
BatCloak Malware

Cybersecurity analysts have uncovered a sophisticated multi-stage attack that uses invoice-themed phishing lures as the vehicle for delivering an array of threatening software, including the VenomRAT, the RemcosRAT, the XWormRAT, the NanoCore RAT and a stealer that targets cryptocurrency wallets.

These fraudulent emails contain attachments in the form of Scalable Vector Graphics (SVG) files. Once opened, these files trigger a sequence of infections. Noteworthy in this operation is the utilization of the BatCloak malware obfuscation engine and ScrubCrypt to disseminate the malware through obfuscated batch scripts.

The BatCloak Malware Facilitates the Delivery of Next-Stage Payloads

BatCloak, available for purchase by other threat actors since late 2022, originates from a tool known as Jlaive. Its main function is to facilitate the loading of a subsequent-stage payload in a manner that evades conventional detection methods.

ScrubCrypt, initially identified by researchers in March 2023 during a cryptojacking campaign orchestrated by the 8220 Gang, is believed to be one of the iterations of BatCloak, as per findings by Trend Micro last year.

In the most recent campaign scrutinized by cybersecurity specialists, the SVG file acts as a conduit for deploying a ZIP archive containing a batch script likely crafted using BatCloak. This script then unpacks the ScrubCrypt batch file to ultimately execute Venom RAT after establishing persistence on the host and implementing measures to bypass AMSI and ETW protections.
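As an added illustration of the SVG-to-ZIP stage described above (this is example code, not code from the original page or from any vendor report), the following Python scanner flags an SVG attachment that contains active content or a base64-encoded ZIP archive carrying a batch or script file. The sample SVG, its member file name and the placeholder batch content are constructed for the demonstration.

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ZIP_MAGIC = b"PK\x03\x04"                      # local file header of a ZIP archive
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".ps1", ".js", ".hta")
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # long base64 runs only


def scan_svg(svg_bytes: bytes) -> list:
    """Return human-readable findings for one SVG attachment."""
    findings = []
    root = ET.fromstring(svg_bytes)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the XML namespace
        if tag in ("script", "foreignobject"):
            findings.append(f"active element <{tag}>")
        for attr in el.attrib:
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
    text = svg_bytes.decode("utf-8", errors="replace")
    for match in B64_RE.finditer(text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue
        if not blob.startswith(ZIP_MAGIC):
            continue
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
        findings.append(f"embedded ZIP archive with {len(names)} member(s)")
        findings.extend(f"script inside embedded ZIP: {n}"
                        for n in names if n.lower().endswith(SCRIPT_EXT))
    return findings


def build_sample_svg() -> bytes:
    """Constructed sample: an SVG whose script holds a base64 ZIP with a .bat file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_2024.bat", "@echo off\r\nrem placeholder only\r\n")
    blob = base64.b64encode(buf.getvalue()).decode()
    return ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
            '<script>var archive="' + blob + '";</script></svg>').encode()
```

A mail gateway or sandbox hook can call `scan_svg()` on each SVG attachment and quarantine any message that produces findings.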

Cybercriminals Deploy Numerous Malware Threats via BatCloak

An offshoot of the Quasar RAT, the Venom RAT empowers attackers to take control of compromised systems, harvest sensitive data, and execute commands from a Command-and-Control (C2) server. Although the Venom RAT's core functionality may seem straightforward, it establishes communication channels with the C2 server to procure additional plugins for diverse activities. These encompass Venom RAT v6.0.3, which is equipped with keylogger capabilities, as well as the NanoCore RAT, XWorm, and Remcos RAT. The Remcos RAT plugin is disseminated from VenomRAT's C2 through three methods: an obfuscated VBS script named 'remcos.vbs', ScrubCrypt and the GuLoader PowerShell.

Also distributed via the plugin system is a stealer that scavenges system information and siphons data from folders linked with wallets and applications such as Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (discontinued as of March 2023), Zcash, Foxmail and Telegram to a remote server.

The documented attack operation employs multiple layers of obfuscation and evasion tactics to disseminate and execute VenomRAT via ScrubCrypt. The perpetrators utilize various means, including phishing emails with malicious attachments, obfuscated script files, and GuLoader PowerShell, to breach and compromise victim systems. Furthermore, the deployment of plugins through diverse payloads underscores the versatility and adaptability of the attack campaign.
