Researchers at Trend Micro have reported that since September 2022, cybercriminals have been using an obfuscation engine called BatCloak to conceal malicious programs. The engine hides malicious code from antivirus solutions, letting attackers deliver different malware families and exploits through heavily obfuscated batch files. Of the 784 malicious samples the researchers examined, almost 80% were not detected by any of the antivirus engines on VirusTotal.
BatCloak is the foundation of a tool called Jlaive, which builds the batch files and is able to bypass the Antimalware Scan Interface (AMSI). It also compresses and encrypts the main payload for additional evasion. Jlaive was published on GitHub and GitLab in September 2022 by a developer using the pseudonym CH2SH, described as an "Exe to Bat Crypter". Since then it has been copied, modified, and ported to other programming languages.
The final payload is delivered through a three-layer loader: a C# loader, a PowerShell loader, and a batch loader. The batch loader is the entry point; it decodes and unpacks each subsequent stage and ultimately launches the hidden malware.
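As an added illustration of the batch -> PowerShell -> .NET loader shape described above (this is example code written for this page, not Trend Micro's detection logic and not code from BatCloak or Jlaive), the following Python script triages a batch file for the artifacts such a stager typically leaves behind: a PowerShell launch with a hidden window and execution-policy bypass, an `-EncodedCommand` argument, and in-memory .NET assembly loading inside the decoded PowerShell stage. The sample batch file it scans is constructed here and is deliberately harmless; the indicator strings are assumptions about what a generic stager exposes, not signatures for BatCloak.

```python
"""Heuristic triage of batch files for a batch -> PowerShell -> .NET loader shape.

Added example for this page. Not Trend Micro's detection logic and not code
from BatCloak or Jlaive; the indicators and the sample file are constructed.
"""
import base64
import math
import re
from collections import Counter

# Constructed inner PowerShell stage: decodes bytes and loads them as a .NET
# assembly in memory. Hypothetical illustration, not a real sample.
INNER_PS = (
    "$b=[Convert]::FromBase64String('AAAA');"
    "[System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"
)
# PowerShell's -EncodedCommand expects base64 of UTF-16LE text.
ENCODED = base64.b64encode(INNER_PS.encode("utf-16-le")).decode()

# Constructed batch stub that launches the encoded PowerShell stage.
SUSPICIOUS_BAT = (
    "@echo off\r\n"
    "set \"x=%~f0\"\r\n"
    "powershell -nop -w hidden -ep bypass -EncodedCommand " + ENCODED + "\r\n"
    "exit /b\r\n"
)

# Constructed benign batch file for comparison.
BENIGN_BAT = (
    "@echo off\r\n"
    "echo Backing up logs\r\n"
    "xcopy C:\\logs D:\\backup\\logs /E /Y\r\n"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; obfuscated or encoded blobs push this upward."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_encoded_commands(text: str) -> list:
    """Return the decoded text of every -EncodedCommand style argument found."""
    pattern = r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
    decoded = []
    for match in re.finditer(pattern, text, re.IGNORECASE):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid encoded command; ignore
    return decoded


def triage_batch(text: str) -> dict:
    """Score a batch file by counting stager indicators (assumed heuristics)."""
    findings = []
    lower = text.lower()
    if re.search(r"\bpowershell(?:\.exe)?\b", lower):
        findings.append("invokes PowerShell")
    if re.search(r"-(?:w|windowstyle)\s+hidden", lower):
        findings.append("hidden window")
    if re.search(r"-(?:ep|executionpolicy)\s+bypass", lower):
        findings.append("execution policy bypass")
    stages = decode_encoded_commands(text)
    if stages:
        findings.append("encoded PowerShell command")
    for stage in stages:
        # Reflection.Assembly::Load / Add-Type are common in-memory .NET loaders.
        if re.search(r"reflection\.assembly\]?::load|add-type", stage, re.IGNORECASE):
            findings.append("in-memory .NET assembly load in decoded stage")
    return {
        "score": len(findings),
        "findings": findings,
        "decoded_stages": stages,
        "entropy": round(shannon_entropy(text.encode()), 2),
    }


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_BAT), ("benign", BENIGN_BAT)):
        result = triage_batch(sample)
        print(f"{name}: score={result['score']} entropy={result['entropy']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The script decodes the encoded stage rather than only flagging its presence, which is the step a triage analyst actually needs: the batch layer alone looks like noise, and the in-memory load only becomes visible once the PowerShell layer is recovered. Real samples add further encoding layers between stages, so in practice this loop would be repeated on each recovered stage.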
BatCloak has received many updates and adaptations since its introduction and is used in various types of attacks, including vulnerability exploitation, code injection, botnets, phishing, and malware distribution. Attackers use it to steal personal data, damage systems, or extort victims.
Countering such in-the-wild abuse involves discovering vulnerabilities, developing and applying patches, keeping antivirus signatures up to date, and teaching users the basics of cybersecurity to reduce the risk of attack.
Overall, BatCloak illustrates how attackers keep refining their methods for hiding malicious code from detection. Users and defenders should remain vigilant and keep their security controls up to date.