Cybersecurity researchers have detected a rise in malware infections originating from malvertising campaigns that distribute a loader known as FakeBat.
“These assaults are chance-driven, focusing on users searching for popular corporate software,” the Mandiant Managed Defense team stated in a technical analysis. “The infection employs a tampered MSIX installer, which triggers a PowerShell script to fetch a secondary payload.”
FakeBat, also known as EugenLoader and PaykLoader, is associated with a threat actor called Eugenfest. The Google-owned threat intelligence team tracks the malware as NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.
The attack chains distributing the malware use drive-by download techniques to steer users searching for popular software towards counterfeit lookalike sites that host rigged MSI installers. Malware families delivered through FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.
“UNC4536’s approach involves exploiting malvertising to distribute tampered MSIX installers camouflaged as prominent software such as Brave, KeePass, Notion, Steam, and Zoom,” Mandiant mentioned. “These tampered MSIX installers are featured on websites imitating authentic software hosting platforms, tempting users to download them.”
What distinguishes the attack is its use of MSIX installers masquerading as Brave, KeePass, Notion, Steam, and Zoom: an MSIX package can run a script before launching the main application through a configuration option known as startScript.
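As an added triage example (not Mandiant's tooling and not code from the original article), the helper below shows how a defender can inspect an MSIX package for that pre-launch hook. It relies on two facts about the format: an MSIX is a ZIP container, and the Package Support Framework (PSF) reads a `config.json` from the package root in which each entry of `applications` may carry a `startScript` (or `endScript`) object with a `scriptPath`. The sample package it scans is constructed in memory; the application id, executable path and script name are placeholders.

```python
"""Flag MSIX packages whose PSF config.json declares a startScript/endScript.

Added example for analysts triaging suspicious installers; it is not part of
the article or of Mandiant's tooling. Assumes the PSF config.json layout:
{"applications": [{"id": ..., "executable": ..., "startScript": {"scriptPath": ...}}]}
"""
import io
import json
import zipfile

# PSF hook names that cause a script to run around the main application.
SCRIPT_KEYS = ("startScript", "endScript")
# Extensions an analyst would want to pull out of the package and read.
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def find_psf_scripts(msix_bytes: bytes) -> list[dict]:
    """Return one finding per PSF script hook declared in the package.

    Each finding records the application id, which hook it is, the script
    path, whether that script is actually shipped inside the package, and
    whether the extension is one we consider worth manual review.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        names = set(zf.namelist())
        if "config.json" not in names:
            return findings  # no PSF config, so no startScript hook possible
        # utf-8-sig tolerates a BOM, which tools sometimes prepend.
        cfg = json.loads(zf.read("config.json").decode("utf-8-sig"))
        for app in cfg.get("applications", []):
            for key in SCRIPT_KEYS:
                hook = app.get(key)
                if not isinstance(hook, dict):
                    continue
                path = str(hook.get("scriptPath", ""))
                findings.append({
                    "app": app.get("id", "?"),
                    "hook": key,
                    "script": path,
                    "script_in_package": path in names,
                    "args": hook.get("scriptArguments", ""),
                    "review": path.lower().endswith(SCRIPT_EXTS),
                })
    return findings


def build_sample_package(with_script: bool) -> bytes:
    """Construct a minimal MSIX-shaped ZIP in memory (constructed test data)."""
    app = {"id": "SampleApp", "executable": "VFS\\ProgramFilesX64\\Sample\\app.exe"}
    if with_script:
        app["startScript"] = {
            "scriptPath": "StartingScript.ps1",   # placeholder script name
            "scriptArguments": "",
            "runOnce": False,
            "waitForScriptToFinish": True,
        }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package/>")  # stand-in manifest
        zf.writestr("config.json", json.dumps({"applications": [app]}))
        if with_script:
            zf.writestr("StartingScript.ps1", "# placeholder script body\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Run against a real package with: find_psf_scripts(open(path, "rb").read())
    for finding in find_psf_scripts(build_sample_package(True)):
        print(finding)
```

The check is deliberately narrow: the presence of a startScript is not proof of malice (legitimate PSF packages use it too), but it identifies exactly the hook this campaign abuses, and `script_in_package` tells the analyst whether the script can be extracted from the archive for review or must be fetched from elsewhere at runtime.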
UNC4536 essentially acts as a malware distributor: FakeBat serves as a delivery vehicle for next-stage payloads on behalf of its business partners, including FIN7.
“NUMOZYLOD collects system data comprising operating system specifics, domain registration, and installed antivirus tools,” Mandiant revealed. “In certain alterations, it retrieves the public IPv4 and IPv6 address of the host and dispatches this data to its C2, [as well as] creates a shortcut (.lnk) in the StartUp directory for its endurance.”

The disclosure comes a little over a month after Mandiant also detailed the attack chain associated with another malware downloader named EMPTYSPACE (also known as BrokerLoader or Vetta Loader), which a financially motivated threat cluster tracked as UNC4990 has used to enable data exfiltration and cryptojacking operations targeting Italian organizations.