BatCloak Slips Batch Files Past AV and EDR Detection
Malware developers are adopting an easy-to-use obfuscation tool that slips malware past antivirus, warn security researchers.
A batch file obfuscation engine known as BatCloak requires minimal programming skills to use. Among its recent successes is a remote access Trojan dubbed SeroXen, which researchers from multiple firms say resists detection by antivirus and endpoint detection and response (EDR) tools.
A SeroXen sample analyzed by AT&T in May triggered zero detections on VirusTotal. Analysis published by Trend Micro earlier this month, covering hundreds of infected batch file samples taken from a public repository, concluded that BatCloak shielded 80% of the files from detection by security software. Batch files, often designated with a .bat extension, are plain text files containing scripts for a command-line interpreter.
SeroXen showed up in late 2022 and retailed for $30 a month or $60 outright. It is a variation of the well-established Quasar RAT, AT&T reported. The hacker apparently behind SeroXen used a still-active website, seroxen.net, to distribute the Trojan, although the site currently says sales are suspended “as of now.” The site marketed the malware as “fully undetectable,” or “FUD.”
Trend Micro on Thursday released analysis that says one of the techniques BatCloak uses to hide SeroXen from detection is sophisticated string manipulation, which obscures the malware’s use of the Windows command prompt to define environment variables through the
SeroXen concatenates variables together to execute a command, a method malware coders use to keep malicious commands from being detected. It ultimately uses obfuscated PowerShell commands to decrypt and deliver a
.bat loader first came to researchers’ attention as the obfuscation engine of Jlaive, an open-source batch file builder that began circulating among hackers in 2022. Trend Micro says the most recent version of the BatCloak engine is being sold as “ScrubCrypt.” Its developer’s decision to sell access rather than debut a new open-source tool is likely due to the success of Jlaive “as well as the desire to monetize the project and safeguard it against unauthorized replication.”
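The variable-concatenation technique the article describes (many `set` assignments followed by a command line built almost entirely from `%var%` expansions) leaves a measurable footprint that a triage script can score. The following heuristic is an added example for defenders, not code from the article, Trend Micro or AT&T; the two batch samples and the thresholds are constructed for illustration, and a real deployment would tune them against a clean corpus.

```python
import re
from dataclasses import dataclass

# A `set name=value` or `set "name=value"` assignment at the start of a line.
SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=', re.IGNORECASE | re.MULTILINE)
# A %var% expansion, optionally with a substring selector such as %var:~2,1%.
EXPAND_RE = re.compile(r'%[A-Za-z_]\w*(?::~-?\d+(?:,-?\d+)?)?%')


@dataclass
class BatScore:
    set_count: int                 # number of variable assignments in the file
    max_expansions_per_line: int   # most %var% expansions seen on one non-set line
    max_expansion_ratio: float     # share of a non-set line made up of expansions
    suspicious: bool


def score_batch(text: str, min_sets: int = 5, min_expansions: int = 4,
                min_ratio: float = 0.5) -> BatScore:
    """Flag batch scripts whose commands are assembled from many variables."""
    set_count = len(SET_RE.findall(text))
    max_exp, max_ratio = 0, 0.0
    for line in (l for l in text.splitlines() if l.strip()):
        if SET_RE.match(line):
            continue                      # assignments themselves are not the command
        matches = EXPAND_RE.findall(line)
        if not matches:
            continue
        max_exp = max(max_exp, len(matches))
        covered = sum(len(m) for m in matches)
        max_ratio = max(max_ratio, covered / len(line.strip()))
    suspicious = (set_count >= min_sets and max_exp >= min_expansions
                  and max_ratio >= min_ratio)
    return BatScore(set_count, max_exp, round(max_ratio, 2), suspicious)


# Constructed benign script: one variable, used once inside a normal command line.
PLAIN_SAMPLE = r"""@echo off
set LOGDIR=C:\logs
echo Backup starting > %LOGDIR%\backup.log
xcopy C:\data D:\backup /E /Y
"""

# Constructed illustration of the pattern: a harmless command ("echo hello, world")
# split into fragments and reassembled purely from variable expansions.
OBFUSCATED_SAMPLE = """@echo off
set x1=ec
set x2=ho
set x3= hel
set x4=lo, wor
set x5=ld
%x1%%x2%%x3%%x4%%x5%
"""

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, score_batch(sample))
```

The ratio check matters more than the raw count: legitimate scripts also expand variables, but rarely build an entire command line out of nothing but expansions.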