Batcloak

Malware updated 4 months ago (2024-05-04T16:39:22.093Z)
BatCloak is a fully undetectable (FUD) malware obfuscation engine that threat actors have used to stealthily deliver their malware since September 2022. The BatCloak engine was initially part of an FUD builder named Jlaive, which began circulating in 2022. Although the Jlaive code repository appears to be abandoned, researchers discovered that BatCloak had its own standalone repository, with the threat actors behind Jlaive contributing to numerous iterations and adaptations of the engine. BatCloak is known for using heavily obfuscated batch files to deploy various malware families, effectively evading detection by antivirus programs. The inclusion of SeroXen and BatCloak in the arsenal of malicious actors underscores the evolution of FUD obfuscators with a low barrier to entry.

In June 2023, Trend Micro researchers detailed how multiple threat actors were using the BatCloak obfuscation engine. The first entry of a three-part technical analysis, titled "The Dark Evolution: Advanced Malicious Actors Unveil Malware Modification Progression", delved into the evolution of the BatCloak engine. The second part, titled "SeroXen Incorporates Latest BatCloak Engine Iteration", discussed the SeroXen malware and its use of the latest BatCloak iteration to generate an FUD ".bat" loader.

BatCloak has been implicated in several campaigns, including one in which it was used alongside another malware obfuscation engine, ScrubCrypt, to distribute malware through obfuscated batch scripts. An updated version of ScrubCrypt, also known as BatCloak, was reported by the HUMAN Satori Threat Intelligence Team to be delivering the RedLine stealer malware. When targeted users open a specific SVG file, the embedded ECMAScript creates a new blob and uses "window.URL.createObjectURL" to drop the decoded data as a ZIP file. The decompressed file reveals an obfuscated batch file with an embedded payload, presumably created by the BatCloak tool, which distributes malware while effectively evading detection by antivirus programs.
Description last updated: 2024-05-04T16:07:34.522Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry lists the profile ID, its vote count, and the profile description.

Scrubcrypt (3 votes): ScrubCrypt is a sophisticated malware that has been used as a delivery mechanism for other malicious software, notably VenomRAT. The malware operates by exploiting systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside the system, ScrubCrypt can disrupt

Seroxen (3 votes): SeroXen is a potent malware that has been discovered in malicious NuGet packages, infecting developer systems. The Remote Access Trojan (RAT) was first identified by the DevSecOps company Phylum and is being delivered through typosquatted NuGet packages. Additionally, SeroXen has been found to targe

Jlaive (3 votes): Jlaive is a malware that began circulating in 2022, primarily known for its obfuscation algorithm powered by the BatCloak engine. The malware was designed to evade antivirus software by converting executables into undetectable batch files. The creator, identified as ch2sh, made significant contribut
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Remcos
Antivirus
Ransomware
Payload
Associated Malware
Each entry lists the profile ID, the association type, its vote count, and the profile description.

Mallox (type: unspecified; 2 votes): Mallox is a potent and evolving malware, first identified in 2021, that operates primarily as ransomware. It infiltrates networks predominantly via SQL servers, encrypts victims' files, and appends various extensions such as .ma1x0, .cookieshelper, and .karsovrop. Upon successful encryption, Mallox

TargetCompany (type: unspecified; 2 votes): TargetCompany is a known malware entity, often referred to as Mallox, Tohnichi, or Fargo in various articles and blog posts. This malicious software is designed to infiltrate and damage computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, o
Source Document References
Information about the Batcloak malware was read from the documents corpus below. This display is limited to 20 results.
Each entry lists the source, when it was created, and the document title.

CERT-EU (a year ago): Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data
CERT-EU (9 months ago): Researchers Unveil GuLoader Malware's Latest Anti-Analysis Techniques
DARKReading (5 months ago): Cagey Phishing Attack Drops Multiple RATs to Steal Data
Securityaffairs (5 months ago): ScrubCrypt used to drop VenomRAT along with many malicious plugins
Fortinet (5 months ago): ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins | FortiGuard Labs
Trend Micro (a year ago): TargetCompany Ransomware Abuses FUD Obfuscator Packers
Trend Micro (a year ago): SeroXen Mechanisms: Exploring Distribution, Risks, and Impact
CERT-EU (a year ago): New Yashma Ransomware Variant Targets Multiple English-Speaking Countries
CERT-EU (a year ago): TargetCompany Ransomware Deploy Fully Undetectable Malware on SQL Server
BankInfoSecurity (a year ago): Breach Roundup: European Investment Bank Suffers Cyberattack
DARKReading (a year ago): Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics
CERT-EU (a year ago): New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions
Securityaffairs (a year ago): FUD Malware obfuscation engine BatCloak continues to evolve
CERT-EU (a year ago): The Good, the Bad and the Ugly in Cybersecurity - Week 24 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Trend Micro (a year ago): SeroXen Incorporates Latest BatCloak Engine Iteration
CERT-EU (a year ago): Obfuscation tool 'BatCloak' can evade 80% of AV engines
CERT-EU (a year ago): Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable – GIXtools
Trend Micro (a year ago): Analyzing the FUD Malware Obfuscation Engine BatCloak