Introduction
Security researchers have recently exposed a significant surge in malware infections from malvertising campaigns. These campaigns distribute a loader known as FakeBat and target users searching for popular business software. According to the Mandiant Managed Defense team's technical report, "The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload."
The Mechanics of FakeBat Malware
1. Trojanized MSIX Installers
FakeBat, also called EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. Google's threat intelligence team tracks this malware as NUMOZYLOD and attributes it to the Malware-as-a-Service (MaaS) operation UNC4536. The malware's primary delivery mechanism is trojanized MSIX installers disguised as legitimate software such as Brave, KeePass, Notion, Zoom, and Steam.
2. Malvertising Campaigns
UNC4536 uses malvertising as an attack methodology to spread these trojanized installers. Malvertising involves embedding malicious advertisements on legitimate websites to encourage users to download compromised business software. Once users click on these ads, they are often redirected to bogus sites where these trojanized MSIX installers are hosted.
3. Drive-By Downloads
Attack chains propagating FakeBat use drive-by download techniques. The booby-trapped MSIX installers then execute PowerShell scripts to download secondary payloads. Malware delivered via FakeBat includes IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak, which is associated with the notorious FIN7 cybercrime group.
Impact and Implications
- System Information Gathering
NUMOZYLOD, the name under which Google tracks this malware, gathers comprehensive system information, including operating system details, domain membership, public IPv4 and IPv6 addresses, and installed antivirus products.
- Persistence Mechanisms
FakeBat creates shortcuts (.lnk files) in the Startup folder. This ensures the malware runs every time the system restarts, making it harder to remove.
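The two stages described above, a PowerShell download stage and a Startup-folder shortcut for persistence, both leave artifacts a defender can audit on an endpoint. The script below is an added example written for this article; it is not code from the article, from Mandiant or from Google, and it is not a FakeBat-specific signature. It enumerates the per-user and all-users Startup folders, resolves each .lnk shortcut's target and arguments through the WScript.Shell COM object, and flags shortcuts that launch a script host, point into a user-writable location, reference a file that no longer exists, or carry common download-and-decode indicators in their arguments. The script-host list, path prefixes and indicator strings are assumptions chosen for illustration and should be tuned to your environment.

```powershell
# Added example for this article (not from the article, Mandiant or Google).
# Audits Startup-folder shortcuts and flags those that look like a
# persistence entry for a script-based downloader. All lists below are
# assumptions for illustration, not FakeBat indicators of compromise.

$ScriptHosts = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                 'mshta.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')

# Locations a standard user can write to; binaries launched from here at logon deserve a look.
$UserWritablePrefixes = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA,
                          "$env:USERPROFILE\Downloads", $env:PUBLIC)

# Substrings commonly seen in download-cradle or obfuscated command lines (assumed list).
$ArgumentIndicators = @('-enc', '-encodedcommand', 'frombase64string', 'downloadstring',
                        'downloadfile', 'invoke-webrequest', 'iwr ', 'iex ',
                        'invoke-expression', 'net.webclient', 'bypass', 'hidden')

function Get-StartupShortcutReport {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }

        Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk       = $shell.CreateShortcut($_.FullName)
                $target    = [string]$lnk.TargetPath
                $arguments = [string]$lnk.Arguments
                $reasons   = @()

                # 1. Shortcut launches a script host rather than an application.
                $exe = [IO.Path]::GetFileName($target).ToLowerInvariant()
                if ($ScriptHosts -contains $exe) { $reasons += "target is script host ($exe)" }

                # 2. Target lives in a user-writable location.
                foreach ($prefix in $UserWritablePrefixes) {
                    if ($prefix -and $target.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                        $reasons += "target under user-writable path ($prefix)"
                        break
                    }
                }

                # 3. Arguments contain download/decode indicators.
                $lower = $arguments.ToLowerInvariant()
                foreach ($indicator in $ArgumentIndicators) {
                    if ($lower.Contains($indicator)) { $reasons += "argument indicator '$($indicator.Trim())'" }
                }

                # 4. Target no longer exists (a common leftover after partial cleanup).
                if ($target -and -not (Test-Path -LiteralPath $target)) { $reasons += 'target file missing' }

                [PSCustomObject]@{
                    Shortcut   = $_.FullName
                    Created    = $_.CreationTime
                    Target     = $target
                    Arguments  = $arguments
                    Suspicious = ($reasons.Count -gt 0)
                    Reasons    = ($reasons -join '; ')
                }
            }
    }
}

# Run the audit and show suspicious entries first.
Get-StartupShortcutReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it in a normal user session as well as an elevated one, since the per-user Startup folder differs per account. Legitimate software (cloud-sync clients, vendor updaters) will also appear in the output, so treat a "Suspicious" row as something to review against the shortcut's creation time and the user's recent installs, not as something to delete automatically.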
- Delivery of Next-Stage Payloads
As a prominent malware distributor, UNC4536 partners with other cybercriminal organizations, deploying malware such as Carbanak for the FIN7 group. This collaboration facilitates various malicious activities, from data theft to cryptojacking.
Protecting Yourself From FakeBat Malware
- Download from Official Sources
- Examine URLs Thoroughly
- Utilize Robust Security Software
- Awareness and Education
~ Author : Hashan Nethkalum ~