BatCloak Obfuscation Engine Used to Spread Malware Undetected
Since September 2022, a malware obfuscation engine known as BatCloak has been utilized to distribute different strains of malware without being detected by antivirus systems. Trend Micro researchers have stated that these samples allow threat actors to effortlessly load numerous malware families and exploits using highly obfuscated batch files. Notably, approximately 79.6% of the 784 artifacts discovered have remained undetected by all security solutions, indicating BatCloak's ability to evade traditional detection methods.
Batch Files Used to Obfuscate Payloads
The BatCloak engine plays a crucial role in a readily available batch file builder tool called Jlaive. Jlaive offers features such as bypassing the Antimalware Scan Interface (AMSI) and compressing and encrypting the main payload to evade security products. The open-source tool was initially shared on GitHub and GitLab in September 2022 by a developer named ch2sh and advertised as an "EXE to BAT crypter"; although it has since been removed, it has been cloned, modified, and ported to other programming languages such as Rust.
The final payload is concealed using three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader serves as the starting point, decoding and unpacking each stage in turn and ultimately triggering the hidden malware. Embedded within the batch loader are an obfuscated PowerShell loader and an encrypted C# stub binary. Researchers Peter Girnus and Aliakbar Zahravi explained that Jlaive uses BatCloak as a file obfuscation engine to obscure the batch loader and store it on disk.
BatCloak Updated Continuously
BatCloak has undergone multiple updates and adaptations since its appearance in the wild, with the latest version being ScrubCrypt. Fortinet FortiGuard Labs highlighted ScrubCrypt in connection with a cryptojacking campaign orchestrated by the 8220 Gang. Notably, ScrubCrypt is designed to be compatible with various well-known malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.