By: Peter Girnus, Aliakbar Zahravi
June 09, 2023
Read time: 3 min (681 words)
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.
In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.
This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.
Defying detection: A preview of BatCloak engine’s efficacy
We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.
Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.
Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.
Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.
Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below :
The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression BatCloak Indicators of Compromise (IOCs) SHA256 of Trojan.BAT.BATCLOAK.A: 4981e6c42e66972a94077e3407823e212b7499f4be14c18e32e446b6bd5566d6 02169ca4a1fcaec423fdf033794f88266f1dec691ee527f91d9ef444b9e8fd00 024121ce693560695ffbb31714145647039dd0a33c7a637614ee3d408dd88c9b 02cd4e343fdfe9246977bd997ae7faa91b469df0bc9ed4c20cc2fa7898cb54e3 036132bcdc00e75dd71b6cba78c976ec50a52fd1b891a4f873bde87269007e0d 05e50707fc035d4045f52538cbd40df61bfc342ce90578780f169b0148e9e48a 06ee424a019da7a98de8ce82fde4b37037fd59f5f72ed882f63e7d054515785c 0a485b2a30d7818cadedc4b5c8d6a04cee2b4e98d58e292c4f6febc25553a43f 0ce9c7a4bc46fe2f92adf194767f02b460283ebd2100a4c4b6d9c8c03f05cc51 0e44555e8804fc351ca7b5369fef719691ebe3ac2e2dee92abe1359b06327ec3 0ea6d6a7f9532f5d6f2f1438349587aae83b7d82f7e92b3daa2b51658183308a 0f379d61a334d1cce8b67940696c527bb76392bdfae9f41bd4ea159aa0e8794e 1264fbc6fb67678c410dcea283342189c3f5a62b2cebfbbef3e5e88cae40c299 1cbab58e69089b40b0eca4aafa33bfb734707885c9d482f58da7fd2f22fa3f07 1ff46fa8630fe6104b6b31e88b4227474faa5b4891952381d745f0b6c1194d9a 2705be6a7e9fe94d0c90127bdd5cd3677af9a713b99ffaa302cd03d835b5b193 2fca9a8b9c2843001dd1f7d668f94f4aef6cf9fbfe0968dabd38c59f7ad7bf1b 378eea991cec20b879983f25c03c72d9c6492759ff0306267bb0af1934cecb5b 3ac9136078f802199506b4ce532fd221201b15d7d4eb84ce8a5128409d821c46 50e7ddd4d1fd4d6f57e5a39f9e31f20ea967a032ab60458af63bb43c0996b67b 545fa399c3d25ddeb9b1ce7dff99faf86b761937681a02377f6b22bab6953f74 57b573189433839f49b3694fb9dde7d6361a70d0d6d01b8bb5c052ac35e64966 5b1d862533bf0c6eddf0add97fe1d91f24489c9d43dba021a6cd433465abe670 5dc6ddbadfe77dae58755ab3524b8366ac52d6e4b0636cd5e88a9ee83fec93dd 66fbf321cb983176ab327c9357ab6970235263ed1f363960aa512adb255ce327 6fb3642107a5e541be64be269c91de20f10b5aba238a3552c0815ca290f0035e 720ec08526839f9f558439edeb86b0e30ed782edf0cfcc9709157e9963801a5c 735e591c7e0667087aff75f9923a7653b4f9661838e947d842171c20773a8913 73630f5690a1882296878e02fb9ef6ca8ab5f85bc60305682a872096ab59685e 