubCrypt and was isolated by Fortinet experts during an investigation into a cryptojacking operation by the 8220 gang.

The decision to move from an open framework to a closed one, made by the ScrubCrypt developer, can be explained by the achievements of previous projects, such as Jlaive, as well as the desire to monetize the project and protect it from unauthorized copying.Trend Micro experts suggested.

In addition, ScrubCrypt is designed to be compatible with various well-known malware families such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

The evolution of BatCloak highlights the flexibility and adaptability of this engine and highlights the development of batch file FUD obfuscators.the researchers concluded.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *