
Obfuscation tool ‘BatCloak’ evades 80% of AV engines


A batch file obfuscation tool dubbed “BatCloak” has an 80% success rate when it comes to allowing malicious BAT (batch) files to slip past antivirus detection engines. Researchers warn that tools using the BatCloak component are becoming increasingly popular with adversaries, making the already difficult task of detecting BAT files harder.

Malicious batch files are commonly used by attackers to infiltrate networks and computer systems. A BAT file is simply a text file containing a sequence of commands or scripts used to run legitimate Windows routines and launch applications. However, adversaries can craft hard-to-detect BAT files using obfuscation techniques that evade antivirus software. For example, the hacker collective known as TrickBot was well known for obfuscating batch scripts to plant malicious executables on systems.

According to a report released last week by Trend Micro, BAT files hidden by BatCloak demonstrate “a remarkable ability to persistently evade security solutions.”

“The vast majority of these samples gathered since 2022 are capable of persistently evading antivirus detection, granting threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files,” according to the full report (PDF).

FUD or FUD?

Researchers classify BatCloak as “fully undetectable malware,” or FUD. Trend Micro's use of the term should not be confused with the other FUD, a popular shorthand in information security circles for overhyped, underinformed analysis that spreads unnecessary fear, uncertainty and doubt.

“To achieve FUD status, a piece of malware might employ combined techniques such as encryption, obfuscation, and polymorphism,” Trend Micro researchers Peter Girnus and Aliakbar Zahravi wrote. “The goal of a piece of FUD malware is to remain completely undetected in compromised systems, allowing threat actors to carry out a wide range of malicious activities that include but are not limited to cyberespionage.”

Trend Micro said of the hundreds of sample BAT files collected from public repositories, 80% (or 784) “were not being detected by antivirus solutions.”

How BatCloak cloaks malicious scripts

Malicious BAT files have always been a challenge for antivirus engines. As one article put it, “batch scripts are too variable in order to write a working malicious script detector that catches new or ‘custom’ malware scripts. You're likely to see the AV catching anything particularly prolific, but almost certainly not anything new or custom.”
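To make that detection problem concrete, the following Python example, added for this article and not Trend Micro's code, scores a batch file against a few generic, long-known obfuscation indicators (caret-escape flooding, `%VAR:~n,m%` substring expansion, very long lines, non-ASCII padding). It does not reproduce BatCloak's own transformations, which the article does not describe; the thresholds and the two constructed sample scripts are assumptions chosen for illustration, not tuned detection rules.

```python
"""Heuristic scorer for obfuscated Windows batch (.bat/.cmd) files.

Added example for this article. It is not Trend Micro's code and not the
BatCloak algorithm (the article does not describe BatCloak's transformations).
The indicators are generic batch-obfuscation tells: caret (^) escape flooding,
%VAR:~start,len% substring expansion used to assemble commands letter by
letter, very long lines, and a high share of non-ASCII bytes. The thresholds
are assumptions chosen for illustration, not tuned detection rules.
"""
import re
from dataclasses import dataclass

# %name:~4,1% style substring expansion; non-capturing group so findall returns whole matches
SUBSTRING_RE = re.compile(r"%[A-Za-z0-9_]+:~-?\d+(?:,-?\d+)?%")
# Bytes a plain ASCII script is made of: tab, LF, CR and printable ASCII
ASCII_SCRIPT_RE = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]")

# Illustrative thresholds (assumptions, see module docstring)
CARET_RATIO_MAX = 0.05      # carets per non-whitespace character
SUBSTRING_MAX = 5           # %VAR:~n,m% expansions per file
LINE_LENGTH_MAX = 1000      # characters in the longest line
NON_ASCII_RATIO_MAX = 0.05  # share of bytes outside printable ASCII


@dataclass
class BatchIndicators:
    caret_ratio: float
    substring_expansions: int
    max_line_length: int
    non_ascii_ratio: float
    score: int  # how many indicators crossed their threshold (0-4)


def analyze_batch(raw: bytes) -> BatchIndicators:
    """Compute the indicators for one script. The script is only read, never run."""
    text = raw.decode("latin-1")  # one char per byte, so nothing is lost or altered
    non_space = sum(1 for c in text if not c.isspace())
    caret_ratio = text.count("^") / max(non_space, 1)
    substring_expansions = len(SUBSTRING_RE.findall(text))
    max_line_length = max((len(line) for line in text.splitlines()), default=0)
    ascii_bytes = len(ASCII_SCRIPT_RE.findall(raw))
    # Guard the empty file so it is not flagged as "all non-ASCII"
    non_ascii_ratio = (len(raw) - ascii_bytes) / len(raw) if raw else 0.0

    score = sum([
        caret_ratio > CARET_RATIO_MAX,
        substring_expansions > SUBSTRING_MAX,
        max_line_length > LINE_LENGTH_MAX,
        non_ascii_ratio > NON_ASCII_RATIO_MAX,
    ])
    return BatchIndicators(caret_ratio, substring_expansions, max_line_length,
                           non_ascii_ratio, score)


def is_suspicious(raw: bytes, min_score: int = 2) -> bool:
    """Triage verdict: two or more independent indicators is worth a closer look."""
    return analyze_batch(raw).score >= min_score


# Constructed samples (not real malware). BENIGN_SAMPLE is an ordinary admin
# script; OBFUSCATED_SAMPLE assembles "echo" and "dir" out of an alphabet
# variable and pads words with carets, which cmd.exe strips while parsing.
BENIGN_SAMPLE = b"""@echo off
set LOGDIR=C:\\logs
if not exist %LOGDIR% mkdir %LOGDIR%
xcopy /s /y C:\\app\\*.log %LOGDIR%\\
echo done
"""

OBFUSCATED_SAMPLE = (
    b"@e^c^h^o o^f^f\r\n"
    b"s^e^t a=abcdefghijklmnopqrstuvwxyz\r\n"
    b"set c=%a:~4,1%%a:~2,1%%a:~7,1%%a:~14,1%\r\n"   # e c h o
    b"%c% ^h^e^l^l^o ^w^o^r^l^d\r\n"
    b"s^e^t d=%a:~3,1%%a:~8,1%%a:~17,1%\r\n"          # d i r
    b"%d%\r\n"
    b"rem " + b"\xe9\xe8\xe7" * 20 + b"\r\n"          # non-ASCII padding in a comment
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        verdict = "suspicious" if is_suspicious(sample) else "clean"
        print(name, analyze_batch(sample), verdict)
```

Run as a script, the benign sample scores 0 and the obfuscated sample scores 3 (caret ratio, substring expansions and non-ASCII share all cross their thresholds; the long-line indicator does not fire). A score like this is a triage aid for quarantined files, not a verdict: expect false positives on scripts that echo non-ASCII text, and false negatives on any obfuscator that keeps its output under these simple measures, which is exactly why the article's point about signature-style batch detection stands.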

That said, BatCloak ups the ante, Trend Micro said, by turning the obfuscation tactic into an easy-to-use tool that adversaries of any skill level can leverage in attacks. Researchers tie BatCloak closely to another, now abandoned, BAT obfuscation tool called Jlaive.

“Jlaive is an antivirus evasion tool that can convert executables into undetectable batch files. Obfuscated .NET assemblies are not guaranteed to work,” according to a GitHub description of the tool. Trend Micro said that BatCloak is the core engine of Jlaive’s obfuscation algorithm, now repurposed. The BatCloak functionality is specifically tied to two source files in the Jlaive crimeware, LineObfuscation.cs and FileObfuscation.cs.

The two .cs source files work together to form the Jlaive obfuscation algorithm (which Trend Micro also calls BatCloak).

“The FileObfuscation.cs algorithm contains the logic responsible for obfuscating batch files. The code responsible is organized within the namespace BatCloak, containing a single class named FileObfuscation that contains the Process method,” researchers said.

While it appears the Jlaive code repository was abandoned, researchers “discovered that BatCloak was its own standalone repository.”

BatCloak used in ScrubCrypt malware toolkit

Threat actors behind Jlaive contributed to numerous iterations and adaptations of the BatCloak engine, according to Trend Micro. Other obfuscation projects include CryBat, Exe2Bat, SeroXen and, most recently, ScrubCrypt.

Unlike the open-source toolkit Jlaive, ScrubCrypt is closed-source. Researchers said this is an attempt by adversaries to better monetize ScrubCrypt and BatCloak and to dissuade unauthorized use by other criminals. Beyond the inclusion of the BatCloak obfuscation engine, ScrubCrypt is a pedestrian crime tool offering crimeware staples such as user account control (UAC) bypass and point-and-click options to plant a host of remote access trojan (RAT) malware families, such as SmokeLoader and VenomRAT, on targeted systems.

Trend Micro warns that adversaries will likely continue to push the highly effective BatCloak engine in future crime tools, and that the presence of BatCloak in numerous malware families is a compelling testament to the engine’s modularity.

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.
