By: Peter Girnus, Aliakbar Zahravi
June 15, 2023
Read time: 7 min (2020 words)

We looked into the documented behavior of SeroXen malware and noted the inclusion of the latest iteration of the batch obfuscation engine BatCloak to generate a fully undetectable (FUD) .bat loader. This is the second part of a three-part series documenting the abuse of BatCloak’s evasion capabilities and interoperability with other malware.

The recent rise of highly sophisticated malware’s ability to evade detection through fully undetectable (FUD) capabilities, low-cost financial accessibility, and minimal skill barriers have created a pervasive threat targeting online communities and organizations. One particular malware known as SeroXen has deployed an advanced, fully undetectable (FUD) technique via highly obfuscated batch files to infect victims with hVNC-(Hidden Virtual Network Computing) capable malware.

This entry is the second installment of a three-part series featuring BatCloak engine, its iterations, and inclusion in SeroXen malware as the main loading mechanism. The first entry, titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression,” looked into the beginnings and evolution of the BatCloak obfuscation engine. The third part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” analyzes the distribution mechanism of SeroXen and BatCloak, including the security impact and insights of FUD batch obfuscation. As of this writing, a quick online search for SeroXen will show top results for an official website and social media and sharing pages with videos on how to use the remote access trojan (RAT) as if it were a legitimate tool. We will go over these dissemination strategies in the subsequent entry.

SeroXen’s FUD batch patterns

To attain FUD status, the obfuscation patterns employed in SeroXen have shown multilayered tiers in its evolution, evolving from notable predecessors such as Jlaive, BatCloak, CryBat, Exe2Bat, and ScrubCrypt. Notably, the author of these FUD tools is acknowledged as a contributor in various instances, including attributions present on the main SeroXen website and forum posts authored by the individual behind SeroXen.

Examining the SeroXen infection chain

To successfully initiate the infection process, the targeted user is lured into executing a batch file. These lures are often presented as software-specific to enthusiast groups such as gaming communities. The infection process’ efficiency is enhanced because of the batch file’s FUD capability.

We found a compilation of compromised archives associated with cheats pertaining to prominent game titles. Each of these archives harbors a highly obfuscated batch file that serves as the infection vector initiating a SeroXen infection. Alarmingly, none of the archives exhibited any form of security solution detection. In most instances, these malicious archives are hosted on the Discord CDN (content delivery network) catering to specific interested communities, but they could also be hosted on any number of cloud storage options as well as special interest forums.

Taking a visual representation of a SeroXen sample submitted to a public repository under the false pretense of being a popular online video game cheat, the sample showcases the comprehensive concealment capabilities inherent. Through investigative analysis, we found a consistent pattern in the dimensions of SeroXen’s obfuscated batch files, which commonly exhibit sizes ranging from approximately 10MB to 15MB.

Analyzing the obfuscation patterns deployed by SeroXen

To develop a comprehensive understanding of the obfuscation algorithm utilized within SeroXen, we conducted an in-depth examination on a multitude of heavily obfuscated batch files. The figure sample exhibits an obfuscated SeroXen batch payload camouflaged under the guise of a Fortnite hack.

The batch obfuscation patterns implemented by the SeroXen FUD algorithm can be summarized as follows:

1. Suppression of console output through the inclusion of the directive “@echo off”
2. Utilization of sophisticated string manipulation techniques to obfuscate the initial “set” command
3. Assignment of the “set” command to a user-defined variable
4. Assignment of equal operations (“=”) to a user-defined variable
5. Utilization of steps 3 and 4 to assign values to the additional user-defined variables
6. Concatenation of variables at the conclusion of the obfuscation process to construct a command, which is subsequently executed

Furthermore, our investigation showed that the implementation of layered obfuscation techniques alongside the incorporation of superfluous code fragments or “junk code” were employed to impede the analysis of the batch file hindering detections.

Summary of commands executed during the SeroXen infection process

We break down the core commands concatenated and executed in order to infect the victim as follows:

1. Ensure all batch commands run are suppressed with “@echo off”
2. Copy the PowerShell executable from System32 to the current directory
3. Set the current directory
4. Name this copied PowerShell after the batch filename with an appended .exe, such as <mal_bat>.exe
5. Use the PowerShell command to decrypt and execute the encrypted payload
6. Build the final PowerShell command used to decrypt the final payload
7. Use the static operator to decrypt the final payload

Analyzing the deobfuscated SeroXen batch files

During our technical analysis of FUD-enabled SeroXen batch payloads, we were able to deobfuscate the commands associated with its execution and patch key points in its operation to dump the deobfuscated version.

