New Malware Loader FakeBat Targets Users with SEO Poisoning and Fake Updates

Jul 3, 2024 | News





The Loader-as-a-Service (LaaS) known as FakeBat, also tracked as EugenLoader and PaykLoader, has become one of the most widely distributed loader families of 2024, according to analysis published by cybersecurity firm Sekoia. It reaches victims almost exclusively through drive-by downloads: the user is lured into fetching and running what looks like a legitimate installer or update.

Distribution Techniques

FakeBat relies on three drive-by techniques to get its installer onto a machine:

  1. Search Engine Optimization (SEO) Poisoning: manipulating search results so that queries for popular software lead to attacker-controlled download pages.
  2. Malvertising: placing malicious advertisements that redirect users to those pages.
  3. Compromised Sites: injecting malicious code into legitimate websites so that visitors are prompted to download a fake software update or installer.

Loader Malware Functionality

FakeBat's job is to download and execute next-stage payloads; the families observed being delivered include, but are not limited to:

  • IcedID
  • Lumma
  • RedLine
  • SmokeLoader
  • SectopRAT
  • Ursnif


Evolution and Features

Initial Versions: early FakeBat builds were delivered as MSI installers.

Recent Developments: since September 2023, newer builds have moved to the MSIX package format and are digitally signed with valid certificates so that Microsoft SmartScreen does not warn on them. Note that a valid signature only proves that the signer held a certificate and the package has not been altered since signing; it says nothing about what the package does when it runs.
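Because a signed MSIX package sails past SmartScreen, the practical question for a defender is what the package does at install or first launch. The following is an added example, not code from Sekoia or from the article: a Python triage routine that treats an MSIX as the ZIP container it is, pulls the claimed identity and publisher from AppxManifest.xml, records whether an AppxSignature.p7x is present, and lists any bundled script files plus any launch-time script configured through a Package Support Framework config.json (the applications[].startScript.scriptPath layout follows the public PSF documentation; treating a configured start script as a finding is this example's own heuristic, not something the article states about FakeBat). The two sample packages are constructed in memory for illustration and are not real FakeBat samples.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# An MSIX package is a ZIP container; these are the members the triage inspects.
MANIFEST = "AppxManifest.xml"
SIGNATURE = "AppxSignature.p7x"      # present when the package is signed
PSF_CONFIG = "config.json"           # Package Support Framework configuration
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}


def triage_msix(package_bytes: bytes) -> dict:
    """Summarise who a package claims to be and whether it runs scripts."""
    report = {"identity": None, "publisher": None, "display_name": None,
              "signed": False, "scripts": [], "psf_start_scripts": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = z.namelist()
        report["signed"] = SIGNATURE in names
        if MANIFEST in names:
            root = ET.fromstring(z.read(MANIFEST))
            ident = root.find("m:Identity", NS)
            if ident is not None:
                report["identity"] = ident.get("Name")
                report["publisher"] = ident.get("Publisher")
            dn = root.find("m:Properties/m:DisplayName", NS)
            if dn is not None:
                report["display_name"] = dn.text
        # Any script shipped inside the package can be run by PSF or by the app itself.
        report["scripts"] = sorted(n for n in names if n.lower().endswith(SCRIPT_EXTS))
        # PSF config.json: applications[].startScript.scriptPath runs when the app launches.
        for n in names:
            if n.lower().endswith(PSF_CONFIG):
                cfg = json.loads(z.read(n))
                for app in cfg.get("applications", []):
                    start = app.get("startScript", {})
                    if start.get("scriptPath"):
                        report["psf_start_scripts"].append(start["scriptPath"])
    # Heuristics (this example's own, not from the article):
    if report["psf_start_scripts"]:
        report["findings"].append("PSF startScript runs a script when the app launches")
    if report["scripts"] and not report["psf_start_scripts"]:
        report["findings"].append("package bundles script files")
    if report["findings"] and report["signed"]:
        report["findings"].append("signed package: the signature vouches for the signer, not for the payload")
    return report


def build_sample(identity: str, publisher: str, display: str, files: dict) -> bytes:
    """Assemble a minimal constructed MSIX-like ZIP for testing (not a real package)."""
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="{identity}" Publisher="{publisher}" Version="1.0.0.0"/>
  <Properties><DisplayName>{display}</DisplayName></Properties>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a plain package and one that runs a script at launch.
BENIGN = build_sample("Contoso.Notes", "CN=Contoso", "Contoso Notes",
                      {"app.exe": b"MZ..."})
SUSPICIOUS = build_sample(
    "Vendor.Installer", "CN=Some Signer", "Popular Software Installer",
    {SIGNATURE: b"\x30\x82",              # placeholder bytes; a real file is PKCS#7
     "app.exe": b"MZ...",
     PSF_CONFIG: json.dumps({"applications": [{
         "id": "App", "executable": "app.exe",
         "startScript": {"scriptPath": "install.ps1", "waitForScriptToFinish": True}}]}),
     "install.ps1": b"# constructed placeholder script\n"})

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, json.dumps(triage_msix(pkg), indent=2))
```

Run against a real package the routine only reads the container; it does not validate the PKCS#7 signature, so pair it with signtool or Get-AuthenticodeSignature when you need to know who actually signed the file and whether that signer matches the Publisher the manifest claims.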

Service Model: FakeBat has been sold on a subscription basis by a Russian-speaking threat actor known as Eugenfest (aka Payk_34) since at least December 2022. The advertised prices are:

  • MSI Format: $1,000 per week or $2,500 per month.
  • MSIX Format: $1,500 per week or $4,000 per month.
  • Combined MSI and Signature Package: $1,800 per week or $5,000 per month.

Attack Vectors and Clusters

Sekoia has identified three primary distribution clusters for FakeBat:

  1. Impersonating Popular Software: malicious Google ads that redirect users to look-alike download pages for well-known applications.
  2. Fake Web Browser Updates: compromised sites that prompt visitors to "update" their browser.
  3. Social Engineering: posts on social networks that deceive users into downloading the malicious installer.

Sekoia links these campaigns to several threat groups, including FIN7, Nitrogen, and BATLOADER.




Command-and-Control (C2) Servers

Sekoia assesses that FakeBat C2 servers likely filter incoming traffic on values such as the User-Agent header, the source IP address and its geolocation, serving payloads only to connections that look like intended victims. A practical consequence is that a request replayed from a sandbox, a VPN exit or a researcher's network may receive nothing, so an empty C2 response should not be read as the infrastructure being dead.

Related Threats and Campaigns

DBatLoader: another loader, also known as ModiLoader and NatsoLoader, distributed through invoice-themed phishing emails and detailed by the AhnLab Security Intelligence Center (ASEC).

Hijack Loader: infection chains that deliver the Lumma information stealer via pirated-movie download sites, using layered obfuscation and Microsoft's mshta.exe to execute the malicious code.

Remcos RAT: delivered through phishing campaigns by an Eastern European threat actor tracked as Unfurling Hemlock, which uses loaders and emails to spread several malware strains.


Source: thehackernews.com
