Stealth Rootkit via CAPTCHAs

Security researchers have uncovered a sinister new threat lurking in the digital shadows. Dubbed OBSCURE#BAT by Securonix, this malware campaign is targeting users primarily in the US, Canada, Germany, and the UK through fake CAPTCHA verification pages.

It’s clever. Too clever. The attack begins when unsuspecting users encounter typosquatted domains featuring Cloudflare CAPTCHA pages that look legitimate but are actually malicious traps.

Once victims interact with these fake CAPTCHAs, they’re unknowingly downloading archives containing heavily obfuscated batch scripts. The initial payload seems innocuous, but it’s just the tip of the iceberg. PowerShell commands execute in the background, dropping additional scripts and modifying the Windows Registry. The whole operation is practically invisible to the average user.

What makes OBSCURE#BAT particularly nasty is its use of the open-source r77 rootkit. This isn’t amateur hour. The malware installs both kernel-level (“puma.ko”) and userland (“lib64/libs.so”) rootkit components that hide malicious files, processes, and registry entries from security tools. The campaign employs social engineering techniques to trick users into executing malicious batch scripts through clipboard manipulation.

It even registers a fake driver called “ACPIx86.sys” to blend in with legitimate system processes. Talk about wearing a disguise.

Persistence is the name of the game. The malware creates scheduled tasks, injects itself into critical system processes like winlogon.exe, and abuses Windows services to guarantee it sticks around after reboots. Good luck finding it without specialized tools.

While hiding in your system, OBSCURE#BAT monitors clipboard activity and command history, collecting valuable data before encrypting and sending it to command and control servers. Similar to other attacks, it utilizes Cloudflare Tunnel connections to establish secure command-and-control infrastructure.

And it does this while actively interfering with security software’s ability to detect it. With keylogging capabilities similar to other infostealer trojans, it can silently capture every keystroke you make, including passwords and sensitive financial information.

Detection is complicated by the malware’s multi-stage infection chain and memory-resident components that avoid disk-based detection. Traditional antivirus? Pretty much useless.

The attackers have thought of everything, including patching the Antimalware Scan Interface to bypass detection. They’re not messing around, and neither should your security team.
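A defender-side illustration, added here and not part of the original article or the Securonix report: a small triage script that checks the behaviours the article names (hidden or encoded PowerShell spawned under a batch-file parent, scheduled-task creation, the "ACPIx86.sys" driver load, thread injection into winlogon.exe) against constructed Sysmon-style events. The event field names and every sample value are assumptions made for the example, not real telemetry from the campaign.

```python
import os
import re

# Constructed Sysmon-style events (Event ID 1 = process create, 6 = driver load,
# 8 = CreateRemoteThread). All paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": 'cmd /c "dropper.bat"'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell -w hidden -nop -enc SQBFAFgA..."},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"schtasks /create /tn SysUpdate /tr C:\Users\Public\x.bat /sc onlogon"},
    {"id": 6, "image": r"C:\Windows\System32\drivers\ACPIx86.sys", "signed": "false"},
    {"id": 8, "source": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Windows\System32\winlogon.exe"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

# PowerShell switches that hide the window, skip profile loading, or pass an encoded script.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"-(w\s+hidden|windowstyle\s+hidden|enc\b|encodedcommand\b|nop\b)", re.I)


def basename(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def check_event(ev):
    """Return a reason string if the event matches one of the article's behaviours, else None."""
    eid = ev["id"]
    if eid == 1:
        img, parent = basename(ev["image"]), basename(ev["parent"])
        # The clipboard paste itself is not visible here; the batch-spawned PowerShell is.
        if img == "powershell.exe" and parent == "cmd.exe" and SUSPICIOUS_PS_FLAGS.search(ev["cmdline"]):
            return "hidden/encoded PowerShell launched from a batch (cmd.exe) parent"
        if img == "schtasks.exe" and parent == "powershell.exe" and "/create" in ev["cmdline"].lower():
            return "scheduled task created by PowerShell (persistence)"
    elif eid == 6:
        if basename(ev["image"]) == "acpix86.sys" or ev.get("signed", "").lower() == "false":
            return "suspicious driver load (unsigned, or name mimics an ACPI component)"
    elif eid == 8:
        if basename(ev["target"]) == "winlogon.exe" and basename(ev["source"]) != "winlogon.exe":
            return "remote thread created in winlogon.exe (process injection)"
    return None


def triage(events):
    """List of (event index, reason) for every event that matches a rule."""
    return [(i, reason) for i, ev in enumerate(events) if (reason := check_event(ev))]
```

Run against the sample, the script flags the PowerShell, schtasks, driver and injection events and leaves the plain cmd.exe and notepad.exe launches alone; in practice the rules would be fed from Sysmon or an EDR export rather than an inline list.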