If we compare the deobfuscated sample presented with the highly obfuscated sample (Figure 3), we can demonstrate the core function of the batch script: to generate a series of set commands in an obfuscated manner to evade detection. We see the result of the numerous obfuscated set commands in its deobfuscated equivalent. Throughout the obfuscated batch file, numerous variables are concatenated together to be executed.

Analyzing the final PowerShell decryption command

The PowerShell command to be executed in the FUD obfuscated batch file is a series of hidden PowerShell commands used to decrypt and deliver the .Net loader.

The deobfuscated sequence of PowerShell commands decrypt the payload and employ an assembly reflection mechanism to reflectively load it. The essential characteristics of the final sequence of PowerShell commands include:

1. Decode payload using Base64
2. Decrypt payload using AES OR XOR algorithm. In the case of AES:
   • Instantiate an AES decryption object with the cipher block chaining (CBC) mode
   • Use a Base64 blob for the key and IV
3. Unzip the payload
4. Reflectively load the payload

From the next figure, we demonstrate how the C# loader is decrypted from the deobfuscated batch files, after which we unzip the decrypted archive to drop the .Net binary.

We decoded the payload using Base64, which is then AES-decrypted using the deobfuscated Key and IV and finally gunzipped to reveal the .Net loader. This payload is then loaded into memory using reflection.

Deep dive into SeroXen builder

The SeroXen builder binary file is protected by the Agile .NET. After unpacking the functions and builder resources, this section shows that SeroXen is a modified version of Quasar RAT with a rootkit and other modifications, such as adopting the loader builder Jlaive and BatCloak obfuscation engine to generate a FUD .bat loader. The evolution and technical analysis of Jlaive and BatCloak was discussed in part 1 of this series.

As of this writing, SeroXen offers monthly and lifetime key options for purchase online, as well as instructions for using the RAT. We go over this in detail in the third installment of this series as part of the cybercriminals’ distribution strategies.

SeroXen payload generation process

Upon pressing the “build” button, the builder writes the user-given configuration to the pre-compiled file called “client.bin,” and this produces the Quasar RAT payload and passes it to a function called “Crypt.”  

The Crypt function employs the Jlaive crypter multi-stage loader generator and BatCloack obfuscator source code to produce undetectable loaders. This function first reads the Quasar RAT payload content and verifies if it is a valid .NET assembly. Crypt then patches some string and opcode within the binary and encrypts it using the AES algorithm with CBC cipher mode, and saves it as “payload.exe.” 

Much like a Jlaive crypter, the builder takes in user configuration and produces the first loader. This is achieved using a C# template file, “Quasar.Server.Stub.cs,” found embedded within its resources. The author has integrated an extra functionality in this adapted version of the Jlaive CreateCS function such as API unhooking.

Apiunhooker.dll is an open-source project called “SharpUnhooker,” which is a C#-based universal API unhooker that automatically Unhooks API Hives (i.e., ntdll.dll, kernel32.dll, advapi32.dll, and kernelbase.dll). This technique is used to attempt evading user-land monitoring done by antivirus technologies and/or endpoint detection and response (EDR) solutions by cleansing or refreshing API DLLs that loaded during the process.

The builder subsequently compiles the C# loader stub, adding necessary files and dependencies such as encrypted Quasart RAT (payload.exe) and SharpUnhooker (Apiunhooker.dll) to its resources. 

Next, the builder compresses the C# loader, encrypts it using AES/XOR (depending on the configuration), and encodes it in Base64. Finally, it creates a batch file and includes the encoded C# loader binary into it. It also manages the compression, decoding, and decryption processes using an obfuscated PowerShell script, which is also appended to the batch file.

The batch file’s role is to deobfuscate the PowerShell script and execute it. This PowerShell script scans the content of the batch file for the value following “::“, extracts this value, decodes it, decompresses it, decrypts it, and finally executes it in memory.

Two PowerShell templates, “Qusar.Server.AESStub.ps1” and “Quasar.Server.XORStub.ps1,” exist in the resource section of the builder. Depending on the configuration, one of these will be loaded and utilized.

