A newly discovered malware campaign, dubbed OBSCURE#BAT, is using fake CAPTCHA to deliver the open-source rootkit r77, allowing attackers to establish persistence and evade detection on infected systems. The cybersecurity firm Securonix uncovered this campaign, though the perpetrators remain unidentified.
How OBSCURE#BAT Malware Operates
OBSCURE#BAT gets its name from its obfuscated Windows batch script, which initiates the attack by executing PowerShell commands. This multi-stage attack culminates in the deployment of the r77 rootkit, which conceals files, registry keys, and processes associated with the malware.
The campaign primarily targets English-speaking users in the U.S., Canada, Germany, and the U.K. by masquerading as legitimate software downloads or employing fake CAPTCHA verification pages to trick victims into executing malicious scripts.
Initial Infection Methods
Researchers identified two primary delivery methods for OBSCURE#BAT:
- Fake CAPTCHA Pages: Victims are directed to fraudulent Cloudflare CAPTCHA verification pages, which prompt them to execute malware.
- Malware Disguised as Legitimate Software: The malware is promoted as Tor Browser, VoIP software, and messaging clients, leveraging SEO poisoning and malvertising to reach unsuspecting users.
Once the victim runs the first-stage payload (a compressed archive), the obfuscated batch script it contains:
- Executes PowerShell commands to drop additional scripts.
- Modifies Windows Registry settings to embed malicious scripts.
- Creates scheduled tasks to maintain persistence even after system reboots.
Evasion and Persistence Techniques
OBSCURE#BAT employs multiple obfuscation techniques to evade detection, including:
- Control-flow obfuscation and string encryption in its .NET payload.
- Mixing Arabic, Chinese, and special characters in function names to evade static analysis.
- AMSI patching to bypass antivirus detections.
The malware eventually drops ACPIx86.sys, a system-mode rootkit, into the Windows System32 Drivers folder and launches it as a service. Additionally, it installs the r77 user-mode rootkit, which conceals:
- Files
- Processes
- Registry keys matching the pattern "$nya-"
To enhance persistence, OBSCURE#BAT:
- Stores obfuscated scripts in the Windows Registry.
- Registers a fake driver (ACPIx86.sys) to embed itself deeper into the system.
- Injects into winlogon.exe, complicating detection efforts.
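As an added example (not code from the Securonix report or this article), the following PowerShell hunt surfaces the artefacts named above. The "$nya-" prefix and the ACPIx86.sys driver path come from the text; the registry roots and directories it searches are assumptions, since the report names no specific locations.

```powershell
# Added hunt script, not from the Securonix report. Assumes PowerShell 5.1+ run as
# Administrator. Caveat: r77 hooks enumeration inside processes it injects into, so a
# clean result on a live host is not proof of absence; run it against an offline
# image or from a boot-time/remote scan and compare with kernel-level tooling.
$Prefix     = '$nya-'                                   # literal prefix hidden by r77
$DriverPath = Join-Path $env:SystemRoot 'System32\drivers\ACPIx86.sys'
$Findings   = New-Object System.Collections.Generic.List[string]

# 1. Dropped driver file, and any service/driver entry referencing it or the prefix
if (Test-Path -LiteralPath $DriverPath) { $Findings.Add("driver file: $DriverPath") }
foreach ($class in 'Win32_SystemDriver', 'Win32_Service') {
    Get-CimInstance -ClassName $class -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like '*ACPIx86.sys*' -or $_.Name -like "$Prefix*" } |
        ForEach-Object { $Findings.Add("$class entry: $($_.Name) -> $($_.PathName)") }
}

# 2. Scheduled tasks whose name or action carries the prefix
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "$Prefix*" -or
        (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ') -like "*$Prefix*" } |
    ForEach-Object { $Findings.Add("scheduled task: $($_.TaskPath)$($_.TaskName)") }

# 3. Registry keys and value names with the prefix under assumed persistence roots
$RegRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($root in $RegRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "$Prefix*" } |
        ForEach-Object { $Findings.Add("registry key: $($_.Name)") }
    $props = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -like "$Prefix*" } |
            ForEach-Object { $Findings.Add("registry value: $root\$($_.Name)") }
    }
}

# 4. Files and processes carrying the prefix (hidden only from hooked callers)
foreach ($dir in $env:ProgramData, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) {
    Get-ChildItem -Path $dir -Recurse -Force -Filter "$Prefix*" -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("file: $($_.FullName)") }
}
Get-Process | Where-Object { $_.Name -like "$Prefix*" } |
    ForEach-Object { $Findings.Add("process: $($_.Name) (PID $($_.Id))") }

if ($Findings.Count) { $Findings | Sort-Object -Unique | Write-Output }
else { Write-Output 'No OBSCURE#BAT indicators surfaced (see caveat above).' }
```

Any hit should be treated as a lead for a full forensic triage of the host rather than cleaned in place, since the rootkit components may still be resident.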
Potential Impact and Risks
OBSCURE#BAT monitors:
- Clipboard activity
- Command history
- Hidden files for exfiltration
By leveraging stealth techniques, API hooking, and persistence mechanisms, the malware ensures it remains active while bypassing security defenses.
Protecting Against OBSCURE#BAT
Cybersecurity experts recommend the following measures to mitigate the risk:
- Avoid downloading software from unofficial sources.
- Be cautious of CAPTCHA verification requests on unknown sites.
- Monitor system processes and watch for unauthorized registry modifications.
- Enable advanced endpoint detection to spot obfuscation techniques.
- Regularly update security software to detect emerging threats.
OBSCURE#BAT demonstrates the growing sophistication of malware campaigns that utilize social engineering, rootkits, and evasion techniques to compromise systems. With cybercriminals continuously refining their attack methods, organizations must remain proactive in cybersecurity defense strategies to mitigate these evolving threats.
As threats continue to evolve, cybersecurity awareness and strong security protocols remain crucial in protecting users and businesses from emerging malware campaigns like OBSCURE#BAT.