OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77.

The activity, condemned OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It’s currently not known who is behind the campaign.

The rootkit “has the ability to cloak or mask any file, registry key or task beginning with a specific prefix,” security researchers Den Iuzvyk and Tim Peck said in a report shared with The Hacker News. “It has been targeting users by either masquerading as legitimate software downloads or via fake captcha social engineering scams.”

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

The campaign is designed to mainly target English-speaking individuals, particularly the United States, Canada, Germany, and the United Kingdom.

OBSCURE#BAT gets its name from the fact that the starting point of the attack is an obfuscated Windows batch script that, in turn, executes PowerShell commands to activate a multi-stage process that culminates in the deployment of the rootkit.

At least two different initial access routes have been identified to get users to execute the malicious batch scripts: One which uses the infamous ClickFix strategy by directing users to a fake Cloudflare CAPTCHA verification page and a second method that employs advertising the malware as legitimate tools like Tor Browser, VoIP software, and messaging clients.

While it’s not clear how users are lured to the booby-trapped software, it’s suspected to involve tried-and-tested approaches like malvertising or search engine optimization (SEO) poisoning.

Regardless of the method used, the first-stage payload is an archive containing the batch script, which then invokes PowerShell commands to drop additional scripts, make Windows Registry modifications, and set up scheduled tasks for persistence.

“The malware stores obfuscated scripts in the Windows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background,” the researchers said. “Additionally, it modifies system registry keys to register a fake driver (ACPIx86.sys), further embedding itself into the system.”

Deployed over the course of the attack is a .NET payload that employs a bevy of tricks to evade detection. This includes control-flow obfuscation, string encryption, and using function names that mix Arabic, Chinese, and special characters.

Another payload loaded by means of PowerShell is an executable that makes use of Antimalware Scan Interface (AMSI) patching to bypass antivirus detections.

The .NET payload is ultimately responsible for dropping a system-mode rootkit named “ACPIx86.sys” into the “C:\Windows\System32\Drivers\” folder, which is then launched as a service. Also delivered is a user-mode rootkit referred to as r77 for setting up persistence on the host and hiding files, processes, and registry keys matching the pattern ($nya-).

The malware further periodically monitors for clipboard activity and command history and saves them into hidden files for likely exfiltration.

“OBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection,” the researchers said.

“From the initial execution of the obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after reboots. By injecting into critical system processes like winlogon.exe, it manipulates process behavior to further complicate detection.”

The findings come as Cofense detailed a Microsoft Copilot spoofing campaign that utilizes phishing emails to take users to a fake landing page for the artificial intelligence (AI) assistant that’s engineered to harvest users’ credentials and two-factor authentication (2FA) codes.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.