7d1b4c45622ec5efebe8d6ef266a8ff8499285162305f2eb8eb3d09362b032dd 7dfe5e29b6278ddefa27217c26e09cd70c9ce2c920e30dd8e11d29b161a59fad 83046ab10ae92c337f7837191014d6f4aa792575947ad2ebbbdde247edabffad 846d4cf9af2e431ca61a7378fca693acc8cdf31348ce3bb09917de12e8a3de95 895d8257fc523a824e2eaf5a62a94e3cf2a3b87b797f696aa028f8443dd7a5e1 8ae18fc31866c3a35ede249b97457598e78cb6a0988df1dd58b9ddb1f3e88c05 8cf47ef94a01172ac5ed78fa657a2406e199691df02d58630d9b845dfd05007c 8df68758b29abe5c0807cc74221617052a175619121c1b41c1462e2e2c12d080 943c7e473924ff1efd4925eb8f2bf745008365f0256567009e5eb6d6b2f17e65 978361f5cea5e7b2ff801b74ed02a7e0a57ed80ac37c01a403b0614e789765c4 9949481d6311a298b4de1ac0d24d85583c8386bd03dc69cbb5995de475859ebc 994a9f76be5355444056833e0fdf5f9408ce6a028578571caa7eaaeb7176d50d 9c51fec7f9c7217fbaffef2e9476b1c74c6f9abdcfd68f58009307d3a1ced344 a07e12074c4013ff9a16b41822b9c2025fd42c2a6bb749f2489d533c73257bea ab0e910f7470bbe3f612646e420836937bb26dbf87b2df48d47480d2835f384a abd92088dc5a7a67ed7f0f27fac6b90cd3042f9c1966b3ec35798e3cf9d0b4ec b0da1288c592b5710ec6e33f0af7dd69f3264e98c7fcdc0089e9a26e1ebf607a b12ce995e5f3bd33f290be5ccd80ba847fcbde0d41ea53b8cb9f7f7cb25ab98d b9077ca1640423f6b085d5b72e6bd0aac7877b6f40886db9f5e150cc5ca4bf9f bb505db4936541c964c4f8c59e520b89ce83db76564f57548eebe8630758888a c1e77860cd66a98f34ba4cf5bf55370d35bfba1950b6f79a84ab2f90c48fed86 c4ec0641549cdb66a8f9040a53d9ead724a0e2902866b43221e02c2c4fdcb900 c737111db0397904414e315dbe4604f1705b3cd7ee5579d6c0751752de25877d c9259d18c1ba7e446406e206e0769ed74acc55c0cf40608c3e3d3ef6cc0e56c7 cda4e8d85f718233b93c4cfad2c28d333ffec523ebd32b1af47b6fa7c26345e6 cf8d86c39f7e76c889b6409ed9477c7b91f9424f491fb835f3643d8d55d5fd9e d3fe2ae10b1c2dd2cf7339ba91bb4fac4454149361a3a9e8069901e3ea56ea8b d45b5fde0b10a7d8a3227fac8b7af6f01adc8e78d6adc350588b7cebdd1c5894 d84390808d5a83d58d6f5544f9a717e736be234d18b4b607d8b8e842fb935d24 d8cde0701032e03ff9739889872547325881383791961a67ddebf07f8b80ab6a d9afd0b9174140c001d6b0c60d02f5ba0469a14733a159c0e44045641b814aa1 daa08a205eec4e318c3f3eb6a001ec5ae16d3870ca1f05b3e8bb6838082910d9 de1356d868e63b027791957accaa3087f18901ae87eb01f6f09b7b88e6958e79 df5497ffb3b407397424ce7992ed62d8907d570668c79f9daef40863702349c0 e101b85439062a92773b046bee20d076513b81ddaa946c28096454c9fb934e19 f52ee895d9e8fd600ce4ea05d4a95443c8916af33a1b7b8b668007813fb61f8b f62a915f1add8b29ebea13db7bc9c9314557f579631d0bebc3dc7044eaf7bbd7 f6a31c5a33d8b8dd38f39e31f27a32616cef12340c5a1b5914f8105abd22a710 fddce59e2c24f44c73c9913ca2415ec95f5a92cb2d94426aa4f8821952f2ddc2 fff222ff3c259db64dbd18e9382cc47ce8577a4069ba05b6db11b6b52d654294