A sophisticated malware campaign, tracked as OBSCURE#BAT, has been identified using heavily obfuscated batch scripts to install stealthy rootkits, allowing attackers to maintain persistent access to compromised systems while avoiding detection. The campaign uses social engineering tactics and deceptive file downloads to trick users into executing malicious code, which then sets off a complex chain of infections resulting in a user-mode rootkit deployment.

The infection begins when unsuspecting victims execute malicious batch files, often disguised as legitimate software installations or fake captcha verification prompts. Analysts at Securonix have identified that the malware employs multiple obfuscation techniques, including string concatenation and character replacements, to evade detection. The initial batch files score remarkably low on antivirus detection, with only 0-2 detections on platforms like VirusTotal, despite their malicious nature. Once executed, these files initiate a series of environment variable manipulations and PowerShell commands to deploy next-stage payloads while simultaneously deleting themselves to remove evidence of the initial infection.

“The PowerShell executed in the next stage performs key tasks,” notes the Securonix report, including anti-analysis checks that verify system hardware to detect forensic environments. The malware then leverages AES encryption to decrypt and execute encoded payloads directly in memory through reflection techniques, avoiding writing files to disk. Additionally, the malware drops a malicious driver file (ACPIx86.sys) into the system directory and registers it as a legitimate Windows service.

The malware establishes persistence through multiple avenues, primarily utilizing the Windows registry and scheduled tasks. It stores obfuscated PowerShell scripts in registry locations such as “HKLM\SOFTWARE\OOhhhm” and “HKU\S-1-5-21-…-1001\Environment\onimaiuc” that automatically execute when referenced as environment variables. It also creates hidden scheduled tasks named “$nya-qX6Pb164” configured to run at each user logon with the highest available privileges.

What makes OBSCURE#BAT particularly dangerous is its implementation of the r77 rootkit, which systematically conceals malicious artifacts from standard system tools. This rootkit hides files, registry entries, and running processes that match a specific pattern (“$nya-”), making them invisible to Task Manager, Explorer, and command-line tools. The campaign also demonstrates sophisticated capabilities for monitoring user activity, with the malware regularly capturing clipboard contents and command history, storing this data in hidden files for later exfiltration.
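To give defenders a concrete check for the artifacts named above, here is an added PowerShell hunting script; it is not code from the Securonix report or from this article. It assumes the driver lands in System32 or System32\drivers (the article says only “the system directory”) and that user hives are loaded under HKEY_USERS, and it iterates all SIDs rather than guessing the truncated one.

```powershell
# Added hunting script (not from the Securonix report): looks for the OBSCURE#BAT
# artifacts the article names. Because the r77 rootkit runs in user mode and filters
# anything matching "$nya-", an empty result on a live infected host is not conclusive;
# rerun from a known-good boot environment or against an offline copy of the disk.
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Scheduled tasks whose name starts with "$nya-" (the article cites "$nya-qX6Pb164").
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '$nya-*' } |
    ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" }

# Task definitions also exist as XML files on disk; check those copies independently.
Get-ChildItem -Path "$env:SystemRoot\System32\Tasks" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '$nya-*' } |
    ForEach-Object { Add-Finding 'TaskFile' $_.FullName }

# 2. Registry locations used to stage obfuscated PowerShell. The HKLM key does not match
#    the "$nya-" pattern, so the rootkit's filter should not hide it.
if (Test-Path 'HKLM:\SOFTWARE\OOhhhm') { Add-Finding 'Registry' 'HKLM\SOFTWARE\OOhhhm' }
# Per-user copy: a value named "onimaiuc" under HKU\<SID>\Environment, for every loaded hive.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $envKey = "Registry::$($_.Name)\Environment"
    if (Test-Path $envKey) {
        $props = Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['onimaiuc']) {
            Add-Finding 'Registry' "$envKey\onimaiuc"
        }
    }
}

# 3. The dropped driver (assumed locations) and the service that registers it.
foreach ($p in @("$env:SystemRoot\System32\ACPIx86.sys",
                 "$env:SystemRoot\System32\drivers\ACPIx86.sys")) {
    if (Test-Path $p) { Add-Finding 'DriverFile' $p }
}
Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -like '*ACPIx86.sys*' } |
    ForEach-Object { Add-Finding 'DriverService' "$($_.Name) [$($_.State)] -> $($_.PathName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No OBSCURE#BAT artifacts found (not conclusive on a live infected host).'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session, since the HKEY_USERS hives, the Tasks folder and the driver inventory are not fully readable otherwise.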
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 13 Mar 2025 07:45:08 +0000