Artificial Bat Loader Malware Spreads Extensively Via Drive-by Download Attacks
A loader-as-a-service (LaaS) known as Artificial Bat has emerged as one of the most widespread loader malware families distributed via drive-by download attacks this year, according to findings from Sekoia.
“Artificial Bat primarily focuses on fetching and executing the subsequent-stage payload, for example, IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the company said in an analysis published on Tuesday.
Drive-by attacks rely on tactics such as search engine optimization (SEO) poisoning, malvertising, and malicious code injected into compromised websites to lure users into downloading fake software installers or browser updates.
The use of malware loaders over the past few years aligns with the growing trend of building landing pages that impersonate legitimate software sites and present trojanized installers as genuine. It fits the broader picture in which phishing and social engineering remain key initial access vectors for threat actors.
Artificial Bat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.
The loader is designed to bypass security mechanisms and gives customers the option to generate builds from templates that trojanize legitimate software, as well as to monitor installations over time through an administration panel.
Early versions used an MSI format for the malware builds, but recent updates observed since September 2023 have moved to an MSIX format and added a digital signature to the installer using a valid certificate in order to evade Microsoft SmartScreen protections.
The malware is offered at $1,000 per week or $2,500 per month for the MSI format, $1,500 per week or $4,000 per month for the MSIX format, and $1,800 per week or $5,000 per month for the combined MSI and signature package.
Sekoia said it identified several activity clusters distributing Artificial Bat through three main approaches: impersonating popular software via malicious Google ads, fake web browser updates served through compromised websites, and social engineering schemes on social networks. These include campaigns likely linked to the FIN7 group, Nitrogen, and BATLOADER.
“Additionally, along with hosting payloads, Artificial Bat’s command-and-control servers probably filter traffic based on factors like User-Agent value, IP address, and location,” Sekoia said. “This facilitates the dissemination of the malware to particular targets.”
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign distributing another loader named DBatLoader (aka ModiLoader and NatsoLoader) via invoice-themed phishing emails.
It also follows the discovery of infection chains distributing Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to ultimately deploy the Lumma information stealer.
“This IDATLOADER campaign employs a sophisticated infection chain incorporating multiple layers of direct code obfuscation in addition to innovative techniques to further obscure the malignancy of the code,” said Kroll researcher Dave Truman.

“The infection process involved utilizing Microsoft’s mshta.exe to execute code hidden deep within a specially created file masquerading as a PGP Secret Key. The campaign incorporated fresh adaptations of common methodologies and extensive obfuscation to veil the malicious code from detection.”
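The mshta.exe abuse described above, where the executed content lives in a file that does not look like an HTML Application at all, is something a detection engineer can hunt for directly: legitimate mshta.exe invocations almost always point at a .hta file, so an argument with a different extension, an inline script protocol handler, or remote content is worth surfacing. The following is an added example of that heuristic, not code from Kroll, Sekoia or any of the campaigns on this page; the log format, file paths and event contents are constructed for illustration, and the severity tiers are the author's own choice.

```python
"""Hypothetical detection heuristic for suspicious mshta.exe invocations.

Input is a constructed key="value" process-creation log format; real telemetry
(e.g. Sysmon Event ID 1 or Windows Security 4688) carries the same fields.
"""
import re
from typing import Dict, List, Optional

# Constructed sample events: not real telemetry, paths and timestamps are invented.
SAMPLE_EVENTS = [
    r'ts=2024-06-25T10:01:02Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\alice\Downloads\readme.hta"',
    r'ts=2024-06-25T10:03:15Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe C:\Users\alice\AppData\Local\Temp\secret_key.pgp"',
    r'ts=2024-06-25T10:04:40Z parent="C:\Users\alice\Downloads\setup.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe javascript:placeholder_obfuscated_script"',
    r'ts=2024-06-25T10:05:01Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'ts=2024-06-25T10:06:09Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\mshta.exe" cmdline="mshta.exe https://intranet.example.local/legacy/app.hta"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Protocol handlers that let mshta.exe run script straight from the command line.
INLINE_PROTOCOLS = ("javascript:", "vbscript:", "about:")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict (values contain no quotes here)."""
    return {key: value for key, value in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_mshta(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious mshta.exe launch, or None if it looks benign."""
    if basename(event.get("image", "")) != "mshta.exe":
        return None
    parts = event.get("cmdline", "").split(None, 1)
    if len(parts) < 2:
        return None  # launched with no argument: nothing is executed
    arg = parts[1].strip().strip('"')
    low = arg.lower()
    if low.startswith(INLINE_PROTOCOLS):
        reason, severity = "inline script protocol handler", "high"
    elif low.startswith(("http://", "https://")):
        reason, severity = "remote content", "medium"
    elif not low.endswith(".hta"):
        # The page's case: script hidden in a file posing as something else (here a PGP key).
        reason, severity = "non-.hta file argument", "high"
    else:
        return None
    return {
        "ts": event.get("ts", ""),
        "parent": event.get("parent", ""),
        "arg": arg,
        "reason": reason,
        "severity": severity,
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the heuristic over a list of log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = classify_mshta(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} parent={f['parent']} reason={f['reason']} arg={f['arg']}")
```

On the constructed input the benign local .hta launch and the notepad event pass, while the PGP-named file, the inline script handler and the remote URL are each reported with a different reason. In production the "remote content" and "non-.hta" tiers need an allowlist of known internal applications, and the parent process (a freshly downloaded installer, as in the third event) is usually a stronger signal than the argument alone.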
Phishing campaigns have also been observed delivering Remcos RAT, and a new Eastern European threat actor named Unfurling Hemlock has been using loaders and emails to distribute binary files that act as a “cluster bomb,” dropping several malware strains at once.
“The malware being dispersed via this method mostly comprises stealers, such as RedLine, RisePro, and Mystic Stealer, and loaders like Amadey and SmokeLoader,” said Outpost24 researcher Hector Garcia.
“The majority of initial stages were detected being sent via email to various companies or being extracted from external sites contacted by external loaders.”