Conclusion

In this entry, we include a Yara rule that organizations and security teams can use to detect SeroXen obfuscated batch files. Additionally, here’s a PowerShell script that can reveal the final deobfuscated batch file and commands to be run. It is critically important that this PowerShell script be run in an isolated malware sandbox. This script can be used to deobfuscate the SeroXen batch file where security teams can inspect its output file for the PowerShell command to be executed in the deobfuscation routine. By inspecting this deobfuscated payload, the analyst can grab the Key and IV from the PowerShell command to decrypt the final payload.

Overall, SeroXen is a full-feature remote administration tool (RAT) coded in C# and built using a combination of various open-source projects that work together to generate a FUD payload. Reports have emerged of SeroXen being abused for several infections and attacks. We foresee the evolved BatCloak engine at the core of SeroXen’s FUD capabilities as the BatCloak obfuscation engine continues to evolve and be used as a FUD tool for future malware attacks.

Individuals are strongly advised to adopt a skeptical stance when encountering links and software packages associated with terms such as “cheats,” “hacks,” “cracks,” and other pieces of software related to gaining a competitive edge. Users, developers, gamers, and enthusiasts are also advised to exercise caution when executing batch files obtained from the internet. Additionally, organizations are encouraged to stay vigilant against phishing attacks that might attempt to entice users to download and run batch installers (e.g., scripting and automation of repetitive tasks).

Organizations should consider employing a cutting edge multilayered defensive strategy and comprehensive security solutions, such as Trend Micro™ XDR, that can detect, scan, and block malicious content such as SeroXen and BatCloak across the modern threat landscape. An extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Learn more about how the Zero Day Initiative (ZDI) bug bounty program rewards researchers for responsible vulnerability disclosure as well as protects organizations globally and stay up to date on the latest news regarding mission critical security patches.

Source :
https://www.trendmicro.com/en_us/research/23/f/seroxen-incorporates-latest-batcloak-engine-iteration.html

By: Peter Girnus, Aliakbar Zahravi
June 09, 2023
Read time: 3 min (681 words)

We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.

^{UPDATE as of 6/15/2023 7:30PM (PHT): We’ve updated this entry to include indicators of compromise (IOCs) for BatCloak.}

In our recent investigation, we discovered the use of heavily obfuscated batch files utilizing the advanced BatCloak engine to deploy various malware families at different instances. Running analysis and sample collection from September 2022 to June 2023, we found that these batch files are designed to be fully undetectable (FUD) and have demonstrated a remarkable ability to persistently evade security solutions. As a result, threat actors can load various malware families and exploits by leveraging highly obfuscated batch files seamlessly. Our initial research titled “The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression” delves into the continuing evolution of BatCloak, uncovering the modifications that have propelled modern malware to new levels of security evasion.

This is the first entry in a three-part technical research series taking an in-depth look at the continuing evolution of the highly evasive batch obfuscation engine BatCloak. The second part of this series, “SeroXen Incorporates Latest BatCloak Engine Iteration,” will look into the remote access trojan (RAT) SeroXen, a piece of malware gaining popularity for its stealth and, in its latest iterations, targets gamers, enthusiast communities, and organizations. Aside from the RAT’s own tools, we will look into the updated BatCloak engine included as SeroXen’s loading mechanism. The third and last part of this series, “SeroXen Mechanisms: Exploring Distribution, Risks, and Impact,” will detail the distribution mechanisms of SeroXen and BatCloak. We also include our security insights on the community and demographic impact of this level of sophistication when it comes to batch FUD obfuscation.

Defying detection: A preview of BatCloak engine’s efficacy

We analyzed hundreds of batch samples sourced from a public repository. The results showed a staggering 80% of the retrieved samples exhibiting zero detections from security solutions. This finding underscores the ability of BatCloak to evade traditional detection mechanisms employed by security providers. Moreover, when considering the overall sample set of 784, the average detection rate was less than one, emphasizing the challenging nature of identifying and mitigating threats associated with BatCloak-protected pieces of malware.

Understanding the evolving landscape of advanced malware techniques such as FUD obfuscator BatCloak enables us to develop more effective strategies for combating the ever-evolving threats posed by these sophisticated adversaries. These findings highlight the pressing need for enhanced approaches to malware detection and prevention, such as a cutting-edge multilayered defensive strategy and comprehensive security solutions.

