Hackers Exploit Popular Software Searches to Distribute BogusBat Malware
Security researchers have uncovered a rise in malware infections originating from malvertising campaigns that distribute a loader called BogusBat.
“These incidents are driven by circumstances, targeting individuals searching for well-known business applications,” the Mandiant Managed Defense team stated in a technical analysis. “The infection deploys a tampered MSIX installer, which runs a PowerShell script to fetch a secondary payload.”
BogusBat, also known as EugenLoader and PaykLoader, is linked to a threat actor called Eugenfest. The Google-owned threat intelligence team tracks the malware under the name NUMOZYLOD and attributes the Malware-as-a-Service (MaaS) operation to UNC4536.
Attack chains delivering the malware use drive-by download techniques to redirect users searching for popular software to counterfeit look-alike sites that host trojanized MSI installers. Some of the malicious payloads delivered through BogusBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.
“UNC4536’s approach involves utilizing malvertising to disseminate tampered MSIX installers masked as prominent software like Brave, KeePass, Notion, Steam, and Zoom,” Mandiant said. “These tampered MSIX installers are hosted on websites created to imitate genuine software hosting platforms, enticing users to download them.”
What sets this attack apart is the use of MSIX installers posing as Brave, KeePass, Notion, Steam, and Zoom, which can run a script before launching the main application through a configuration known as startScript.
UNC4536 is essentially a malware distributor: BogusBat serves as a delivery vehicle for follow-on payloads on behalf of its business partners, including FIN7.
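One defender-side check the startScript mechanism suggests, as an added example that is not taken from Mandiant's report: an MSIX package is a ZIP container, and the startScript hook is declared in the Package Support Framework's config.json, so a triage script can list every script an installer would run before its main application and flag ones that run with a hidden window. The config.json field names (applications, startScript, scriptPath, showWindow) follow the PSF layout as I know it and are an assumption; the sample package is constructed inline.

```python
import io
import json
import zipfile

def build_sample_msix() -> bytes:
    """Constructed sample: minimal MSIX-style ZIP with a PSF config.json (assumed schema)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", "<Package/>")  # stand-in manifest
        z.writestr("config.json", json.dumps({
            "applications": [{
                "id": "App",
                "startScript": {
                    "scriptPath": "StartingScript.ps1",
                    "showWindow": False,
                },
            }]
        }))
        z.writestr("StartingScript.ps1", "# placeholder script body")
    return buf.getvalue()

def find_psf_scripts(msix_bytes: bytes) -> list:
    """List startScript/endScript hooks declared in any PSF config.json inside an MSIX."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            if not name.lower().endswith("config.json"):
                continue
            try:
                cfg = json.loads(z.read(name))
            except ValueError:
                continue  # not a PSF config; ignore
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    script = app.get(hook)
                    if not isinstance(script, dict):
                        continue
                    path = script.get("scriptPath", "")
                    hits.append({
                        "config": name,
                        "app": app.get("id"),
                        "hook": hook,
                        "scriptPath": path,
                        # simplified: path checked against the package root only
                        "script_in_package": path in names,
                        "hidden_window": script.get("showWindow") is False,
                    })
    return hits
```

Any hit with a hidden window and a PowerShell script path is worth pulling out of the package for manual review before the installer is allowed to run.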
“NUMOZYLOD collects system specifics, including operating system particulars, domain connections, and installed antivirus software,” Mandiant said. “In certain variants, it retrieves the public IPv4 and IPv6 address of the host and transmits this data to its C2, [and] crafts a shortcut (.lnk) in the StartUp directory for its persistence.”

The disclosure comes a little over a month after Mandiant also detailed the lifecycle of another malware downloader named EMPTYSPACE (aka BrokerLoader or Vetta Loader), used by a financially motivated threat cluster tracked as UNC4990 to facilitate data exfiltration and cryptojacking activity targeting Italian entities.