Cybercriminals Exploit Common Software program Searches to Unfold FakeBat Malware

Aug 19, 2024Ravie LakshmananMalvertising / Cybercrime

Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader known as FakeBat.

“These assaults are opportunistic in nature, focusing on customers looking for fashionable enterprise software program,” the Mandiant Managed Protection group said in a technical report. “The an infection makes use of a trojanized MSIX installer, which executes a PowerShell script to obtain a secondary payload.”

FakeBat, additionally known as EugenLoader and PaykLoader, is linked to a menace actor named Eugenfest. The Google-owned menace intelligence group is monitoring the malware beneath the identify NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.

Assault chains propagating the malware make use of drive-by obtain methods to push customers looking for fashionable software program towards bogus lookalike websites that host booby-trapped MSI installers. A number of the malware households delivered by way of FakeBat embrace IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, a malware related to the FIN7 cybercrime group.

“UNC4536’s modus operandi entails leveraging malvertising to distribute trojanized MSIX installers disguised as fashionable software program like Courageous, KeePass, Notion, Steam, and Zoom,” Mandiant stated. “These trojanized MSIX installers are hosted on web sites designed to imitate respectable software program internet hosting websites, luring customers into downloading them.”

What makes the assault notable is using MSIX installers disguised as Courageous, KeePass, Notion, Steam, and Zoom, which have the flexibility to execute a script earlier than launching the primary software via a configuration known as startScript.

UNC4536 is basically a malware distributor, which means FakeBat acts as a supply car for next-stage payloads for his or her enterprise companions, together with FIN7.

“NUMOZYLOD gathers system data, together with working system particulars, area joined, and antivirus merchandise put in,” Mandiant stated. “In some variants, it gathers the general public IPv4 and IPv6 deal with of the host and sends this data to its C2, [and] creates a shortcut (.lnk) within the StartUp folder as its persistence.”

The disclosure comes slightly over a month after Mandiant additionally detailed the assault lifecycle related to anther malware downloader named EMPTYSPACE (aka BrokerLoader or Vetta Loader), which has been utilized by a financially motivated menace cluster dubbed UNC4990 to facilitate knowledge exfiltration and cryptojacking actions focusing on Italian entities.