Security teams and organizations are advised to exercise a zero-trust approach. Teams should implement solutions capable of combining multiple rules, filters, and analysis techniques, including data stacking and machine learning to address the need for precise detection, as these tools can analyze individual and dynamic file signatures and observe patterns via heuristics and behavioral analysis. When uncertain of intrusions, behaviors, and routines, assume compromise or breach immediately to isolate affected artifacts or tool chains. With a broader perspective and rapid response, an organization can address these and keep the rest of its systems protected. Multilayered technologies and solutions, such as Trend Micro XDR™️, efficiently monitor, detect, and block tiered threats and attacks, as well as their clones and modified versions.

Instead of marking the end of an infection or an attack prior to the target because of siloed solutions, an extended detection and response capability across endpoint, servers, workloads, email, network, cloud, and identity observed from a single platform like Trend Vision One™️ can mitigate these risks by considering adversarial tactics, techniques, and procedures (TTPs) to profile the entirety of a routine. Trend Vision One also correlates with a connected threat intelligence system and rapidly prioritizes and responds with the necessary security and defensive actions as far left of the routine as possible.

Download the first part of our analysis on BatCloak engine here, and the indicators of compromise (IOCs) here and below :

The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression

BatCloak Indicators of Compromise (IOCs)

SHA256 of Trojan.BAT.BATCLOAK.A:

