
OBSCURE#BAT, New Rootkit Malware Targets English Users


Securonix researchers believe that OBSCURE#BAT malware primarily targets English-speaking users, as all lures, links, and file names are in that language. Additionally, the researchers noted that the threat actors’ infrastructure is based in the United States.

While they could not attribute the malware campaign to a specific group or country, Tim Peck, senior threat researcher at Securonix and co-author of the blog post, told Dark Reading that the tactics used in OBSCURE#BAT suggest the threat actors are likely targeting large organizations.

“We identified these threat actors using tactics such as typo squatting, malvertising, and fake product downloads to distribute rootkits. These distribution methods cast a wide net, lying dormant until victims are ensnared,” said Peck. “Given the sophistication of the malware and the obfuscation techniques used, it’s highly probable these actors are targeting individuals or organizations with valuable intellectual property, significant financial resources, or sensitive data. Such characteristics typically point to larger enterprises with strong security systems.”

To mitigate OBSCURE#BAT, Securonix recommends several key steps. First, users should stay alert to social engineering attacks and avoid fake captcha scams. “A legitimate captcha will never copy code to your clipboard and prompt execution,” the researchers warned.

They also encourage organizations to review batch files in a text editor before executing them, and to deploy Sysmon and PowerShell logging on endpoints to improve detection of malicious activity such as the r77 rootkit. According to Peck, campaigns like OBSCURE#BAT are difficult to detect but not impossible to address: organizations must implement a defense-in-depth approach to counter API hooking before persistent rootkits like r77 become entrenched in their networks. Peck also recommended combining security information and event management (SIEM) with endpoint detection and response (EDR) to significantly improve detection and mitigation.
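The advice to review batch files before running them can be partly automated. The following Python script is an added example, not Securonix's tooling or anything taken from the OBSCURE#BAT report: it scores a batch file's text against a handful of obfuscation heuristics (caret-split commands, environment-variable substring tricks, hidden encoded PowerShell launches, autorun registry writes) that are assumptions of this example, and runs them over two constructed sample files.

```python
import base64
import math
import re

# Heuristic patterns. These are assumptions about common batch obfuscation
# tricks, not indicators taken from the OBSCURE#BAT report.
HEURISTICS = {
    "caret_in_word": re.compile(r"\^[A-Za-z0-9]"),            # p^o^w^e^r^s^h^e^l^l
    "env_substring": re.compile(r"%[A-Za-z_]+:~-?\d+,\d+%"),  # %COMSPEC:~4,1%
    "encoded_cmd": re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    "reg_autorun": re.compile(r"(?i)reg(\.exe)?\s+add\s+[\"']?HK(LM|CU)\\.*\\Run"),
}
# Weights are arbitrary choices for this example, not a tuned model.
WEIGHTS = {"caret_in_word": 1, "env_substring": 2, "encoded_cmd": 3,
           "hidden_window": 2, "long_base64": 2, "reg_autorun": 2}

def shannon_entropy(text: str) -> float:
    """Bits per character; heavily encoded scripts tend to score higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def review_batch(text: str) -> dict:
    """Return triggered heuristics, a weighted score, and a verdict."""
    findings = {}
    for name, rx in HEURISTICS.items():
        hits = len(rx.findall(text))
        if hits:
            findings[name] = hits
    # Cap each heuristic at 5 hits so one trick cannot dominate the score.
    score = sum(WEIGHTS[k] * min(v, 5) for k, v in findings.items())
    return {"findings": findings, "score": score,
            "entropy": round(shannon_entropy(text), 2), "suspicious": score >= 4}

# Constructed samples: a plain log-copy script and an obfuscated launcher.
BENIGN_BAT = "@echo off\nset LOGDIR=C:\\logs\nif not exist %LOGDIR% mkdir %LOGDIR%\n"
# The encoded payload is harmless UTF-16LE "Write-Host sample", built here.
SAMPLE_B64 = base64.b64encode("Write-Host sample".encode("utf-16le")).decode()
OBFUSCATED_BAT = ("@echo off\nset a=%COMSPEC:~4,1%\n"
                  "p^o^w^e^r^s^h^e^l^l -w hidden -enc " + SAMPLE_B64 + "\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_BAT), ("obfuscated", OBFUSCATED_BAT)):
        print(label, review_batch(sample))
```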
