March 17, 2025

Another threat actor uses ‘ClickFix’ technique to deploy malware

An unknown threat actor has been observed executing a malware campaign, dubbed OBSCURE#BAT, that leverages social engineering tactics to distribute the open-source rootkit r77. English-speaking individuals located in the United States, Canada, Germany, and the United Kingdom have been the primary targets of the campaign.

The campaign utilizes two primary attack vectors to trick users into executing malicious batch scripts:

  1. Fake CAPTCHA verification pages: Attackers direct users to counterfeit Cloudflare CAPTCHA pages, a tactic known as ClickFix, to deceive them into executing malicious commands.
  2. Masquerading as legitimate software: The malware is disguised as genuine applications, such as Tor Browser, VoIP software, and messaging clients, to entice users into downloading and executing the malicious batch scripts.
Upon execution, the obfuscated batch script initiates a multi-stage process involving PowerShell commands that:

  • Deploy additional scripts
  • Modify Windows Registry entries
  • Establish scheduled tasks for persistence

Subsequently, a .NET payload is delivered, employing various obfuscation techniques to avoid detection. This payload drops a system-mode rootkit named "ACPIx86.sys" into the "C:\Windows\System32\Drivers" directory, launching it as a service.

Additionally, a user-mode rootkit referred to as r77 is installed to maintain persistence and conceal files, processes, and registry keys. The malware further monitors clipboard activity and command history, storing this information in hidden files for potential exfiltration.

The OBSCURE#BAT malware incorporates multiple anti-analysis techniques to evade detection and hinder security research. It first checks for indicators of a virtualized or sandboxed environment, such as running on VMware or VirtualBox, which are commonly used by analysts. If these conditions are detected, the malware halts execution to avoid being analyzed.
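A host triage script for the artifacts described above, written as an added example for this article rather than taken from Field Effect or from the OBSCURE#BAT report. It assumes the driver name and drop path exactly as reported (ACPIx86.sys under C:\Windows\System32\Drivers) and flags scheduled tasks that launch PowerShell with hidden or encoded arguments, the persistence pattern attributed to the batch stage.

```powershell
# Added example (not from the Field Effect article). Run in an elevated
# PowerShell session on the endpoint being checked.
# Assumption: the reported driver name and path are used unmodified.
$driverPath = Join-Path $env:SystemRoot 'System32\Drivers\ACPIx86.sys'
$findings   = @()

# 1. Dropped driver present on disk
if (Test-Path -LiteralPath $driverPath) {
    $findings += [pscustomobject]@{ Type = 'DriverFile'; Detail = $driverPath }
}

# 2. Driver services whose image path references the dropped driver
#    (the article says the payload launches it as a service)
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'ACPIx86\.sys' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type   = 'DriverService'
            Detail = "$($_.Name) (state: $($_.State)) -> $($_.PathName)"
        }
    }

# 3. Scheduled tasks that run PowerShell hidden or with an encoded command,
#    a common shape for the persistence the batch stage establishes
$suspiciousArgs = '(-(w|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s+\S)'
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match $suspiciousArgs) {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName): $cmd"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No OBSCURE#BAT indicators found by user-mode enumeration.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because r77 hooks user-mode enumeration to hide its files, services and tasks, an empty result from this script is not conclusive; compare it against kernel-level EDR telemetry or an offline image of the disk and registry.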

Analysis

The ClickFix social engineering technique was recently observed being used by Storm-1865 in a phishing campaign that targeted the hospitality industry. Nation-state hackers have incorporated ClickFix into their operations, including:

  • Russia's Main Intelligence Directorate (GRU), known as APT28
  • Iran's Ministry of Intelligence and Security, known as MuddyWater

The r77 rootkit is an open-source malware framework designed for stealthy persistence on Windows systems, allowing attackers to hide processes, files, and registry entries from detection.

Originally developed as a proof-of-concept, r77 has been increasingly adopted by cybercriminals for activities such as credential theft, keylogging, and remote system control. Its ability to evade traditional security tools makes it an attractive choice for financially motivated threat actors seeking to conduct fraud, identity theft, and other illicit operations.

Typically, r77 is deployed through social engineering tactics, malicious downloads, or trojanized software, often in broad campaigns targeting individuals and businesses rather than high-value espionage targets.

The stealth and persistence capabilities of r77 make it an appealing tool for nation-state actors as well. While there is no confirmed attribution of r77 being used in government-backed espionage campaigns, its features align with techniques favored by advanced persistent threat (APT) groups.

A nation-state could easily adapt r77, modifying its capabilities to conduct long-term surveillance, data exfiltration, or targeted system compromise. The availability of r77 as open-source software also means it could be repurposed with advanced customizations, making it difficult to attribute to a specific group.

Mitigation

Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats emanating from campaigns like OBSCURE#BAT. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.

To detect and prevent ClickFix-style attacks, Field Effect recommends that organizations and individuals implement email security protections, such as anti-phishing filters and domain verification (DMARC, DKIM, SPF), to help block phishing emails before they reach inboxes. Restricting the execution of risky scripting tools such as mshta.exe and wscript.exe, whether through Group Policy or through endpoint-monitoring solutions like Field Effect MDR, can also mitigate potential exploits. Keeping software updated, including operating systems, browsers, and security tools, helps patch vulnerabilities that attackers might use to gain access.

Additionally, enabling multi-factor authentication (MFA) can prevent unauthorized account access, even if credentials are stolen in a phishing attack. By combining strong user education with technical defenses, individuals and organizations can significantly reduce their risk of falling victim to this evolving phishing technique.
