Full Report
A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77. The activity, codenamed OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It's currently not known who is behind the campaign. The rootkit "has the ability to cloak or mask any file, registry key or task
Analysis Summary
# Tool/Technique: OBSCURE#BAT Campaign
## Overview
OBSCURE#BAT is a malware campaign that uses social engineering tactics, such as fake CAPTCHA pages or masquerading as legitimate software (like Tor Browser, VoIP, or messaging clients), to lure English-speaking victims in the US, Canada, Germany, and the UK into executing obfuscated Windows batch scripts. The ultimate goal is to establish persistence and evade detection by deploying the open-source rootkit r77 alongside a system-mode rootkit.
## Technical Details
- Type: Malware Campaign / Multi-stage Payload Delivery
- Platform: Windows
- Capabilities: Initial access via social engineering, multi-stage execution using batch scripts and PowerShell, registry modification, persistence via scheduled tasks, AMSI bypass, control-flow obfuscation, and rootkit deployment.
- First Seen: Information not explicitly stated, but the article references a report shared on Mar 14, 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described actions.*
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (implied by delivering an archive containing a script)
  - T1588 - Obtain Capabilities
    - T1588.002 - Tool (deployment of the open-source rootkit r77)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (implied by modification of registry keys for persistence)
  - T1053 - Scheduled Task/Job
    - T1053.005 - Scheduled Task
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (control-flow obfuscation and string encryption in the .NET payload)
  - T1055 - Process Injection (implied by rootkit functionality)
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (via AMSI patching)
  - T1036 - Masquerading
    - T1036.005 - Match Legitimate Name or Location (registering the fake driver `ACPIx86.sys`)
## Functionality
### Core Capabilities
- Executes obfuscated Windows batch scripts derived from archives delivered post-social engineering lure.
- Leverages PowerShell for multi-stage payload execution, registry modifications, and setting up persistence mechanisms (scheduled tasks).
- Modifies the Windows Registry to register a fake system driver (`ACPIx86.sys`).
- Deploys the user-mode rootkit `r77` to hide artifacts.
### Advanced Features
- **Evasion Techniques:** Uses control-flow obfuscation, string encryption, and function names mixing Arabic, Chinese, and special characters within the `.NET` payload.
- **AV Evasion:** Implements Antimalware Scan Interface (AMSI) patching to bypass antivirus detection.
- **Rootkit Deployment:** Uses a two-pronged approach: deploying a system-mode rootkit (`ACPIx86.sys` in `C:\Windows\System32\Drivers\`) and the user-mode rootkit `r77`.
- **Rootkit `r77` Cloaking:** The rootkit can mask or cloak any file, registry key, or task starting with a specific prefix.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names:
- `ACPIx86.sys` (Fake driver installed as a service)
- Registry Keys:
- Modification of keys for persistence.
- Modification of keys to register the fake driver.
- Network Indicators: [No specific C2 or domains provided in the text]
- Behavioral Indicators:
- Execution chains starting with obfuscated batch scripts invoking PowerShell.
- System modifications to register a driver and set scheduled tasks.
- Behavioral attempts to hide files, processes, and registry keys matching a pattern involving `$nya-`.
## Associated Threat Actors
- Unknown (Securonix has not attributed the campaign to any identified group).
## Detection Methods
- Signature-based detection: Standard hash/signature analysis against known OBSCURE#BAT components or the deployed rootkits.
- Behavioral detection: Monitoring for the execution of obfuscated batch scripts, chained PowerShell execution, AMSI patching attempts, and the registration of the `ACPIx86.sys` file as a service/driver.
- YARA rules: Rules could be built around the distinctive mix of Arabic, Chinese, and special characters in the .NET payload's function names.
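As an added example (not code from Securonix's report or from the r77 project), the following Python routine scores Sysmon-style process, file and registry events against the behavioral indicators listed above: the batch-to-PowerShell chain, scheduled-task creation, registration of `ACPIx86.sys`, and artifacts carrying the `$nya-` prefix. The event field names, the Sysmon event IDs and the sample events are this example's assumptions, not details taken from the report.

```python
import re
# Indicators come from the report above; the event shape (Sysmon-style field
# names; 1 = process create, 11 = file create, 13 = registry set) is assumed.
FAKE_DRIVER = re.compile(r"\\system32\\drivers\\acpix86\.sys$", re.IGNORECASE)
CLOAK_PREFIX = re.compile(r"(?:^|\\)\$nya-", re.IGNORECASE)  # r77 cloaking prefix
BATCH_SCRIPT = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)

def _exe(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def check_event(ev: dict) -> list:
    """Match one event against the OBSCURE#BAT behaviours; returns (rule, evidence) hits."""
    hits, eid, cmd = [], ev.get("EventID"), ev.get("CommandLine", "")
    if eid == 1:
        image, parent = _exe(ev.get("Image", "")), _exe(ev.get("ParentImage", ""))
        # cmd.exe running a .bat that spawns PowerShell: the first-stage chain.
        if image == "powershell.exe" and parent == "cmd.exe" \
                and BATCH_SCRIPT.search(ev.get("ParentCommandLine", "")):
            hits.append(("batch_to_powershell", cmd))
        if image == "schtasks.exe" and "/create" in cmd.lower():  # persistence
            hits.append(("scheduled_task_create", cmd))
    elif eid in (11, 13):
        target = ev.get("TargetFilename") or ev.get("TargetObject") or ""
        # Fake driver dropped to System32\Drivers, or a service ImagePath naming it.
        if FAKE_DRIVER.search(target) or (eid == 13 and FAKE_DRIVER.search(ev.get("Details", ""))):
            hits.append(("acpix86_driver_registered", target))
        # $nya- names are cloaked once r77 loads; creation may be the last visible trace.
        if CLOAK_PREFIX.search(target):
            hits.append(("r77_cloak_prefix", target))
    return hits

def triage(events: list) -> dict:
    """Count hits per rule over an event stream."""
    counts = {}
    for rule, _ in (h for ev in events for h in check_event(ev)):
        counts[rule] = counts.get(rule, 0) + 1
    return counts

# Constructed sample events (not real telemetry) so the module runs stand-alone.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell -w hidden -enc AAAA",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\u\Downloads\install.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": "powershell.exe",
     "CommandLine": "schtasks.exe /create /tn updater /sc onlogon"},
    {"EventID": 11, "TargetFilename": r"C:\Windows\System32\Drivers\ACPIx86.sys"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Services\ACPIx86\ImagePath",
     "Details": r"C:\Windows\System32\Drivers\ACPIx86.sys"},
    {"EventID": 13, "TargetObject": r"HKLM\Software\$nya-config\Path", "Details": "1"},
]
```

Because r77 hides every artifact that starts with its prefix once it is loaded, the file or registry creation event is often the only place the `$nya-` name is still observable, so this check belongs in the log pipeline rather than in an on-host scan.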
## Mitigation Strategies
- **Prevention:** Implement strict controls over initial access vectors (e.g., blocking access to suspicious external sites or links). Filter emails/traffic from known phishing sources.
- **Hardening:** Restrict user execution privileges to limit the impact of dropped batch scripts. Implement host-based controls to monitor for or prevent AMSI patching attempts. Ensure driver signing enforcement policies are active.
## Related Tools/Techniques
- **r77 Rootkit:** Open-source rootkit deployed by the campaign, known for its ability to cloak artifacts.
- **ClickFix Strategy:** A known social engineering tactic used here to direct users to fake CAPTCHA verification pages.
- **Malvertising/SEO Poisoning:** Suspected delivery mechanism used to lure victims to websites hosting the initial archive payload.