The Securonix Threat Research team has uncovered a sophisticated malware campaign, tracked as OBSCURE#BAT, that uses social engineering and deceptive downloads to install the r77 user-mode rootkit, which evades detection and maintains persistence on compromised systems. Attackers use fake CAPTCHAs and legitimate-looking software downloads to trick users into running obfuscated batch scripts that start a multi-stage infection chain. The chain ends with the manipulation of system processes and registry entries, allowing the malware to stay hidden while continually monitoring user activity. Affected: users, software sectors, system environments.
Key points:
- Securonix tracks a stealth malware campaign leveraging social engineering.
- The malware deploys a user-mode rootkit (r77) that can cloak files, registry keys, and tasks.
- Initial infection occurs through obfuscated batch scripts disguised as legitimate downloads.
- Key techniques include process injection, API hooking, and dynamic PowerShell commands.
- The malware ensures persistence via scheduled tasks and registry modifications.
- Monitoring and exfiltration of user clipboard and command history occur in the background.
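As an added detection-side example (not code from the Securonix report), the following Python hunts a collected host inventory for the r77 cloaking prefix and matches this page's published indicators. The "$77" prefix is taken from r77's public source rather than from this page, and the artifact names used in testing are constructed.

```python
# Added example (not from the Securonix report): hunt for r77-style hidden
# artifacts and match this page's published IoCs in collected telemetry.
# Assumption: r77 cloaks files, registry keys and scheduled tasks whose names
# start with "$77" (from r77's public source; this page does not state it).
# r77 hooks user-mode APIs, so collect from an unhooked vantage point
# (offline disk image, kernel-level EDR telemetry), not a hooked process.
from dataclasses import dataclass

R77_PREFIX = "$77"
# Indicators listed on this page (defanged values normalised by refang()).
IOC_DOMAINS = {"cooinbase.net"}
IOC_IPS = {"86.54.42.120"}
IOC_SHA256 = {"e33e05d3182f46f65554fda2127d9d1d415a986b6c635485b323558a1821f56a"}
IOC_FILENAMES = {"sip.zip", "acpix86.sys"}

@dataclass(frozen=True)
class Artifact:
    kind: str  # "file", "registry", "task" or "process"
    name: str  # leaf name: file name, key/value name, task name

def refang(value: str) -> str:
    """'hxxps://cooinbase[.]net' -> 'cooinbase.net' so it compares to IoCs."""
    v = value.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    for scheme in ("https://", "http://"):
        if v.startswith(scheme):
            v = v[len(scheme):]
    return v.rstrip("/")

def is_r77_cloaked(a: Artifact) -> bool:
    """Anything carrying the rootkit's prefix is hidden from hooked APIs."""
    return a.name.startswith(R77_PREFIX)

def hunt(artifacts, net_indicators, sha256_hashes):
    """Return (rule, kind, value) tuples for every match."""
    findings = []
    for a in artifacts:
        if is_r77_cloaked(a):
            findings.append(("r77_prefix", a.kind, a.name))
        elif a.kind == "file" and a.name.lower() in IOC_FILENAMES:
            findings.append(("ioc_filename", a.kind, a.name))
    for n in net_indicators:
        r = refang(n)
        if r in IOC_DOMAINS or r in IOC_IPS:
            findings.append(("ioc_network", "net", r))
    for h in sha256_hashes:
        if h.lower() in IOC_SHA256:
            findings.append(("ioc_hash", "file", h.lower()))
    return findings
```

Feed `hunt()` with file, registry and scheduled-task names gathered outside the hooked user-mode view; a prefix hit on a host that looks clean from within Windows is itself the signal.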
MITRE Techniques:
- T1566.001: Phishing – Spearphishing Attachment: Malicious batch scripts delivered through social engineering.
- T1071.001: Application Layer Protocol – Web Protocols: Command and control through web protocols.
- T1014: Rootkit: Deployment of r77 user-mode rootkit to evade detection.
- T1027: Obfuscated Files or Information: Malware scripts obfuscated to evade analysis.
- T1059.001: Command and Scripting Interpreter: PowerShell used to execute malware.
- T1053.005: Scheduled Task/Job: Scheduled tasks for malware persistence.
Indicators of Compromise:
- [URL] hxxps://cooinbase[.]net
- [IP Address] 86.54.42[.]120
- [File Name] sip.zip
- [Hash SHA256] E33E05D3182F46F65554FDA2127D9D1D415A986B6C635485B323558A1821F56A
- [File Name] ACPIx86.sys