4981e6c42e66972a94077e3407823e212b7499f4be14c18e32e446b6bd5566d6
02169ca4a1fcaec423fdf033794f88266f1dec691ee527f91d9ef444b9e8fd00
024121ce693560695ffbb31714145647039dd0a33c7a637614ee3d408dd88c9b
02cd4e343fdfe9246977bd997ae7faa91b469df0bc9ed4c20cc2fa7898cb54e3
036132bcdc00e75dd71b6cba78c976ec50a52fd1b891a4f873bde87269007e0d
05e50707fc035d4045f52538cbd40df61bfc342ce90578780f169b0148e9e48a
06ee424a019da7a98de8ce82fde4b37037fd59f5f72ed882f63e7d054515785c
0a485b2a30d7818cadedc4b5c8d6a04cee2b4e98d58e292c4f6febc25553a43f
0ce9c7a4bc46fe2f92adf194767f02b460283ebd2100a4c4b6d9c8c03f05cc51
0e44555e8804fc351ca7b5369fef719691ebe3ac2e2dee92abe1359b06327ec3
0ea6d6a7f9532f5d6f2f1438349587aae83b7d82f7e92b3daa2b51658183308a
0f379d61a334d1cce8b67940696c527bb76392bdfae9f41bd4ea159aa0e8794e
1264fbc6fb67678c410dcea283342189c3f5a62b2cebfbbef3e5e88cae40c299
1cbab58e69089b40b0eca4aafa33bfb734707885c9d482f58da7fd2f22fa3f07
1ff46fa8630fe6104b6b31e88b4227474faa5b4891952381d745f0b6c1194d9a
2705be6a7e9fe94d0c90127bdd5cd3677af9a713b99ffaa302cd03d835b5b193
2fca9a8b9c2843001dd1f7d668f94f4aef6cf9fbfe0968dabd38c59f7ad7bf1b
378eea991cec20b879983f25c03c72d9c6492759ff0306267bb0af1934cecb5b
3ac9136078f802199506b4ce532fd221201b15d7d4eb84ce8a5128409d821c46
50e7ddd4d1fd4d6f57e5a39f9e31f20ea967a032ab60458af63bb43c0996b67b
545fa399c3d25ddeb9b1ce7dff99faf86b761937681a02377f6b22bab6953f74
57b573189433839f49b3694fb9dde7d6361a70d0d6d01b8bb5c052ac35e64966
5b1d862533bf0c6eddf0add97fe1d91f24489c9d43dba021a6cd433465abe670
5dc6ddbadfe77dae58755ab3524b8366ac52d6e4b0636cd5e88a9ee83fec93dd
66fbf321cb983176ab327c9357ab6970235263ed1f363960aa512adb255ce327
6fb3642107a5e541be64be269c91de20f10b5aba238a3552c0815ca290f0035e
720ec08526839f9f558439edeb86b0e30ed782edf0cfcc9709157e9963801a5c
735e591c7e0667087aff75f9923a7653b4f9661838e947d842171c20773a8913
73630f5690a1882296878e02fb9ef6ca8ab5f85bc60305682a872096ab59685e
7d1b4c45622ec5efebe8d6ef266a8ff8499285162305f2eb8eb3d09362b032dd
7dfe5e29b6278ddefa27217c26e09cd70c9ce2c920e30dd8e11d29b161a59fad
83046ab10ae92c337f7837191014d6f4aa792575947ad2ebbbdde247edabffad
846d4cf9af2e431ca61a7378fca693acc8cdf31348ce3bb09917de12e8a3de95
895d8257fc523a824e2eaf5a62a94e3cf2a3b87b797f696aa028f8443dd7a5e1
8ae18fc31866c3a35ede249b97457598e78cb6a0988df1dd58b9ddb1f3e88c05
8cf47ef94a01172ac5ed78fa657a2406e199691df02d58630d9b845dfd05007c
8df68758b29abe5c0807cc74221617052a175619121c1b41c1462e2e2c12d080
943c7e473924ff1efd4925eb8f2bf745008365f0256567009e5eb6d6b2f17e65
978361f5cea5e7b2ff801b74ed02a7e0a57ed80ac37c01a403b0614e789765c4
9949481d6311a298b4de1ac0d24d85583c8386bd03dc69cbb5995de475859ebc
994a9f76be5355444056833e0fdf5f9408ce6a028578571caa7eaaeb7176d50d
9c51fec7f9c7217fbaffef2e9476b1c74c6f9abdcfd68f58009307d3a1ced344
a07e12074c4013ff9a16b41822b9c2025fd42c2a6bb749f2489d533c73257bea
ab0e910f7470bbe3f612646e420836937bb26dbf87b2df48d47480d2835f384a
abd92088dc5a7a67ed7f0f27fac6b90cd3042f9c1966b3ec35798e3cf9d0b4ec
b0da1288c592b5710ec6e33f0af7dd69f3264e98c7fcdc0089e9a26e1ebf607a
b12ce995e5f3bd33f290be5ccd80ba847fcbde0d41ea53b8cb9f7f7cb25ab98d
b9077ca1640423f6b085d5b72e6bd0aac7877b6f40886db9f5e150cc5ca4bf9f
bb505db4936541c964c4f8c59e520b89ce83db76564f57548eebe8630758888a
c1e77860cd66a98f34ba4cf5bf55370d35bfba1950b6f79a84ab2f90c48fed86
c4ec0641549cdb66a8f9040a53d9ead724a0e2902866b43221e02c2c4fdcb900
c737111db0397904414e315dbe4604f1705b3cd7ee5579d6c0751752de25877d
c9259d18c1ba7e446406e206e0769ed74acc55c0cf40608c3e3d3ef6cc0e56c7
cda4e8d85f718233b93c4cfad2c28d333ffec523ebd32b1af47b6fa7c26345e6
cf8d86c39f7e76c889b6409ed9477c7b91f9424f491fb835f3643d8d55d5fd9e
d3fe2ae10b1c2dd2cf7339ba91bb4fac4454149361a3a9e8069901e3ea56ea8b
d45b5fde0b10a7d8a3227fac8b7af6f01adc8e78d6adc350588b7cebdd1c5894
d84390808d5a83d58d6f5544f9a717e736be234d18b4b607d8b8e842fb935d24
d8cde0701032e03ff9739889872547325881383791961a67ddebf07f8b80ab6a
d9afd0b9174140c001d6b0c60d02f5ba0469a14733a159c0e44045641b814aa1
daa08a205eec4e318c3f3eb6a001ec5ae16d3870ca1f05b3e8bb6838082910d9
de1356d868e63b027791957accaa3087f18901ae87eb01f6f09b7b88e6958e79
df5497ffb3b407397424ce7992ed62d8907d570668c79f9daef40863702349c0
e101b85439062a92773b046bee20d076513b81ddaa946c28096454c9fb934e19
f52ee895d9e8fd600ce4ea05d4a95443c8916af33a1b7b8b668007813fb61f8b
f62a915f1add8b29ebea13db7bc9c9314557f579631d0bebc3dc7044eaf7bbd7
f6a31c5a33d8b8dd38f39e31f27a32616cef12340c5a1b5914f8105abd22a710
fddce59e2c24f44c73c9913ca2415ec95f5a92cb2d94426aa4f8821952f2ddc2
fff222ff3c259db64dbd18e9382cc47ce8577a4069ba05b6db11b6b52d654294

Source :
https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-obfuscation-engine-batcloak.html