
Cybercriminals are abusing popular software searches to spread FakeBat malware

August 19, 2024 | Ravie Lakshmanan | Malvertising / Cybercrime


Cybersecurity researchers have discovered an increase in malware infections stemming from malvertising campaigns that distribute a loader called FakeBat.

“These attacks are opportunistic in nature and target users looking for popular enterprise software,” the Mandiant Managed Defense team said in a technical report. “The infection leverages a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload.”

FakeBat, also known as EugenLoader and PaykLoader, is linked to a threat actor called Eugenfest. Google’s threat intelligence team is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.


Attack chains spreading the malware use drive-by download techniques to steer users searching for popular software to lookalike sites hosting booby-trapped MSI installers. Malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.

“UNC4536’s modus operandi involves leveraging malvertising to distribute Trojanized MSIX installers disguised as popular software such as Brave, KeePass, Notion, Steam, and Zoom,” Mandiant said. “These Trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, tricking users into downloading them.”


What makes the attack so striking is the use of MSIX installers impersonating Brave, KeePass, Notion, Steam, and Zoom. These can execute a script before the main application is launched, via a configuration called startScript.
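As an added illustration that is not part of the original article, the following Python script shows how a defender can triage a downloaded MSIX package for the startScript mechanism described above: it opens the package as a ZIP archive and reports every application entry whose Package Support Framework config.json declares a pre-launch script. The config.json layout is assumed to follow the documented PSF schema, and the package contents are constructed in-memory samples, not files from the campaign.

```python
import io
import json
import zipfile

# An MSIX package is a ZIP archive. If it bundles the Package Support Framework,
# a config.json inside it can declare a "startScript" for an application entry,
# and that script runs before the application's own executable starts.
# The config.json layout below follows the documented PSF schema (assumption).


def find_start_scripts(msix_bytes: bytes) -> list[dict]:
    """Report every application entry in the package that declares a startScript."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        names = {n.lower(): n for n in pkg.namelist()}
        if "config.json" not in names:
            return findings  # no PSF config present, nothing to flag
        config = json.loads(pkg.read(names["config.json"]))
        for app in config.get("applications", []):
            script = app.get("startScript")
            if not script:
                continue
            findings.append({
                "app_id": app.get("id", "?"),
                "executable": app.get("executable", "?"),
                "script": script.get("scriptPath", "?"),
                "args": script.get("scriptArguments", ""),
                # False means the script may run outside the package container
                "in_container": script.get("runInVirtualEnvironment", True),
            })
    return findings


def build_sample_msix() -> bytes:
    """Constructed sample: a minimal ZIP laid out like a PSF-packaged MSIX."""
    config = {"applications": [
        {"id": "App", "executable": "VFS\\ProgramFilesX64\\app\\app.exe",
         "startScript": {"scriptPath": "launch.ps1", "scriptArguments": "",
                         "runInVirtualEnvironment": False, "showWindow": False,
                         "waitForScriptToFinish": False}},
        {"id": "Helper", "executable": "helper.exe"},  # benign: no script
    ]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", "<Package/>")  # placeholder manifest
        pkg.writestr("config.json", json.dumps(config))
        pkg.writestr("launch.ps1", "# constructed placeholder script")
    return buf.getvalue()
```

Run `find_start_scripts` over a real package to list any pre-launch scripts before the installer is trusted; a package whose only purpose should be to install a well-known desktop application has no reason to carry one.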

UNC4536 is in fact a malware distributor, meaning FakeBat acts as a delivery vehicle for the next phase of payloads for their business partners, including FIN7.

“NUMOZYLOD collects system information, including details about the operating system, domain affiliation, and installed antivirus products,” Mandiant said. “In some variants, it collects the public IPv4 and IPv6 address of the host and sends this information to its C2, (and) creates a shortcut (.lnk) in the StartUp folder for persistence.”


The revelation comes just over a month after Mandiant also detailed the attack cycle of another malware downloader dubbed EMPTYSPACE (also known as BrokerLoader or Vetta Loader), which was used by a financially motivated threat cluster dubbed UNC4990 to facilitate data exfiltration and cryptojacking activities targeting Italian entities.
