OBSCURE#BAT Malware via API Hooking

March 10, 2025

A sophisticated malware campaign, dubbed OBSCURE#BAT, is leveraging heavily obfuscated code and advanced evasion techniques like API hooking to deceive users into downloading a highly persistent rootkit.

According to researchers, the campaign operates like a set of Russian nesting dolls, beginning with social engineering tactics to lure victims into executing malicious batch scripts. The final payload in this chain is r77, a user-mode rootkit capable of hiding files, registry keys, and processes that match a specific prefix.

Obfuscated Code and API Hooking Conceal Malicious Activity

The attackers behind OBSCURE#BAT initiate their campaign with deceptive lures, such as fake Cloudflare captchas or fraudulent software updates for SIP VoIP, the Tor Browser, and Adobe products. When users click on these lures, they unknowingly execute highly obfuscated batch files. These files appear harmless at first glance, as they are padded with useless variables and character substitutions to evade detection.

“The batch file is heavily obfuscated, making static analysis challenging. As a result, detection rates have been minimal,” explained Securonix researchers in a blog post.

The malicious batch scripts use PowerShell to execute obfuscated commands, which can spawn additional PowerShell scripts, deploy payloads to hard drives, and modify system registries. The ultimate payload, r77, stores obfuscated scripts in the Windows Registry and operates stealthily in the background of infected systems.

A key feature of r77 is its use of API hooking, a technique that allows attackers to intercept and modify API calls by injecting malicious code into legitimate processes. This enables the rootkit to evade detection by security tools and remain invisible to users.

“What makes this malware particularly dangerous is its ability to hide files, registry entries, and running processes using user-mode API hooking,” Securonix researchers noted. “Any artifacts matching a specific pattern ($nya-) become invisible to standard Windows tools like Task Manager, Explorer, and shell commands such as ‘dir’ to list directory contents.”

Targeting Big Game?

Researchers believe that OBSCURE#BAT is primarily targeting English-speaking users, as all lures, links, and file names are in English. Additionally, the threat actors’ infrastructure is based in the United States.

While the researchers have not attributed the campaign to a specific group or country, Tim Peck, a senior threat researcher at Securonix and co-author of the blog post, suggests that the sophistication of the malware indicates the attackers may be targeting high-value individuals or organizations.

“We identified these threat actors employing tactics like typo squatting, malvertising, and fake product downloads to distribute malware (rootkits). These methods cast a wide net, lying dormant until victims are ensnared,” Peck told Dark Reading. “Given the advanced nature of the malware and the level of obfuscation used, it’s highly likely these actors were targeting individuals or organizations with valuable intellectual property, significant financial resources, or other sensitive data. Such indicators typically align with larger enterprises or organizations that have substantial security maturity.”

Mitigation Strategies

To defend against OBSCURE#BAT, Securonix recommends the following steps:

Stay Vigilant Against Social Engineering: Be cautious of fake captchas and software updates. A legitimate captcha will never copy code to your clipboard and prompt execution.

Inspect Batch Files: Review batch files in a text editor before executing them to identify suspicious content.

Enable Sysmon and PowerShell Logging: Deploy Sysmon and enable PowerShell logging on endpoints to improve detection of malicious activity, such as r77’s operations.

Adopt a Defense-in-Depth Approach: Implement layered security measures to counteract advanced techniques like API hooking and prevent persistent rootkits from embedding themselves in networks.
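As an added example (not code from Securonix, the article, or the r77 project), the script below shows what the Sysmon and PowerShell logging recommendation buys a defender against the two behaviours the article describes: a batch file spawning PowerShell with an encoded command, and artifacts carrying the $nya- prefix that r77's user-mode hooks hide. It also shows the cross-view check that counters API hooking: a hook only deceives the process it is injected into, so a listing taken from an unhooked vantage point (offline image, raw disk parse, or a process the rootkit did not hook) still shows the hidden names. The event dict shape loosely follows Sysmon event IDs 1, 11 and 13, and every path, key name, script and SID in the sample data is constructed for the demo; the $nya- prefix is the only value taken from the page.

```python
import base64
import re

# Prefix the article says r77 hides from hooked processes (from the page).
HIDDEN_PREFIX = "$nya-"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or undecodable.
    PowerShell expects the argument as base64 of the UTF-16LE script text."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_hidden_prefix(path):
    """True if any file-path or registry-key component carries r77's hide prefix."""
    return any(part.startswith(HIDDEN_PREFIX) for part in path.split("\\"))


def analyse_event(ev):
    """Return (rule, detail) findings for one Sysmon-style event dict (hypothetical shape)."""
    findings = []
    if ev["EventID"] == 1:  # ProcessCreate
        if (basename(ev["ParentImage"]) == "cmd.exe"
                and basename(ev["Image"]) in SCRIPT_HOSTS
                and ENCODED_ARG.search(ev["CommandLine"])):
            decoded = decode_encoded_command(ev["CommandLine"])
            findings.append(("batch_spawns_encoded_powershell", decoded or ev["CommandLine"]))
    elif ev["EventID"] in (11, 13):  # FileCreate / RegistryEvent (value set)
        target = ev.get("TargetFilename") or ev.get("TargetObject", "")
        if has_hidden_prefix(target):
            findings.append(("r77_hidden_prefix_artifact", target))
    return findings


def scan(events):
    """Flatten findings across a stream of events as (EventID, rule, detail) tuples."""
    return [(ev["EventID"], rule, detail) for ev in events for rule, detail in analyse_event(ev)]


def cross_view_hidden(hooked_listing, unhooked_listing):
    """Names an unhooked observer sees that are missing from a hooked process's listing.
    User-mode hooks only lie to the process they live in, so comparing two vantage
    points exposes what the rootkit is filtering out of dir/Explorer/Task Manager."""
    return sorted(set(unhooked_listing) - set(hooked_listing))


# Constructed sample telemetry; paths, key names, SID and script are made up for the demo.
SAMPLE_SCRIPT = r"Set-ItemProperty -Path HKCU:\Software\demo -Name cfg -Value 1"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -w hidden -EncodedCommand {SAMPLE_ENCODED}"},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\demo\AppData\Roaming\$nya-stage.dll"},
    {"EventID": 13,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\$nya-cfg\blob"},
    {"EventID": 13,
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    for event_id, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule} -> {detail}")
    print(cross_view_hidden(["app.dll"], ["app.dll", "$nya-stage.dll"]))
```

The decoded script is attached to the finding because the article's point is that static analysis of the padded batch file is hard; the command line PowerShell actually receives, captured by process-creation logging, is far less ambiguous. A prefix match on registry and file events is a narrow signature (r77's prefix is configurable), so the cross-view comparison is the check that survives a renamed prefix.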

Conclusion

The OBSCURE#BAT campaign highlights the growing sophistication of malware attacks, combining social engineering, obfuscation, and advanced evasion techniques to infiltrate systems. While detecting such threats is challenging, organizations can mitigate risks by staying vigilant, enhancing endpoint monitoring, and adopting a multi-layered security strategy. As cybercriminals continue to target high-value entities, proactive defense measures are essential to safeguarding sensitive data and maintaining operational resilience.
