A recently discovered malware campaign is utilizing social engineering tactics to deliver an open-source rootkit known as r77, which enables threat actors to maintain persistence and evade detection on compromised systems.
The campaign, which Securonix has dubbed OBSCURE#BAT, has not been attributed to a known threat actor. The rootkit has the capacity to cloak or mask any file, registry key, or task beginning with a specific prefix, according to security researchers Den Iuzvyk and Tim Peck in a report shared with The Hacker News. The campaign primarily targets English-speaking individuals, especially in the United States, Canada, Germany, and the United Kingdom, often by disguising itself as legitimate software downloads or using fake CAPTCHA social engineering scams.
The name OBSCURE#BAT originates from the fact that the attack begins with an obfuscated Windows batch script, which then executes PowerShell commands to initiate a multi-stage process that ultimately results in the deployment of the rootkit.
At least two initial access routes have been identified to trick users into executing the malicious batch scripts. One method utilizes the infamous ClickFix strategy, directing users to a fake Cloudflare CAPTCHA verification page. The other method involves advertising the malware as legitimate tools, such as Tor Browser, VoIP software, and messaging clients.
While the exact method used to lure users to the malicious software is unclear, it is suspected to involve common tactics like malvertising or search engine optimization (SEO) poisoning. Regardless of the method, the first-stage payload is an archive containing the batch script, which then invokes PowerShell commands to drop additional scripts, modify the Windows Registry, and set up scheduled tasks for persistence.
According to the researchers, “The malware stores obfuscated scripts in the Windows Registry and ensures execution via scheduled tasks, allowing it to run stealthily in the background. Additionally, it modifies system registry keys to register a fake driver (ACPIx86.sys), further embedding itself into the system.”
A .NET payload is deployed over the course of the attack, utilizing various evasion techniques, including control-flow obfuscation, string encryption, and using function names that mix Arabic, Chinese, and special characters.
Another payload loaded via PowerShell employs Antimalware Scan Interface (AMSI) patching to bypass antivirus detections. The .NET payload is ultimately responsible for dropping a system-mode rootkit named “ACPIx86.sys” into the “C:\Windows\System32\Drivers” folder, which is then launched as a service.
Additionally, a user-mode rootkit referred to as r77 is delivered for setting up persistence on the host and hiding files, processes, and registry keys whose names begin with the prefix “$nya-”. The malware also periodically monitors clipboard activity and command history, saving them into hidden files for potential exfiltration.
According to the researchers, “OBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection. From the initial execution of the obfuscated batch script (install.bat) to the creation of scheduled tasks and registry-stored scripts, the malware ensures persistence even after reboots.”
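As an added triage example (not code from Securonix or The Hacker News), the following PowerShell script hunts a Windows host for the artifacts the report names: scheduled tasks, registry keys and files carrying the “$nya-” prefix that r77 hides, tasks whose actions pull a script out of the registry, and any service referencing ACPIx86.sys. The drop locations searched and the registry-access heuristic for task actions are assumptions, not details from the report.

```powershell
# Added triage script; assumed drop locations and heuristics, not from the report.
# Caveat: r77 hooks user-mode APIs, so on a live infected host these queries may
# return nothing. Run from a clean boot or against an offline image for confidence.
$Prefix   = '$nya-'                       # single quotes: no variable expansion
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Driver / service: anything referencing ACPIx86.sys, or a prefixed service key
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'ACPIx86\.sys' } |
    ForEach-Object { $Findings.Add("driver: $($_.Name) -> $($_.PathName)") }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img -match 'ACPIx86\.sys' -or $_.PSChildName.StartsWith($Prefix)) {
            $Findings.Add("service key: $($_.PSChildName) ImagePath=$img")
        }
    }

# 2. Scheduled tasks: prefixed names, or a PowerShell action that reads the registry
#    (heuristic for "registry-stored scripts ensured by scheduled tasks")
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $acts = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($task.TaskName.StartsWith($Prefix) -or
        $acts -match 'powershell.*(Get-ItemProperty|HKCU|HKLM|HKEY_)') {
        $Findings.Add("task: $($task.TaskPath)$($task.TaskName) -> $acts")
    }
}

# 3. Registry: keys or value names beginning with the prefix under common hives
foreach ($hive in 'HKCU:\Software', 'HKLM:\SOFTWARE') {
    Get-ChildItem $hive -Recurse -Depth 2 -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName.StartsWith($Prefix)) { $Findings.Add("reg key: $($_.Name)") }
        foreach ($v in $_.GetValueNames()) {
            if ($v.StartsWith($Prefix)) { $Findings.Add("reg value: $($_.Name)\$v") }
        }
    }
}

# 4. Files: prefixed names or the driver itself in assumed drop locations
foreach ($dir in $env:TEMP, $env:APPDATA, "$env:SystemRoot\System32\Drivers") {
    Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.StartsWith($Prefix) -or $_.Name -ieq 'ACPIx86.sys' } |
        ForEach-Object { $Findings.Add("file: $($_.FullName)") }
}

if ($Findings.Count -eq 0) { 'No OBSCURE#BAT indicators found (live query; see hook caveat)' }
else { $Findings | Sort-Object -Unique }
```

An empty result on a live host is not a clean bill of health, because the user-mode hooks are designed to make exactly these enumerations come back empty; a non-empty result is a strong signal worth escalating.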
The findings come as Cofense reported a Microsoft Copilot spoofing campaign that uses phishing emails to direct users to a fake landing page for the artificial intelligence (AI) assistant, designed to harvest users’ credentials and two-factor authentication (2FA) codes.