Cybercrime as-a-service , Endpoint Security , Fraud Management & Cybercrime

SeroXen Malware Latest to Deploy BatCloak Evasion Tool

BatCloak Slips Batch Files Past AV and EDR Detection
SeroXen Malware Latest to Deploy BatCloak Evasion Tool
Image: Shutterstock

Malware developers are adopting an easy-to-use obfuscation tool that slips malware past antivirus, warn security researchers.

A batch file obfuscation engine known as BatCloak requires minimal programming skills to use. Among its recent successes is a recent remote access Trojan dubbed SeroXen that researchers from multiple firms said resists detection by antivirus and endpoint detection and response tools.

A SeroXen sample analyzed by AT&T in May provoked zero detections on VirusTotal. Analysis published by Trend Micro earlier this month, of hundreds of infected batch file samples taken from a public repository, concluded that BatCloak shielded 80% of the files from detection by security software. Batch files, often designated with a .bat extension, are plain text files with scripts for a command-line interpreter.

SeroXen showed up in late 2022 and retailed for $30 a month or $60 outright. It is a variation of the well-established Quasar RAT, AT&T reported. The hacker apparently behind SeroXen used a still-active website, seroxen.net, to distribute the Trojan, although the site currently says sales are suspended "as of now." The site marketed the malware as "fully undetectable," or "FUD."

TrendMicro on Thursday released analysis that says one of the techniques BatCloak uses to hide SeroXen from detection is sophisticated string manipulation, which obfuscates the malware's use of a Windows command prompt interface to designate environment variables through the set command.

SeroXen concatenates variables together to execute a command - a method malware coders use to prevent malicious commands from detection. It ultimately uses obfuscated PowerShell commands to decrypt and deliver a .net loader.

The .bat loader first came to researchers' attention as the obfuscation engine of Jlaive, an open-source batch file builder that began circulating among hackers in 2022. TrendMicro says the most recent version of the BatCloak engine is being sold as "ScrubCrypt." Its developer's decision to sell access rather than debut a new open-source tool is likely due to the success of Jlaive "as well as the desire to monetize the project and safeguard it against unauthorized replication."


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.