Since September 2022, various malware strains have been deployed using a fully undetectable (FUD) malware obfuscation engine known as BatCloak, consistently evading antivirus detection.
Trend Micro researchers stated that the samples enable “threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files.”
The cybersecurity company went on to say that, out of the 784 artifacts found, 79.6 percent have no detection in any security solution. This shows that BatCloak can get around traditional detection mechanisms.
The BatCloak engine forms the core of an off-the-shelf batch file builder tool called Jlaive, which comes with capabilities to bypass the Antimalware Scan Interface (AMSI) as well as compress and encrypt the primary payload to achieve heightened security evasion.
The open-source tool, advertised as an “EXE to BAT crypter,” was taken down from GitHub and GitLab in September 2022 by its developer, who goes by the name ch2sh. Since then, other actors have cloned it, modified it, and ported it to languages like Rust.
The final payload is wrapped in three loader layers: a batch loader, a PowerShell loader, and a C# loader. The batch loader is the entry point; each stage decodes and unpacks the next, until the hidden malware is finally detonated.
According to researchers Peter Girnus and Aliakbar Zahravi, “The batch loader contains an encrypted C# stub binary and an obfuscated PowerShell loader. In the end, Jlaive uses BatCloak as a file obfuscation engine to obfuscate and save the batch loader to disk.”
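As an added illustration, not code from Trend Micro, Jlaive or BatCloak, the script below builds a constructed three-stage sample with the same batch-to-PowerShell-to-C# layering and then peels the layers statically, the way an analyst would triage such a file without running it. The base64 encodings, the flag names and the regular expressions are assumptions chosen for illustration; BatCloak's actual obfuscation is not reproduced, and the embedded "C# stub" is a harmless placeholder.

```python
import base64
import re

# Constructed placeholder standing in for the encrypted C# stub (stage 3).
# Assumption for illustration only; not real malware and not BatCloak's format.
CSHARP_STUB = b"// stage 3: constructed C# placeholder\nclass Stub { static void Main() {} }"


def build_sample() -> str:
    """Construct a .bat that carries a PowerShell loader, which carries a C# blob.

    Layering mirrors the article (batch -> PowerShell -> C#); the plain base64
    wrapping is an assumption, used so the unwrapping below is easy to follow.
    """
    stage3 = base64.b64encode(CSHARP_STUB).decode()
    # Stage 2: PowerShell that would decode stage 3 (it only decodes here, nothing runs).
    ps_loader = f'$b=[Convert]::FromBase64String("{stage3}"); # stage 2 decodes stage 3'
    # Stage 1: batch file. powershell -EncodedCommand expects base64 of UTF-16LE text.
    enc = base64.b64encode(ps_loader.encode("utf-16le")).decode()
    return f"@echo off\r\npowershell -nop -w hidden -enc {enc}\r\n"


# Matches an encoded-command invocation on a batch line. Longest flag spelling first
# so the alternation does not stop early on a prefix; "-ep bypass" does not match
# because the flag must be followed by whitespace and then a base64 run.
ENC_RE = re.compile(
    r"powershell(?:\.exe)?[^\r\n]*?\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
# Matches the next-stage blob inside the decoded PowerShell (assumed pattern).
B64_RE = re.compile(r"FromBase64String\([\"']([A-Za-z0-9+/=]+)[\"']\)")


def unwrap_batch(bat_text: str) -> dict:
    """Peel the layers statically.

    Returns {'powershell': <decoded stage 2 or None>, 'csharp': <stage 3 bytes or None>}.
    Nothing is executed; each stage is only decoded and inspected.
    """
    result = {"powershell": None, "csharp": None}
    m = ENC_RE.search(bat_text)
    if not m:
        return result  # no encoded PowerShell stage found: not this loader shape
    # -EncodedCommand payloads are UTF-16LE; decode leniently so odd bytes do not abort triage.
    ps = base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    result["powershell"] = ps
    m2 = B64_RE.search(ps)
    if m2:
        result["csharp"] = base64.b64decode(m2.group(1))
    return result


if __name__ == "__main__":
    sample = build_sample()
    stages = unwrap_batch(sample)
    print("stage 1 (batch):\n", sample)
    print("stage 2 (PowerShell):\n", stages["powershell"])
    print("stage 3 (C# bytes):\n", stages["csharp"].decode())
```

Real samples will not hand over the next stage as a single clean base64 literal; the point of the script is the shape of the work, one decode per layer with the output of each layer becoming the input of the next, and a benign batch file coming back with both stages empty.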
Since its introduction into the wild, BatCloak is said to have undergone numerous updates and modifications. The most recent of these is ScrubCrypt, which was first highlighted by Fortinet FortiGuard Labs in connection with a cryptojacking operation carried out by the 8220 Gang.
According to the researchers, “the developer of ScrubCrypt’s decision to transition from an open-source framework to a closed-source model can be attributed to the achievements of prior projects such as Jlaive, as well as the desire to monetize the project and safeguard it against unauthorized replication.”
Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT are just a few of the well-known malware families that ScrubCrypt is designed to work with.
The researchers came to the following conclusion: “The evolution of BatCloak highlights the development of FUD batch obfuscators and highlights the flexibility and adaptability of this engine. This demonstrates the technique’s prevalence throughout the contemporary threat landscape.”