A new malware campaign has been observed using social engineering tactics to deliver the open-source rootkit r77.
The activity, which Securonix tracks as OBSCURE#BAT, lets attackers establish persistence and evade detection on compromised systems. The actors behind the campaign are unknown.
In a report shared with The Hacker News, security researchers Den Iuzvyk and Tim Peck explained that the rootkit can cloak any file, registry key, or scheduled task whose name begins with a specific prefix. The malware is delivered either disguised as legitimate software downloads or through fake CAPTCHA lures.
The campaign targets English-speaking users, with a particular focus on the United States, Canada, Germany, and the United Kingdom.
The name OBSCURE#BAT comes from how the attack begins: a heavily obfuscated Windows batch script that runs a series of PowerShell commands to start a multi-stage chain ending in the deployment of the rootkit.
Researchers have identified at least two distinct initial access routes used to trick users into running the malicious batch scripts. One relies on the well-known ClickFix technique, which sends targets to a fake Cloudflare CAPTCHA verification page; the other passes the malware off as legitimate tools, including Tor Browser, VoIP software, and messaging clients.
Exactly how victims are lured to these pages is unclear, but established techniques such as malvertising and search engine optimization (SEO) poisoning are suspected.
Whichever vector is used, the initial payload is an archive containing the obfuscated batch script. That script then invokes PowerShell commands to drop additional scripts, modify the Windows Registry, and create scheduled tasks for persistence.
The researchers noted that the malware stores its obfuscated scripts in the Windows Registry and uses scheduled tasks to launch them quietly in the background. It also modifies system registry keys to register a fake driver (ACPIx86.sys), further embedding itself in the host.
A .NET payload delivered during the attack uses a range of evasion techniques, including control-flow obfuscation, string encryption, and function names mixed with Arabic, Chinese, and other symbols, to hinder analysis and detection.
A further payload, delivered via PowerShell, is an executable that patches the Antimalware Scan Interface (AMSI) to bypass antivirus detection.
In the final stage, the .NET payload drops a system-mode rootkit named "ACPIx86.sys" into the "C:\Windows\System32\Drivers" folder, where it is started as a service. It also deploys the user-mode rootkit r77, which maintains persistence on the compromised host and hides files, processes, and registry keys matching the prefix ($nya-).
The malware also periodically monitors clipboard activity and command history and saves the captured data to hidden files, likely for later exfiltration.
The researchers described OBSCURE#BAT as a highly evasive attack chain that combines obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection.
From the execution of the obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence across reboots. By injecting into critical processes such as winlogon.exe, it manipulates process behavior to further frustrate detection.
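The persistence artifacts described above (the $nya- hiding prefix, prefix-named scheduled tasks and registry entries, and the fake ACPIx86.sys driver) can be hunted for with a short PowerShell script. The following is an added example written for this article, not code from Securonix or the report; the registry hives and drop folders it searches are assumptions, since the report does not state exactly where the scripts are stored.

```powershell
# Added hunt script (not from the Securonix report). Searches for the OBSCURE#BAT
# artifacts the article names: the "$nya-" prefix, the fake driver ACPIx86.sys,
# and prefix-named scheduled tasks, registry entries and files.
# Assumption: the hives and folders below are reasonable places to look.
function Find-ObscureBatArtifacts {
    $Prefix     = '$nya-'
    $DriverPath = 'C:\Windows\System32\Drivers\ACPIx86.sys'
    $Findings   = [System.Collections.Generic.List[object]]::new()

    # 1. Scheduled tasks whose name or action carries the hidden prefix
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($task.TaskName.StartsWith($Prefix) -or $actions.Contains($Prefix)) {
            $Findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Item = $task.TaskName; Detail = $actions })
        }
    }

    # 2. Registry keys or values named with the prefix (assumed hives)
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName.StartsWith($Prefix)) {
                $Findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Item = $key.Name; Detail = '' })
            }
            foreach ($name in $key.GetValueNames() | Where-Object { $_.StartsWith($Prefix) }) {
                $Findings.Add([pscustomobject]@{ Type = 'RegistryValue'; Item = "$($key.Name)\$name"; Detail = [string]$key.GetValue($name) })
            }
        }
    }

    # 3. The fake driver on disk and any driver service that points at it
    if (Test-Path -LiteralPath $DriverPath) {
        $sig = Get-AuthenticodeSignature -FilePath $DriverPath
        $Findings.Add([pscustomobject]@{ Type = 'DriverFile'; Item = $DriverPath; Detail = "Signature: $($sig.Status)" })
    }
    Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like '*ACPIx86.sys*' } |
        ForEach-Object { $Findings.Add([pscustomobject]@{ Type = 'DriverService'; Item = $_.Name; Detail = "$($_.State) $($_.PathName)" }) }

    # 4. Prefix-named files in common drop locations (assumed locations)
    foreach ($dir in $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, 'C:\Windows\Temp') {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name.StartsWith($Prefix) } |
            ForEach-Object { $Findings.Add([pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = $_.LastWriteTime }) }
    }
    return $Findings
}

Find-ObscureBatArtifacts | Format-Table -AutoSize
```

Because r77 hooks user-mode APIs to hide prefix-named objects from every process on the live host, run this against an offline-mounted image or from a trusted boot environment; an empty result on a live system is not evidence of absence.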
The disclosure coincides with a report from Cofense describing a Microsoft Copilot impersonation campaign that uses phishing emails to send users to a fake landing page for the AI assistant, designed to harvest credentials and two-factor authentication (2FA) codes.