Online Criminals Exploit Trending Software Searches to Spread FakeBat Malware
Experts in cybersecurity have identified a rise in malicious software infiltrations attributed to deceptive advertising campaigns disseminating a loader known as FakeBat.
“These assaults capitalize on current trends by targeting users looking for widely-used business applications,” as outlined in a technical analysis by the Mandiant Managed Defense team. “The infection involves a corrupted MSIX installer that triggers a PowerShell script to download a secondary payload.”
FakeBat, also identified as EugenLoader and PaykLoader, is affiliated with a threat actor named Eugenfest. The Google-owned intelligence unit is monitoring the malware under the moniker NUMOZYLOD and has assigned the Malware-as-a-Service (MaaS) endeavor to UNC4536.
Attack chains spreading the malware use drive-by download techniques to redirect people searching for popular software to counterfeit websites hosting rigged MSI installers. Some of the malware families delivered through FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak, a malicious program connected with the FIN7 cybercrime syndicate.
“UNC4536’s tactics involve utilizing deceptive advertising to disseminate manipulated MSIX installers masked as popular software such as Brave, KeePass, Notion, Steam, and Zoom,” Mandiant highlighted. “These altered MSIX installers are hosted on platforms mimicking legitimate software repositories, enticing users to download them.”
What sets this operation apart is the use of MSIX installers camouflaged as Brave, KeePass, Notion, Steam, and Zoom, which can run a script before launching the main application through a configuration known as startScript.
Essentially, UNC4536 operates as a malware distributor, with FakeBat acting as the delivery vehicle for follow-on payloads belonging to its commercial associates, including FIN7.
“NUMOZYLOD collects system data, including specifics about the operating system, domain association, and present antivirus solutions,” according to Mandiant. “In some versions, it retrieves the public IPv4 and IPv6 address of the host and transmits this data to its Command and Control server, [and] creates a shortcut (.lnk) in the StartUp directory for persistence.”
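The two host-level behaviours described above (an MSIX package that runs a script before its main application via startScript, and a persistence shortcut dropped in the StartUp folder) can both be checked for on a Windows endpoint. The PowerShell below is an added example for defenders and is not code from the article or from Mandiant. It assumes a Windows 10/11 host with the built-in Appx module, that any startScript hook lives in the Package Support Framework's documented `config.json` at the package's install location, and that the 30-day "recent" threshold is an arbitrary choice for triage.

```powershell
# Added example (not from the article): triage checks for MSIX startScript hooks
# and for recently created StartUp-folder shortcuts on the local host.
# Assumptions: Appx module present; PSF layout of <InstallLocation>\config.json;
# the recency threshold is arbitrary.

function Find-MsixStartScript {
    # Enumerate installed MSIX/Appx packages and report any whose Package
    # Support Framework config.json declares a startScript or endScript hook.
    [CmdletBinding()]
    param()
    foreach ($pkg in Get-AppxPackage) {
        if (-not $pkg.InstallLocation) { continue }
        $cfg = Join-Path $pkg.InstallLocation 'config.json'
        if (-not (Test-Path -LiteralPath $cfg)) { continue }
        try {
            $json = Get-Content -LiteralPath $cfg -Raw | ConvertFrom-Json
        } catch {
            Write-Warning "Unparseable config.json in $($pkg.PackageFullName)"
            continue
        }
        foreach ($app in @($json.applications)) {
            foreach ($hook in 'startScript', 'endScript') {
                $s = $app.$hook
                if ($null -eq $s) { continue }
                # Surface the signing state alongside the hook so an analyst
                # can spot a "Brave" or "Zoom" package that is not store/enterprise signed.
                [pscustomobject]@{
                    Package    = $pkg.PackageFullName
                    Publisher  = $pkg.Publisher
                    Signature  = $pkg.SignatureKind
                    Hook       = $hook
                    ScriptPath = $s.scriptPath
                    Arguments  = $s.scriptArguments
                    ConfigFile = $cfg
                }
            }
        }
    }
}

function Get-StartupShortcuts {
    # List .lnk files in the per-user and all-users StartUp folders, resolve
    # their targets, and flag those created within the last N days.
    [CmdletBinding()]
    param([int]$NewerThanDays = 30)   # arbitrary triage window
    $cutoff  = (Get-Date).AddDays(-$NewerThanDays)
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $folders) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Created    = $_.CreationTime
                    IsRecent   = ($_.CreationTime -ge $cutoff)
                    Target     = $lnk.TargetPath
                    Arguments  = $lnk.Arguments
                    WorkingDir = $lnk.WorkingDirectory
                }
            }
    }
}

# Usage: review every package that runs a script around its main executable,
# then every StartUp shortcut created recently, with its resolved target.
Find-MsixStartScript | Format-Table -AutoSize
Get-StartupShortcuts -NewerThanDays 30 | Where-Object IsRecent | Format-List
```

A startScript entry is a legitimate PSF feature, so the first list is a review queue rather than an alert: the signal is a package impersonating a well-known product whose signature is not from that vendor and whose hook launches PowerShell. Likewise, the StartUp check resolves the shortcut target so that a `.lnk` pointing at a script interpreter or an unusual user-writable path stands out from ordinary application shortcuts.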

This revelation comes a bit over a month after Mandiant also outlined the attack lifecycle linked to another malware downloader known as EMPTYSPACE (or BrokerLoader or Vetta Loader), utilized by a financially driven threat faction dubbed UNC4990 to enable data theft and crypto mining activities targeting Italian organizations.