A new malware campaign has been observed that leverages social engineering tactics to provide an open source rootkit called the R77.
This activity, which denounced the ambiguous #BAT by Securonix, allows threat actors to establish persistence in the compromised system and avoid detection. It is currently unknown who is behind the campaign.
The rootkit “has the ability to MacCaulk or mask files, registry keys, or tasks starting with a specific prefix,” security researchers Den iuzvyk and Tim Peck said in a report shared with Hacker News. “We’re targeting users, either under the guise of legal software downloads or via fake Captcha social engineering scams.”
The campaign is designed primarily to target English-speaking individuals, particularly the US, Canada, Germany and the UK.
Obscure#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script. This executes a PowerShell command to activate a multi-stage process that reaches its peak in a RootKit expansion.
At least two different initial access routes have been identified to allow users to run malicious batch scripts. One is the second way to employ malware as a legitimate tool, such as the Tor browser, VoIP software, messaging clients, using the infamous Clickfix strategy by directing users to a fake CloudFlare Captcha validation page.
It is not clear how users are being invited by software trapped in booby, but it is suspected to involve proven approaches such as fraud and search engine optimization (SEO) addiction.
Regardless of how you use it, the first stage payload is an archive containing batch scripts, invoking PowerShell commands to drop additional scripts, making changes to the Windows registry, and setting up scheduled tasks for persistence.
“Malware stores scripts in an esoteric way in the Windows registry, ensuring they run through scheduled tasks, allowing them to be secretly executed in the background,” the researchers said. “In addition, we will change the system registry key to register a fake driver (ACPIX86.SYS) and embed it further into the system.”
What unfolded during the course of the attack was a .NET payload that uses many tricks to avoid detection. This includes controlling flow obfuscation, string encryption, and using feature names that mix Arabic, Chinese and special characters.
Another payload loaded by PowerShell is executable, using an anti-malware scan interface (AMSI) patch to bypass anti-virus detection.
The .NET payload is responsible for dropping a system mode rootkit named “acpix86.sys” into the “c:\windows\system32\drivers\” folder. It also delivers a user-mode rootkit called R77 to hide files, processes, and registry keys that match the pattern ($nya-).
Malware also regularly monitors monitors for clipboard activity and command history, saving them in hidden files, possibly filtering them out.
“Obscure#BAT demonstrates a highly evasive attack chain and leverages observation, stealth technology and API hooks to sustain on compromised systems while avoiding detection,” the researchers said.
“From the initial execution of an obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-saved scripts, malware ensures persistence even after a reboot. By injecting critical system processes such as Winlogon.exe, you can manipulate the behavior of the process to further manipulate complex detection.”
The findings occurred as Cofense details the Microsoft Copilot Spoofing campaign, where users are using phishing emails to take users to fake landing pages of artificial intelligence (AI) assistants designed to harvest user qualifications and two-factor authentication (2FA) codes.
Source link
