Securonix researchers have identified OBSCURE#BAT, an advanced malware campaign that targets English-speaking users through social engineering tactics. The campaign uses heavily obfuscated code and sophisticated rootkits to hide malicious activities on compromised systems. Attackers deploy fake CAPTCHA screens on typosquatted domains and trick users into running malicious batch files that initiate the infection. Once executed, the malware installs a user-mode rootkit, capable of hiding files, registry entries, and processes from standard detection methods.
The attack’s first infection vector involves fake Cloudflare CAPTCHA screens that lead users to execute malicious code.
The second method disguises malware as legitimate software downloads, including SIP software, Tor Browser, and Adobe applications. These methods allow the malware to evade detection by traditional antivirus tools, as it achieves a low detection rate on VirusTotal. The obfuscation techniques, including variable definitions and character substitutions, make it difficult for security solutions to identify the batch files as malicious.
Once deployed, the rootkit modifies system processes, registry entries, and files, making them invisible to common tools like Task Manager and Explorer. It uses API hooking techniques to hide malicious activity and creates hidden scheduled tasks that ensure the malware persists on the system. OBSCURE#BAT further embeds itself by installing a fake driver and monitoring user clipboard activity for later exfiltration.
This sophisticated malware hides its presence while enabling attackers to maintain control over infected systems.
Detecting OBSCURE#BAT is challenging due to its multi-layered evasion techniques, including AMSI bypassing and API hooking. Security experts recommend vigilance against social engineering attacks and ensuring software downloads are legitimate. Organizations should deploy endpoint logging solutions and monitor for signs of OBSCURE#BAT infections. As attackers develop increasingly sophisticated methods, defense-in-depth strategies, user education, and advanced monitoring are crucial to mitigating the risks posed by rootkit-based malware like OBSCURE#BAT.
