
Malware Demo: SentinelOne VS BatCloak – Detection and Mitigation

In this video, we illustrate SentinelOne’s ability to detect, mitigate and prevent attacks that incorporate BatCloak-generated payloads. “BatCloak” refers to a shared engine found in a number of commodity ‘FUD Crypters’ sold in crime forums, marketplaces, Telegram channels and similar venues. Some versions are sold for $25, although the tool is widely available via leaks or alternate forks and repositories. Our demonstration shows a threat actor obfuscating a Redline Stealer payload via the Jlaive/Madera Crypter. The newly obfuscated payload is then dropped to a victim device and executed. SentinelOne both detects and prevents the attack.

Crypters, or obfuscation tools and packers, are used to evade endpoint security technology such as legacy AV, EDR, and XDR. The name BatCloak refers to the nested cloaking of payloads within .BAT (batch) and .PS1 (PowerShell) files; unwrapping these layers ultimately leads to the execution of the original payload.

Crypter programs that are associated with, or incorporate, BatCloak’s methods include known tools such as CryBat, Jlaive, Madera, ScrubCrypt and others. Many of these are available in open source repositories, or have been leaked to the crime forums and markets mentioned above.

Watch the demo to understand how SentinelOne’s advanced threat detection and prevention capabilities can protect your systems against threats like BatCloak. For more technical insights and cybersecurity updates, subscribe to our channel.
