Understanding the Rise of FakeBat Malware
Cybersecurity experts have recently uncovered a significant increase in malware infections linked to malvertising campaigns using a loader called FakeBat. These attacks are targeting individuals searching for popular business software, as highlighted in a report by the Mandiant Managed Defense team. The method involves a trojanized MSIX installer that executes a PowerShell script to download additional harmful software.
Linking FakeBat to Eugenfest
FakeBat is also recognized by other names, such as EugenLoader and PaykLoader, and has connections to a threat group known as Eugenfest. Google's threat intelligence team identifies this malware under the codename NUMOZYLOD, attributing the Malware-as-a-Service operation to UNC4536.
The Mechanics of the Attack
The attack strategy relies on drive-by download techniques: users who search for popular software are redirected to fake websites offering malware-laden MSI installers. The malware families delivered through FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, the last of which is associated with the notorious FIN7 cybercrime group.
Deceptive Tactics and Exploitation
UNC4536's approach uses malvertising to spread trojanized MSIX installers that mimic well-known software like Brave, KeePass, Notion, Steam, and Zoom. These installers are hosted on websites that pretend to be legitimate software sources, tricking users into downloading them. What makes these attacks stand out is their use of the startScript configuration in MSIX installers to run a script before the main application launches.
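The startScript mechanism described above can be checked at triage time. The following is an added example, not code from the Mandiant report or from any FakeBat sample: a Python helper that opens an MSIX package (a zip archive) and reports any Package Support Framework startScript entries found in its config.json, run here against a constructed sample package. The config.json field names follow the PSF configuration layout as assumed here; they are not taken from the page.

```python
import io
import json
import zipfile


def build_sample_msix() -> bytes:
    """Constructed MSIX-like package (a zip) whose PSF config.json declares a startScript."""
    config = {"applications": [{
        "id": "App",
        "executable": "VFS/ProgramFilesX64/Notion/Notion.exe",
        "startScript": {
            "scriptPath": "config.ps1",         # script shipped inside the package
            "runInVirtualEnvironment": False,   # script sees the real filesystem
            "waitForScriptToFinish": True,      # app launch waits for the script
            "showWindow": False,                # no visible console window
        },
    }]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", "<Package/>")   # stand-in manifest
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("config.ps1", "# constructed placeholder script body")
    return buf.getvalue()


def find_start_scripts(msix_bytes: bytes) -> list[dict]:
    """One record per application whose PSF config.json entry declares a startScript."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        names = set(zf.namelist())
        if "config.json" not in names:
            return findings                      # no PSF config: nothing to report
        config = json.loads(zf.read("config.json"))
        for app in config.get("applications", []):
            script = app.get("startScript")
            if not isinstance(script, dict):
                continue
            path = script.get("scriptPath", "")
            findings.append({
                "app_id": app.get("id"),
                "executable": app.get("executable"),
                "script_path": path,
                "script_in_package": path in names,   # bundled, or expected from elsewhere?
                "waits_for_script": script.get("waitForScriptToFinish"),
                "runs_in_virtual_env": script.get("runInVirtualEnvironment"),
                "hidden_window": not script.get("showWindow", False),
            })
    return findings
```

A package that declares a startScript is not malicious by itself; the record is meant to flag which installers deserve a closer look at the script before the main application is trusted.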
The Role of NUMOZYLOD
Acting as a malware distributor, UNC4536 uses FakeBat to deploy additional malicious payloads for partners like FIN7. NUMOZYLOD plays a critical role by collecting system details, including operating system information, domain status, and installed antivirus products. It may also record the public IPv4 and IPv6 addresses of the host and transmit this data to its command-and-control (C2) servers. Furthermore, it establishes persistence by creating a shortcut (.lnk) in the StartUp folder.
Recent Developments in Malware Activity
This revelation follows Mandiant's earlier disclosure of another malware downloader called EMPTYSPACE (also known as BrokerLoader or Vetta Loader). This malware has been employed by a financially driven threat group, UNC4990, to carry out data theft and cryptojacking, specifically targeting sectors in Italy.