
Clever malware uses tricks to avoid anti-virus detection


TLDR:

  • New malware strain named “crypted.bat” employs advanced obfuscation techniques to evade antivirus detection.
  • Malware uses UTF-16 encoding, empty environment variables, and code injection for evasion.

Security researchers have discovered a new malware strain, known as “crypted.bat,” that utilizes sophisticated obfuscation techniques to evade detection by antivirus software. The malware was initially identified by a security analyst who found it to be undetectable by major antivirus engines on VirusTotal. The file, encoded in UTF-16, makes it challenging for reverse engineers to analyze its code. The malware also employs empty environment variables within batch scripts to conceal its true operations and dynamically generates labels to complicate analysis further.

Upon execution, the malware establishes persistence through a scheduled task and deploys a static Python environment. The payload, downloaded from a remote server, contains heavily obfuscated Python code designed for code injection using the process hollowing technique. The malware injects its code into a legitimate Windows process, such as “notepad.exe” or “svchost.exe,” to operate undetected.

Further investigation revealed that the malware communicates with a command and control server located at 15.235.176.64:7000, encrypting communications with AES for security. This discovery highlights the increasing complexity of modern malware and the challenges it poses to traditional antivirus solutions. As cyber attackers continue to innovate, it is crucial for the cybersecurity community to develop more robust measures to protect against evolving threats.
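As an added example (not code from the article or from the researchers it cites), the following Python triage script reverses the first two evasion tricks described above for a defender: it recognises a UTF-16-encoded batch file, strips references to environment variables that can only expand to nothing so the real commands become readable, and flags the scheduled-task and dynamic-label indicators the article mentions. The built-in variable list, the two-pass heuristic and the sample script are assumptions constructed for this demonstration, not the real "crypted.bat".

```python
import re

# Assumption for this example: variables Windows normally defines. Any other
# name the script never assigns is treated as expanding to an empty string.
BUILTIN_VARS = {"PATH", "TEMP", "TMP", "SYSTEMROOT", "WINDIR", "USERPROFILE",
                "APPDATA", "COMSPEC", "CD", "RANDOM", "ERRORLEVEL"}
VAR_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")
SET_STMT = re.compile(r"^\s*set\s+\"?([A-Za-z_][A-Za-z0-9_]*)\s*=", re.I | re.M)

def decode_batch(raw: bytes) -> tuple[str, str]:
    """Return (encoding, text); UTF-16 is recognised by BOM or by NUL padding."""
    if raw.startswith(b"\xff\xfe"):
        return "utf-16-le", raw[2:].decode("utf-16-le")
    if raw.startswith(b"\xfe\xff"):
        return "utf-16-be", raw[2:].decode("utf-16-be")
    odd = raw[1::2][:16]
    if len(raw) >= 4 and odd.count(0) == len(odd):
        return "utf-16-le", raw.decode("utf-16-le")
    return "ascii", raw.decode("latin-1")

def strip_empty_vars(text: str) -> str:
    """Drop %NAME% references that can only expand to '' (never set, not built in).
    Two passes: the first uncovers 'set' lines that were themselves padded, the
    second keeps references to the variables those lines define."""
    defined = set(BUILTIN_VARS)
    for _ in range(2):
        clean = VAR_REF.sub(lambda m: m.group(0) if m.group(1).upper() in defined else "", text)
        defined |= {m.group(1).upper() for m in SET_STMT.finditer(clean)}
    return clean

def triage(raw: bytes) -> dict:
    """Decode, deobfuscate and flag the indicators the article lists."""
    enc, text = decode_batch(raw)
    clean = strip_empty_vars(text)
    return {
        "encoding": enc,
        "deobfuscated": clean,
        "utf16": enc.startswith("utf-16"),
        "empty_var_padding": len(clean) < len(text),
        "dynamic_labels": bool(re.search(r"^\s*(goto|call)\s+:?%", clean, re.I | re.M)),
        "scheduled_task": "schtasks" in clean.lower(),
    }

# Constructed sample, not the real file: UTF-16 LE with BOM, split with %zq%,
# which is never assigned and therefore expands to nothing.
SAMPLE = b"\xff\xfe" + ("@echo off\r\ns%zq%et L=run\r\n"
                        "s%zq%chta%zq%sks /create /tn Upd /tr %TEMP%\\p.exe\r\n"
                        "go%zq%to %L%\r\n:run\r\n").encode("utf-16-le")
```

Running `triage(SAMPLE)` returns the readable script with all four indicators set; a plain ASCII batch file with no padding returns none of them.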
