A fresh malware strategy has been observed employing social architectural tactics to provide an open-source rootkit called .
The action, condemned OBSCURE#BAT by Securonix, enables danger actors to create persistence and escape detection on affected systems. It’s now never known who is behind the strategy.
The rootkit “has the ability to cloak or face any record, registration code or process beginning with a particular prefix”, security researchers Den Iuzvyk and Tim Peck in a report shared with The Hacker News. ” It has been targeting people by either masquerading as legitimate program files or via fake login social executive schemes”.
The plan is designed to largely targeted English-speaking individuals, particularly the United States, Canada, Germany, and the United Kingdom.
OBSCURE#BAT gets its name from the fact that the starting point of the attack is an opaque Windows sample script that, in turn, performs PowerShell commands to activate a multi-stage process that results in the implementation of the rootkit.
At least two different original access routes have been identified to get users to execute the malignant batch scripts: One which uses the infamous strategy by directing users to a false Cloudflare CAPTCHA verification page and a second method that employs advertising the malware as genuine tools like Tor Browser, VoIP software, and messaging clients.
While it’s not clear how users are lured to the booby-trapped software, it’s suspected to involve tried-and-tested approaches like malvertising or search engine optimization ( SEO ) poisoning.
Regardless of the method used, the first-stage payload is an archive containing the batch script, which finally invokes PowerShell commands to cut more scripts, make Windows Registry modifications, and set up planned tasks for persistence.
” The malware stores obfuscated scripts in the Windows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background”, the researchers said. ” Additionally, it modifies system registry keys to register a fake driver (ACPIx86. sys ), further embedding itself into the system”.
Deployed over the course of the attack is a.NET payload that employs a bevy of tricks to evade detection. This includes control-flow obfuscation, string encryption, and using function names that mix Arabic, Chinese, and special characters.
Another payload loaded by means of PowerShell is an executable that makes use of Antimalware Scan Interface ( ) patching to bypass antivirus detections.
The.NET payload is ultimately responsible for dropping a system-mode rootkit named “ACPIx86. sys” into the” C: WindowsSystem32Drivers ” folder, which is then launched as a service. Also delivered is a user-mode rootkit referred to as r77 for setting up persistence on the host and hiding files, processes, and registry keys matching the pattern ($ nya-).
The malware further periodically monitors for clipboard activity and command history and saves them into hidden files for likely exfiltration.
” OBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection”, the researchers said.
” From the initial execution of the obfuscated batch script ( install. bat ) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after reboots. By injecting into critical system processes like winlogon. exe, it manipulates process behavior to further complicate detection”.
The findings come as Cofense a Microsoft Copilot spoofing campaign that utilizes phishing emails to take users to a fake landing page for the artificial intelligence ( AI ) assistant that’s engineered to harvest users ‘ credentials and two-factor authentication ( 2FA ) codes.