Thursday, May 8, 2025
Homecyber securityNew OBSCURE#BAT Exploit Windows Alters System Processes & Registry for Evasion

New OBSCURE#BAT Exploit Windows Alters System Processes & Registry for Evasion

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers at Securonix have identified an advanced malware campaign that employs social engineering tactics and heavily obfuscated code to deploy rootkits capable of cloaking malicious activities on compromised systems.

Dubbed OBSCURE#BAT, the campaign targets English-speaking users through various deception techniques, ultimately installing a user-mode rootkit that can hide files, registry entries, and processes from standard detection methods.

The malware has been observed targeting users across the United States, Canada, Germany, and the United Kingdom, using sophisticated techniques to maintain persistence once installed.

- Advertisement - Google News

According to researchers Den Iuzvyk and Tim Peck from the Securonix Threat Research team, this attack represents a concerning evolution in stealth malware techniques aimed at evading modern security solutions.

Deceptive Social Engineering Lures Users Into Executing Malicious Code

The OBSCURE#BAT attack begins with one of two primary infection vectors designed to trick users into executing malicious batch scripts.

In the first method, attackers deploy fake Cloudflare CAPTCHA verification screens on typosquatted domains that resemble legitimate websites.

When users attempt to verify they are human by clicking the checkbox, malicious code is copied to their clipboard.

Users are then instructed to press Windows+R and paste the code into the Run dialog box, unwittingly executing the malware’s initial payload.

Initial code execution

“The idea behind this social engineering scam is to trick the user into executing malicious code by masquerading as a legitimate Cloudflare captcha,” explain the Securonix researchers in their detailed analysis published today.

The second infection method involves disguising the malware as legitimate software downloads.

Researchers discovered malicious files masquerading as SIP (VoIP) software, Tor Browser, Adobe applications, and other popular networking and messaging tools.

The initial file, often a seemingly innocuous batch file within a ZIP archive, kicks off a sophisticated infection chain that has proven extremely difficult for security tools to detect.

At the time of analysis, the malicious batch files scored remarkably low detection rates on VirusTotal, with only 0-2 security solutions identifying them as malicious.

VirusTotal detections for install.bat

This low detection rate is achieved through extensive obfuscation techniques that include thousands of lines of variable definitions and character substitutions designed to thwart security analysis.

Sophisticated Rootkit Deploys Advanced Stealth Mechanisms

Once executed, the malicious batch file initiates a chain of events that ultimately deploys the r77 rootkit, a user-mode rootkit capable of hiding malicious activities using API hooking techniques.

sip.zip file contents – install.bat

The initial batch script, often exceeding 6MB in size due to extensive obfuscation, deploys PowerShell commands that decrypt and execute embedded payloads.

These PowerShell scripts perform anti-analysis checks, such as verifying specific hardware configurations, before continuing the infection process.

The malware establishes persistence by injecting malicious code into the Windows Registry and creating hidden scheduled tasks that execute at system startup.

What makes OBSCURE#BAT particularly dangerous is its ability to completely hide its presence on infected systems.

PowerShell execution – Windows registry injection

The rootkit modifies any files, processes, or registry entries that begin with the “$nya-” prefix, making them invisible to standard Windows tools including Task Manager, Explorer, and command-line utilities.

“The infected system prevents visibility of any files, processes or registry keys matching the ‘$nya-‘ prefix,” note the researchers.

This sophisticated hiding technique extends to scheduled tasks and even allows the malware to register a fake driver called “ACPIx86.sys” that further embeds itself into the system.

The malware also monitors user clipboard activity and command history, saving this information into hidden files for later exfiltration to command and control servers.

 Files containing encrypted user data

Detection Challenges and Protective Measures Against Emerging Threat

Security professionals face significant challenges detecting OBSCURE#BAT due to its multi-layered evasion techniques.

The malware employs multiple obfuscation methods, including string manipulation, API hooking, and AMSI (Antimalware Scan Interface) bypassing, which allows it to circumvent standard antivirus detections.

Additionally, the reflectively loaded .NET payload begins communication with command and control servers immediately after execution, connecting to IP addresses associated with the open-source QuasarRAT remote access tool.

.NET AMSI bypass

Securonix researchers recommend maintaining vigilance against social engineering attacks, particularly fake CAPTCHA verifications that prompt users to execute code.

“A legitimate captcha will never copy code to your clipboard and prompt execution,” they emphasize.

Users should verify software downloads come from legitimate websites and inspect batch files in text editors before execution.

For organizations, deploying robust endpoint logging solutions such as Sysmon and PowerShell logging can enhance detection capabilities.

The researchers have also provided specific hunting queries to help security teams identify potential OBSCURE#BAT infections on their networks.

While attribution remains unclear, the sophistication of this campaign indicates a well-resourced threat actor targeting English-speaking users.

As rootkit-based attacks continue to evolve, security experts recommend implementing defense-in-depth strategies that include user education, endpoint protection, and advanced monitoring capabilities.

The discovery of OBSCURE#BAT serves as a reminder that even as security tools advance, attackers continue developing increasingly sophisticated methods to evade detection and maintain persistent access to compromised systems.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Kaaviya
Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.

Latest articles

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...