
FUD BatCloak Engine: able to evade the main antivirus products
BatCloak: the new obfuscation engine that beats 80% of antiviruses
Trend Micro researchers stated in a recent report that since September 2022, attackers have been actively using a malware obfuscation engine called BatCloak, which allows cybercriminals to effectively hide malicious code from antivirus solutions.
What is Malware?
Malware is any type of software created to damage or exploit other software or hardware components. A contraction for "malicious software," malware is a collective term used to describe viruses, ransomware, spyware, Trojans, and any other type of code or software created with malicious intent.
It is precisely malicious intent that characterizes the definition of malware: the purpose of malware is the damage it can inflict on a computer, computer system, server or network. The means and the motives are what distinguish one type of malware from another.
According to experts, with BatCloak, attackers can easily download different families of malware. Of the 784 malware samples found, nearly 80% were not detected by any of the antivirus engines.
BatCloak is the basis for a program creation tool called Jlaive that can bypass the Antimalware Scan Interface and compress and encrypt core malicious programs to increase evasion rates.
The Jlaive tool was released on public domain sites in September 2022 by a developer under the pseudonym ch2sh. It has since been copied, modified and ported to other programming languages.
BatCloak has received many updates and adaptations since it first appeared. Its latest version is called ScrubCrypt and was isolated by Fortinet experts during an investigation.
“The decision to switch from an open to a closed framework, made by the developer of ScrubCrypt, can be explained by the results of previous projects, such as Jlaive, as well as the desire to monetize the project and protect it from unauthorized copying,” Trend Micro experts suggested.
In computer science, a framework is a system that allows you to extend the functionality of the programming language on which it is based, providing the developer with a coherent and effective structure in order to carry out actions and commands quickly and easily.
In essence, a framework can be defined as a set of functions and tools that are already "ready to use", i.e. that can be used without having to design them from scratch every time.
“The evolution of BatCloak highlights the flexibility and adaptability of this engine and highlights the development of obfuscators,” concluded the researchers.
How to mitigate this threat?
To mitigate the risk, you must keep the detection definitions of the protection software you use constantly updated, and you must regularly import the new indicators of compromise that researchers publicly release.
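One practical way to act on published indicators of compromise is to compare the hashes of local files against a researcher's hash list. The script below is an added example and is not code from the article, from Trend Micro or from Fortinet; the feed format it parses (one SHA-256 per line, `#` comments, an optional `sha256:` prefix) and the sample files it scans are constructed assumptions, not real indicators.

```python
"""Match local files against a published list of SHA-256 indicators of compromise.

Added example: the feed format and the sample files are constructed for the
demonstration and do not come from the article or from any vendor publication.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed feed format: one SHA-256 per line, optionally prefixed with "sha256:".
HEX64 = re.compile(r"^(?:sha256:)?([0-9a-fA-F]{64})$")


def parse_ioc_feed(text: str) -> set[str]:
    """Parse a plain-text hash list into a set of lower-case SHA-256 digests.

    Blank lines and '#' comments are ignored, and any line that is not a
    64-character hex string is skipped, so one malformed entry cannot break
    the whole feed.
    """
    iocs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = HEX64.match(line)
        if match:
            iocs.add(match.group(1).lower())
    return iocs


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Return (path, digest) for every regular file under root whose hash is an IoC."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = sha256_file(path)
            if digest in iocs:
                hits.append((path, digest))
    return hits


def demo_scan() -> dict:
    """Run the matcher on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed samples: neither file is malware; "invoice.bat" merely
        # stands in for a file whose hash a researcher has published.
        flagged = root / "downloads" / "invoice.bat"
        benign = root / "downloads" / "notes.txt"
        flagged.parent.mkdir()
        flagged.write_bytes(b"@echo off\r\nrem constructed sample standing in for a flagged file\r\n")
        benign.write_bytes(b"meeting notes, nothing to see here\n")

        # Constructed feed: a comment, the flagged hash (prefixed, upper-case
        # to exercise normalisation) and a malformed line that must be skipped.
        feed = "\n".join([
            "# constructed IoC feed, not a real publication",
            "sha256:" + sha256_file(flagged).upper(),
            "not-a-hash",
        ])
        iocs = parse_ioc_feed(feed)
        hits = scan_directory(root, iocs)
        return {
            "ioc_count": len(iocs),
            "files_scanned": sum(1 for p in root.rglob("*") if p.is_file()),
            "hits": [path.name for path, _ in hits],
        }


if __name__ == "__main__":
    print(demo_scan())
```

Hash-based indicators are cheap to check but brittle: an obfuscation engine that re-encodes its payload for every build produces a fresh hash each time, so a hash list catches only the exact samples that were published. That is why the article pairs IoC adoption with keeping detection definitions current; behavioural and heuristic signatures in the protection software are what catch the variants the hash list misses.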