New Malware Loader FakeBat Targets Users with SEO Poisoning and Fake Updates
The Loader-as-a-Service (LaaS) known as FakeBat, also tracked as EugenLoader and PaykLoader, has become a prominent threat in the malware landscape, relying on drive-by download techniques to reach victims. According to an analysis by cybersecurity firm Sekoia, FakeBat is one of the most widely distributed loader malware families delivered through drive-by downloads in 2024.
Distribution Techniques
FakeBat reaches victims through several drive-by download methods, all of which rely on the user launching a downloaded installer:
- Search Engine Optimization (SEO) Poisoning: Manipulating search engine results so that searches for legitimate software lead users to attacker-controlled download pages.
- Malvertising: Placing malicious advertisements that redirect users to sites serving the loader.
- Compromised Sites: Injecting code into legitimate websites that prompts visitors to download fake software updates or installers.
Loader Malware Functionality
FakeBat primarily aims to download and execute subsequent malicious payloads, including but not limited to:
- IcedID
- Lumma
- RedLine
- SmokeLoader
- SectopRAT
- Ursnif
Evolution and Features
Initial Versions: Initially, FakeBat used MSI format for its malware builds.
Recent Developments: Since September 2023, newer versions have moved to the MSIX package format and carry a digital signature from a valid code-signing certificate, so the installer passes Microsoft SmartScreen checks that would otherwise warn the user about an unrecognized download. A valid signature on an MSIX package is therefore not, by itself, evidence that the package is legitimate.
Service Model: FakeBat operates on a subscription model offered by a Russian-speaking threat actor known as Eugenfest (aka Payk_34) since at least December 2022. The subscription costs are:
- MSI Format: $1,000 per week or $2,500 per month.
- MSIX Format: $1,500 per week or $4,000 per month.
- Combined MSI and Signature Package: $1,800 per week or $5,000 per month.
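Because the signed-MSIX variant is designed to pass SmartScreen, a responder triaging a suspected FakeBat infection needs to look at who signed a package and how it was installed rather than whether the signature validates. The PowerShell below is an added example for this article, not code from Sekoia or from the FakeBat operators. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11; the lookback window and the sample download path are arbitrary choices for the example.

```powershell
# Added example (not FakeBat or Sekoia code): hunt for sideloaded MSIX/APPX
# packages on a host and inspect the signer of a downloaded installer.
# Assumptions: elevated PowerShell 5.1+ on Windows 10/11; the lookback window
# and the download path in the usage lines are arbitrary values for this example.

function Get-SideloadedAppxPackage {
    param([int]$LookbackDays = 14)

    $cutoff = (Get-Date).AddDays(-$LookbackDays)

    # SignatureKind is one of None, Developer, Enterprise, Store, System.
    # Anything other than Store or System was installed outside the Microsoft
    # Store, which is how App Installer installs an MSIX fetched from a web page.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') -and -not $_.IsFramework } |
        ForEach-Object {
            # Folder creation time of the install location is used as a proxy
            # for the installation time.
            $installDir = Get-Item -LiteralPath $_.InstallLocation -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name          = $_.Name
                Publisher     = $_.Publisher          # X.500 subject of the signing certificate
                SignatureKind = $_.SignatureKind
                InstallTime   = if ($installDir) { $installDir.CreationTime } else { $null }
                Path          = $_.InstallLocation
                Recent        = [bool]($installDir -and $installDir.CreationTime -ge $cutoff)
            }
        } |
        Sort-Object InstallTime -Descending
}

function Get-MsixSignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature handles APPX/MSIX containers. A Status of
    # 'Valid' only means the certificate chain verifies; FakeBat builds are
    # signed with valid certificates precisely so this check passes. The
    # subject, issuer and issuance date of the certificate are what to review.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status
        IsOSBinary    = $sig.IsOSBinary
        Subject       = if ($cert) { $cert.Subject }    else { $null }
        Issuer        = if ($cert) { $cert.Issuer }     else { $null }
        CertNotBefore = if ($cert) { $cert.NotBefore }  else { $null }
        Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
    }
}

# Usage: list non-Store packages installed in the last 30 days.
Get-SideloadedAppxPackage -LookbackDays 30 | Where-Object Recent | Format-Table -AutoSize

# Usage: inspect a downloaded installer (assumed path, adjust to the sample).
# Get-MsixSignerInfo -Path "$env:USERPROFILE\Downloads\update.msix"
```

Packages reported as Developer- or Enterprise-signed and installed around the time the user recalls visiting a "browser update" page are the ones to pull for further analysis; a recently issued certificate whose subject does not match the software the package impersonates is a common tell. `Get-AppxLog -All` on the same host gives the AppX deployment log entries for the corresponding installation events.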
Attack Vectors and Clusters
Sekoia has identified three primary dissemination approaches for FakeBat:
- Impersonating Popular Software: Malicious Google ads that pose as popular applications and redirect users to pages serving a trojanized installer.
- Fake Web Browser Updates: Compromised sites that display a prompt telling visitors to update their browser, with the "update" being the loader.
- Social Engineering: Schemes on social networks that deceive users into downloading the malicious installer.
These methods have been linked to various threat groups, including FIN7, Nitrogen, and BATLOADER.
Source: thehackernews.com