New OBSCURE#BAT Malware Targets Users with Fake Captchas
OBSCURE#BAT malware campaign exploits social engineering & fake software downloads to evade detection, steal data and persist on systems. Learn how to stay safe.
Cybersecurity researchers at Securonix Threat Labs have spotted a new malware campaign called OBSCURE#BAT. This campaign uses social engineering tactics and fake software downloads to trick users into executing malicious code, enabling attackers to infect systems and avoid detection.
The attack begins with a user executing a malicious batch file, typically disguised as a legitimate security check or a software download. Once executed, the malware establishes persistence by creating scheduled tasks and modifying the Windows Registry so that it keeps running after the system reboots.
The malware then uses a user-mode rootkit to hide its presence on the system, making it difficult for users and security tools to detect. The rootkit can hide files, registry entries, and running processes, allowing the malware to embed further into legitimate system processes and services.
**Fake Captchas and Malicious Software Downloads**
As seen in recent similar campaigns, hackers have been leveraging typosquatting and social engineering tactics to present fake products as legitimate within their supply chains. This includes:
Masquerading Software: Attackers disguise their malicious files as trustworthy applications, such as Tor Browser, SIP (VoIP) software or Adobe products, increasing the chances that users will execute them.
Fake Captchas: Users may encounter a fake captcha, often imitating Cloudflare's captcha check, that tricks them into executing malicious code. These captchas typically originate from typosquatted domains that resemble legitimate sites. When users attempt to pass the captcha, they are prompted to execute a command that has been copied to their clipboard.
Fake captcha used in the attack (Screenshot Securonix)
**Evasion Techniques**
The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily due to its ability to compromise sensitive data through advanced evasion techniques. These include:
API Hooking: By using user-mode API hooking, the malware can hide files, registry entries, and running processes. As a result, common tools such as Windows Task Manager and command-line utilities cannot see certain files or processes, particularly those that follow a specific naming scheme (e.g., names starting with "$nya-").
Registry Manipulation: It registers a fake driver (ACPIx86.sys) in the registry to ensure further persistence. This driver is linked to a Windows service, allowing it to execute malicious code without raising suspicion.
Stealthy Logging: The malware monitors user interactions, such as clipboard activity, and regularly writes this data to encrypted files, further complicating detection and analysis.
**Countries Targeted in the OBSCURE#BAT Attack**
According to Securonix’s detailed technical report, shared with Hackread.com before its official release on Thursday, the malware appears to be financially motivated or aimed at espionage, targeting users primarily in the following countries:
- Canada
- Germany
- United States
- United Kingdom
**How to Protect Yourself from the OBSCURE#BAT Attack**
While common sense is a must when downloading software or clicking on unknown links, users and organizations should also follow these key security measures to protect their systems from OBSCURE#BAT and similar threats:
Clean downloads: Only download software from legitimate websites, and be wary of fake captchas and other social engineering tactics.
Use endpoint logging: For organizations, deploy endpoint logging tools, such as Sysmon and PowerShell logging, to enhance detection and response capabilities.
Monitor for suspicious activity: Regularly monitor systems for suspicious activity, such as unusual network connections or process behaviour.
Use threat detection tools: Consider using threat detection tools, such as behavioural analysis and machine learning-based systems, to detect and respond to threats like OBSCURE#BAT.
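The endpoint-logging advice above is only useful if someone turns the article's indicators into rules. The script below is an added example, not code from Securonix or Hackread, that runs simple detections over Sysmon-style process, file and registry events for the behaviours described in the Evasion Techniques section: a batch file launched from a download location, scheduled-task persistence created from a command shell, a service ImagePath pointing at the fake ACPIx86.sys driver, and any object carrying the "$nya-" prefix. The events are constructed for the example; the Downloads-folder condition and the field names are assumptions modelled on Sysmon's event schema. The point worth noticing is that a user-mode API hook cannot filter what Sysmon's kernel driver already recorded, so objects the rootkit hides from Task Manager still appear in the log.

```python
"""Scan Sysmon-style endpoint events for OBSCURE#BAT-like behaviour.

Added example. The indicator values ("$nya-" prefix, ACPIx86.sys) come from the
article; the sample events are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from typing import Iterable

HIDDEN_PREFIX = "$nya-"          # naming scheme the rootkit hides from API listings
FAKE_DRIVER = "acpix86.sys"      # fake driver registered as a Windows service
# Matches ...\Services\<name>\ImagePath (case-insensitive)
SERVICES_KEY = re.compile(r"\\services\\[^\\]+\\imagepath$", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule this single event trips (empty if benign)."""
    hits: list[str] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd_l = ev.get("CommandLine", "").lower()

    # Rule 1: a .bat run via Explorer from the user's Downloads folder (lure stage).
    # The Downloads-folder condition is an assumption for this example.
    if (eid == 1 and image.endswith("\\cmd.exe") and parent.endswith("\\explorer.exe")
            and ".bat" in cmd_l and "\\downloads\\" in cmd_l):
        hits.append("batch_from_downloads")

    # Rule 2: scheduled-task persistence created from a command shell.
    if (eid == 1 and image.endswith("\\schtasks.exe") and "/create" in cmd_l
            and parent.endswith("\\cmd.exe")):
        hits.append("schtasks_persistence")

    # Rule 3: a service ImagePath (Sysmon EventID 13, registry value set) that
    # references the fake driver name.
    if (eid == 13 and SERVICES_KEY.search(ev.get("TargetObject", ""))
            and FAKE_DRIVER in ev.get("Details", "").lower()):
        hits.append("fake_driver_service")

    # Rule 4: any file, registry object, process or command line using the hidden
    # prefix. The user-mode hook hides these from live listings, not from the log.
    for field in ("TargetFilename", "TargetObject", "Image", "CommandLine"):
        if HIDDEN_PREFIX in ev.get(field, "").lower():
            hits.append("hidden_prefix_object")
            break
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) pairs for every detection in the stream."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.append((i, rule))
    return findings


# Constructed sample events (Sysmon field names: Image, ParentImage, CommandLine,
# TargetFilename, TargetObject, Details). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\TorBrowser-Setup.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "$nya-Update" '
                    r'/tr "C:\ProgramData\$nya-svc\run.bat"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ACPIx86\ImagePath",
     "Details": r"C:\Windows\System32\drivers\ACPIx86.sys"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\ProgramData\$nya-svc\log.enc"},
    # Benign control: an admin creating a task from PowerShell, no indicators.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks.exe /create /sc daily /tn Backup /tr C:\Tools\backup.exe"},
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Run as-is, the script reports five findings across the first four events and nothing for the benign control task; feeding it real Sysmon XML or EVTX output would need a parser that maps the event data onto the same dictionary keys.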