A batch-file obfuscation engine known as BatCloak has been in use since September 2022 to distribute a range of malware families while evading detection by antivirus products.
According to researchers from Trend Micro, the samples allow “threat actors to effortlessly load numerous families of malware and exploits using heavily obfuscated batch files.” The cybersecurity company further revealed that approximately 79.6% of the 784 artifacts discovered remained undetected by all security solutions, emphasizing the capability of BatCloak to bypass conventional detection mechanisms.
The BatCloak engine sits at the core of Jlaive, an off-the-shelf batch file builder. The tool lets users bypass the Antimalware Scan Interface (AMSI), compress and encrypt the primary payload, and wrap the result in a loader built to slip past security products.
Jlaive was released as an open-source tool on GitHub and GitLab in September 2022 by a developer using the handle ch2sh and marketed as an "EXE to BAT crypter." Since then, other actors have cloned and modified it and ported it to languages such as Rust.
The final payload is wrapped in three loader layers: a C# loader, a PowerShell loader, and a batch loader. Execution begins with the batch loader, which decodes and unpacks each subsequent stage until the concealed malware is launched.
“The batch loader consists of an obfuscated PowerShell loader and an encrypted C# stub binary,” researchers Peter Girnus and Aliakbar Zahravi explained. “In the end, Jlaive utilizes BatCloak as a file obfuscation engine to obscure the batch loader and store it on a disk.”
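Peeling a layered batch loader of the kind described above is mostly a matter of undoing cmd's own tricks before looking for the PowerShell stage. The Python script below is an added example and is not code from Trend Micro, Jlaive or BatCloak: it runs a small static triage over a constructed batch file that imitates only the generic layering the article describes (a batch loader that assembles the word "powershell" from environment variables and caret escapes, passes an -EncodedCommand argument, and stores a long high-entropy blob in a variable). The sample file, its variable names, the hidden PowerShell stage and the entropy thresholds are all assumptions for the demonstration; the real engine's layout is not shown on this page.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# --- Constructed sample input ------------------------------------------------
# This imitates only the generic layering the article describes (a batch
# loader hiding a PowerShell stage and an encoded blob). It is NOT a BatCloak
# or Jlaive artifact; its exact layout is an assumption made for this demo.

def ps_encode(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Deterministic pseudo-random bytes stand in for an encrypted next-stage blob.
_BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(24))
).decode("ascii")

# The hidden PowerShell stage reads the blob back out of the batch variable.
_PS_STAGE = ("$s=[Text.Encoding]::UTF8.GetString("
             "[Convert]::FromBase64String($env:blob));IEX $s")

SAMPLE_BAT = (
    "@echo off\r\n"
    'set "p=pow"\r\n'
    "set q=er^sh\r\n"            # '^' is cmd's escape character: er^sh -> ersh
    'set "r=ell"\r\n'
    f'set "blob={_BLOB}"\r\n'
    f"%p%%q%%r% -nop -w hidden -ep bypass -enc {ps_encode(_PS_STAGE)}\r\n"
)

# --- Triage logic ------------------------------------------------------------
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_][A-Za-z0-9_]*)=([^"\r\n]*)"?\s*$', re.I)
VAR_RE = re.compile(r"[%!]([A-Za-z_][A-Za-z0-9_]*)[%!]")    # %var% and !var!
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)
CARET_RE = re.compile(r"\^(.)")

BLOB_MIN_LEN = 512       # heuristic thresholds (assumed values, tune per corpus)
BLOB_MIN_ENTROPY = 5.5   # bits/byte; base64 of random data approaches 6.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strip_carets(line: str) -> str:
    """Remove cmd's '^' escapes so p^o^w^e^r reads as power."""
    return CARET_RE.sub(r"\1", line)


def expand(line: str, env: dict) -> str:
    """Substitute %var%/!var! with values seen in earlier 'set' lines (case-insensitive)."""
    return VAR_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def decode_encoded_command(b64: str):
    """Return the script behind an -EncodedCommand argument, or None if it is not one."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch.isspace() for ch in text):
        return text
    return None


def triage_batch(text: str) -> dict:
    """Walk a batch file line by line, emulating variable expansion, and report
    (1) lines where 'powershell' only appears after expansion/de-escaping,
    (2) decoded -EncodedCommand payloads, (3) long high-entropy lines."""
    env = {}
    findings = {"split_powershell": [], "encoded_commands": [], "high_entropy_lines": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        expanded = expand(strip_carets(raw), env)
        m = SET_RE.match(expanded)
        if m:
            env[m.group(1).lower()] = m.group(2)
        if "powershell" in expanded.lower() and "powershell" not in raw.lower():
            findings["split_powershell"].append(lineno)
        for em in ENC_RE.finditer(expanded):
            script = decode_encoded_command(em.group(1))
            if script is not None:
                findings["encoded_commands"].append((lineno, script))
        if len(raw) >= BLOB_MIN_LEN and shannon_entropy(raw.encode("utf-8")) > BLOB_MIN_ENTROPY:
            findings["high_entropy_lines"].append(lineno)
    return findings


if __name__ == "__main__":
    for key, value in triage_batch(SAMPLE_BAT).items():
        print(key, value)
```

The emulation is deliberately shallow (plain `set`, `%var%`/`!var!` expansion and caret escapes, no `set /a`, substring syntax or `call` tricks), which is enough to surface the three signals a first-pass detector wants: the PowerShell invocation that never appears literally, the decoded stage it launches, and the oversized blob the next stage will decrypt. Anything the emulator cannot resolve stays as-is in the expanded line, so a miss degrades to "no finding" rather than a crash.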
BatCloak has undergone numerous updates and adaptations since its emergence, the most recent being ScrubCrypt, which Fortinet FortiGuard Labs first highlighted in connection with a crypto-jacking operation run by the 8220 Gang.
The researchers noted that the move from an open-source framework to a closed-source model, as seen with ScrubCrypt, can be attributed to the success of earlier projects such as Jlaive and to the aim of monetizing the project while protecting it against unauthorized replication.
ScrubCrypt is also built to work with a range of well-known malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.
“The evolution of BatCloak demonstrates the flexibility and adaptability of this engine, highlighting the development of fully undetectable batch obfuscators,” concluded the researchers. “This showcases the prevalence of this technique in the contemporary threat landscape.”