Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable

silversurfer

A fully undetectable (FUD) malware obfuscation engine named BatCloak is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection.

The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers said.

About 79.6% of the total 784 artifacts unearthed have no-detection across all security solutions, the cybersecurity firm added, highlighting BatCloak's ability to circumvent traditional detection mechanisms.

The BatCloak engine forms the crux of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion.

The open-source tool, although taken down since it was made available via GitHub and GitLab in September 2022 by a developer named ch2sh, has been advertised as an "EXE to BAT crypter." It has since been cloned and modified by other actors and ported to languages such as Rust.

The final payload is encapsulated using three loader layers – a C# loader, a PowerShell loader, and a batch loader – the last of which acts as a starting point to decode and unpack each stage and ultimately detonate the concealed malware.

"The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary," researchers Peter Girnus and Aliakbar Zahravi said. "In the end, Jlaive uses BatCloak as a file obfuscation engine to obfuscate the batch loader and save it on a disk."

silversurfer

Kaspersky's "System Watcher" by default does prevent/block most attacks even by sophisticated malware.

You can also tweak for increased protection in K. paid versions, formerly named Application Control, current name: Intrusion Prevention.

I see your new thread, you just should check/read the links shared by our forum members:
Xeno1234

Kaspersky's "System Watcher" by default does prevent/block most attacks even by sophisticated malware.

You can also tweak for increased protection in K. paid versions, formerly named Application Control, current name: Intrusion Prevention.

I see your new thread, you just should check/read the links shared by our forum members:
I assume Kaspersky blocks most of these, but then again no software is perfect.

ForgottenSeer 97327

Disabled CMD (and cmd and bat scripts) since 2019 without problems. Time to put this dinosaur command shell introduced in the first Windows NT version 30 years ago to the grave o_O:oops::cool:

Just enable all protections in Microsoft Defender Exploit Protection (also works when you use a third-party antivirus).

Xeno1234

Disabled CMD (and cmd and bat scripts) since 2019 without problems. Time to put this dinosaurus command shell introduced in the first Windows NT version 30 years ago to the grave o_O:oops::cool:

Just enable all protections in Microsoft Defender Exploit Protection (also works when you use a third-party antivirus). .
That works and doesn't cause issues?

Andy Ful

Also, how do you do it lol?
This one is enough to block most console applications via Exploit Protection (run from the PowerShell Administrator console):

Code:
Set-ProcessMitigation -Name program.exe -Enable DisableWin32kSystemCalls

Back to allowing program.exe:
Code:
Set-ProcessMitigation -Name program.exe -Disable DisableWin32kSystemCalls

This can also be done from Security Center by enabling the mitigation "Disable Win32k system calls" for the application program.exe (Add by program name). If you change program ---> cmd, the cmd console will be blocked. The same can be done for most LOLBins.

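The Set-ProcessMitigation approach above, extended to a small script that applies the same "Disable Win32k system calls" mitigation to several console LOLBins, reads the setting back to confirm it took effect, and can revert it. This is an added example, not code from the thread or from Hard_Configurator; it assumes an elevated PowerShell on Windows 10/11 with the built-in ProcessMitigations module, that Get-ProcessMitigation exposes the setting as .SystemCall.DisableWin32kSystemCalls (values ON / OFF / NOTSET), and the target list is a constructed sample.

```powershell
# Added example (not from the thread). Blocks console LOLBins system-wide via
# Exploit Protection, verifies the per-process setting, and can undo it.
# Usage:  .\Block-Win32k.ps1            (apply)
#         .\Block-Win32k.ps1 -Revert    (remove)
param(
    # Constructed sample list; any image name the thread calls a LOLBin fits here.
    [string[]] $Targets = @('cmd.exe', 'wscript.exe', 'cscript.exe'),
    [switch]   $Revert
)

function Set-Win32kBlock {
    param([string] $Name, [switch] $Revert)

    if ($Revert) {
        # Same call as the thread's "back to allowing" line.
        Set-ProcessMitigation -Name $Name -Disable DisableWin32kSystemCalls
    } else {
        # Same call as the thread's blocking line; -Name matches any process
        # with this image name, so every cmd.exe instance is affected.
        Set-ProcessMitigation -Name $Name -Enable DisableWin32kSystemCalls
    }

    # Read the setting back instead of assuming the change applied.
    # Assumption: the property path below matches Get-ProcessMitigation's output.
    $state = (Get-ProcessMitigation -Name $Name).SystemCall.DisableWin32kSystemCalls

    [pscustomobject]@{
        Process                  = $Name
        DisableWin32kSystemCalls = $state
        Expected                 = if ($Revert) { 'OFF' } else { 'ON' }
    }
}

$Targets |
    ForEach-Object { Set-Win32kBlock -Name $_ -Revert:$Revert } |
    Format-Table -AutoSize
```

Blocking cmd.exe this way also stops legitimate batch files (installers, logon scripts), so check the verification table and keep the -Revert path handy before rolling it out broadly.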
