A sophisticated malware campaign dubbed OBSCURE#BAT has been discovered targeting users through deceptive tactics to deploy a user-mode rootkit capable of hiding malicious activities from detection. Security researchers from Securonix Threat Research team identified this stealthy operation which uses social engineering and fake software downloads to infect systems.
The campaign employs multiple initial infection vectors to trick users into executing malicious code. One primary method involves presenting victims with fake CAPTCHA verification pages that appear to be legitimate Cloudflare security checks. When users attempt to verify they are human by clicking a checkbox, malicious code is copied to their clipboard with instructions to paste it into the Windows Run dialog box.
Additionally, the attackers distribute the malware by masquerading as legitimate software, including SIP (VoIP) tools, Tor Browser, Adobe applications, and various messaging clients. These fake downloads contain obfuscated batch files that initiate the infection chain.
What makes OBSCURE#BAT particularly dangerous is its multi-layered approach to evade detection. The infection begins with highly obfuscated batch scripts exceeding 6MB in size, filled with thousands of lines of meaningless variables to thwart analysis. These scripts have consistently scored extremely low detection rates on virus scanning platforms, with most samples receiving only 0-2 detections.
The batch script initiates a complex sequence of PowerShell commands which deploy additional payloads while establishing persistence through multiple methods. A key component of this malware is its ability to inject malicious PowerShell code into the Windows Registry, creating values under specific keys that can be executed silently when called.
PowerShell obfuscation in Invoke-Expressions (Source Securonix)
"The malware stores obfuscated scripts in the Windows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background," the researchers explained. "Additionally, it modifies system registry keys to register a fake driver (ACPIx86.sys), further embedding itself into the system."
The most alarming aspect of this campaign is the deployment of a user-mode rootkit identified as r77. This rootkit has been modified to hide any files, registry keys, or processes that begin with the "$nya-" prefix. Through API hooking techniques, the malware renders its components invisible to standard Windows tools including Task Manager, Explorer, and command-line utilities.
Security researchers observed the malware creating hidden scheduled tasks marked with the "$nya-" prefix that remain undetectable through conventional means. These tasks ensure that the malware persists after system reboots and continues operating without detection.
The rootkit also enables the attackers to monitor user activities, including capturing clipboard content and command history, which is stored in encrypted files for later exfiltration. This data collection functionality allows the threat actors to steal sensitive information, including potentially capturing credentials or other valuable data.
While the identity of the threat actors behind OBSCURE#BAT remains unknown, telemetry data suggests the campaign primarily targets English-speaking users in regions including the United States, Canada, Germany, and the United Kingdom.
Security experts recommend maintaining vigilance against social engineering attacks, verifying software downloads come from legitimate sources, and being cautious of any CAPTCHA verification that requests execution of code. Organizations should implement robust endpoint monitoring to detect the unique behaviors associated with this malware campaign.
Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this.
You may also like these articles: Here are the 5 most contextually relevant blog posts:
Anthony Denis a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.