Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits

April 14, 2025, 12:17 p.m.

Description

A stealthy malware campaign dubbed OBSCURE#BAT has been discovered that uses social engineering and deceptive file downloads to trick users into executing obfuscated code. The infection chain deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence. The malware, identified as the r77 rootkit, hides files, processes, and registry keys whose names carry a specific prefix. It relies on highly obfuscated batch scripts, PowerShell commands, and registry manipulation to establish persistence. The campaign targets English-speaking individuals through fake CAPTCHA pages, malvertising, and lures masquerading as legitimate software. The rootkit's ability to cloak malicious activity and inject into critical system processes makes it particularly dangerous and difficult to detect with conventional methods.

Date

  • Created: April 13, 2025, 10:37 a.m.
  • Published: April 13, 2025, 10:37 a.m.
  • Modified: April 14, 2025, 12:17 p.m.

Attack Patterns

  • r77 rootkit
  • QuasarRAT