Advisory March 14, 2025

ObscureBat Malware Exploits Fake CAPTCHAs to Deploy Stealthy Rootkits on Windows Systems

ObscureBat is a new malware campaign that uses social engineering to deliver the open-source r77 rootkit, enabling threat actors to establish persistence and evade detection on compromised Windows systems. The campaign targets English-speaking individuals, particularly in the United States, Canada, Germany, and the United Kingdom. It deploys the rootkit through obfuscated batch scripts and PowerShell commands and relies heavily on stealth and evasion techniques.

Description:

The ObscureBat attack begins with an obfuscated Windows batch script that executes PowerShell commands to initiate a multi-stage deployment of the r77 rootkit. The initial infection vector lures users into executing malicious batch scripts through fake CAPTCHA verification pages or by disguising the malware as legitimate software downloads (e.g., Tor Browser, VoIP software). Once executed, the script drops additional scripts, modifies the Windows Registry, and sets up scheduled tasks for persistence. The malware employs techniques such as control-flow obfuscation, string encryption, AMSI patching, and registry modifications to evade detection. Ultimately, it installs both system-mode and user-mode rootkits (ACPIx86.sys and r77, respectively) to hide files, processes, and registry keys. It also monitors the clipboard and command history, likely for data exfiltration.

Affected OS:

  • Windows systems

Recommendations:

  • Be wary of CAPTCHA prompts that seem unusual or lead to unexpected downloads.
  • Implement strong antivirus and anti-malware solutions with real-time scanning capabilities.
  • Regularly scan your system for suspicious files or processes.
  • Educate users about social engineering tactics and the risks of executing unknown scripts.
  • Monitor system for unusual registry modifications or scheduled tasks.
  • Keep operating systems and security software set to update automatically wherever possible.
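The recommendation to monitor for unusual scheduled tasks and registry modifications can be put into practice by reviewing Windows Security audit events for the launcher behaviours the description above attributes to the campaign (obfuscated batch scripts started through PowerShell, registry persistence). The following triage helper is an added example and not part of this advisory or of the referenced reports: it parses exported Windows Security events of type 4698 (scheduled task created) and 4657 (registry value modified), pulls out the task actions and registry values, and flags generic launcher patterns. The sample events are constructed for this example, and the heuristics (hidden or encoded PowerShell, execution-policy bypass, `.bat` launchers in user-writable directories, writes to well-known autostart keys) are generic detection logic, not indicators taken from ObscureBat.

```python
"""Triage Windows Security events 4698 (scheduled task created) and 4657
(registry value modified) for obfuscated batch/PowerShell launchers and
registry persistence. Sample events below are constructed; the heuristics
are generic and are not indicators from the ObscureBat campaign."""
import re
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Generic launcher heuristics, each paired with the reason that gets reported.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden PowerShell window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\.bat\b", re.I), "batch script launcher"),
    (re.compile(r"\\(temp|appdata|programdata)\\", re.I),
     "script in a user-writable data directory"),
]
# Well-known autostart locations; any write here deserves review.
PERSISTENCE_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\b|\\Winlogon\\(Shell|Userinit)\b", re.I)


def _data(event, name):
    """Fetch one <Data Name="..."> field from the event's EventData section."""
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", EVT_NS)
    return (node.text or "") if node is not None else ""


def _scan_command(line, subject):
    """Apply every launcher heuristic to a command line and label the hits."""
    return [f"{subject}: {label}" for pattern, label in SUSPICIOUS_ARGS if pattern.search(line)]


def triage_event(xml_text):
    """Return the reasons an event looks suspicious (an empty list means none)."""
    event = ET.fromstring(xml_text)
    event_id = event.findtext("e:System/e:EventID", namespaces=EVT_NS)
    reasons = []
    if event_id == "4698":
        # TaskContent carries the task definition as escaped XML; parse it again
        # after dropping any XML declaration it may carry.
        content = re.sub(r"^\s*<\?xml[^>]*\?>", "", _data(event, "TaskContent"))
        task = ET.fromstring(content)
        subject = f"task {_data(event, 'TaskName')}"
        for exe in task.iterfind(".//t:Actions/t:Exec", TASK_NS):
            cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
            args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
            reasons += _scan_command(f"{cmd} {args}", subject)
    elif event_id == "4657":
        obj, value = _data(event, "ObjectName"), _data(event, "ObjectValueName")
        if PERSISTENCE_KEYS.search(obj):
            reasons.append(f"persistence key modified: {obj}\\{value}")
        reasons += _scan_command(_data(event, "NewValue"), f"value {value}")
    return reasons


def triage_all(events):
    """Return (EventID, reasons) for every event that produced at least one reason."""
    flagged = []
    for xml_text in events:
        reasons = triage_event(xml_text)
        if reasons:
            event_id = ET.fromstring(xml_text).findtext("e:System/e:EventID", namespaces=EVT_NS)
            flagged.append((event_id, reasons))
    return flagged


# Constructed sample events, trimmed to the fields the triage uses.
TASK_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4698</EventID><Computer>WS-01.example.local</Computer></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="TaskName">\Updater</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-w hidden -ep bypass -c "cmd /c C:\Users\jdoe\AppData\Local\Temp\x.bat"&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""

# The base64 payload is a placeholder (UTF-16LE "AAA"), not a real command.
REG_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4657</EventID><Computer>WS-01.example.local</Computer></System>
<EventData><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
<Data Name="ObjectValueName">Updater</Data>
<Data Name="NewValue">powershell.exe -w hidden -enc QQBBAEEA</Data>
</EventData></Event>"""

BENIGN_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4698</EventID><Computer>WS-01.example.local</Computer></System>
<EventData><Data Name="SubjectUserName">backupsvc</Data><Data Name="TaskName">\NightlyBackup</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;C:\Program Files\Example\backup.exe&lt;/Command&gt;&lt;Arguments&gt;--nightly&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>"""

SAMPLES = [TASK_EVENT, REG_EVENT, BENIGN_EVENT]

if __name__ == "__main__":
    for event_id, reasons in triage_all(SAMPLES):
        print(f"Event {event_id}:")
        for reason in reasons:
            print("  -", reason)
```

In production the events would come from an export such as `wevtutil qe Security /f:xml` or a SIEM, with 4698 and 4657 auditing enabled; the heuristics are intentionally broad and are meant to surface candidates for analyst review rather than to serve as a standalone verdict.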


References:

  • https://thehackernews.com/2025/03/obscurebat-malware-uses-fake-captcha.html
  • https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits/