Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware

Introduction

Security researchers have recently observed a marked increase in malware infections that begin with malvertising campaigns. These campaigns distribute a loader known as FakeBat, which a cybercrime group uses to target users searching for popular business software. The infections are attributed to a Malware-as-a-Service (MaaS) operation run by a group tracked as UNC4536. This article looks at the key tactics of the FakeBat loader, the cybercrime network behind it, and the broader implications for defenders.

Malvertising Campaign and FakeBat

The rise in FakeBat infections has been traced back to malicious advertising, or "malvertising," campaigns that lead unsuspecting users to download trojanized versions of business software. These attacks are opportunistic, targeting individuals searching for commonly used software like Brave, KeePass, Notion, Steam, and Zoom. Once a user clicks on one of these malicious ads, they are redirected to fake websites designed to mimic legitimate software platforms.

What makes this attack particularly effective is the use of MSIX installers. An MSIX package can be configured, through the Package Support Framework (PSF), to run a PowerShell script before the main application launches, so the malicious code executes while the victim sees what looks like a normal install of the software they asked for. According to Mandiant's Managed Defense team, the infection chain begins with a trojanized MSIX installer whose script downloads the next-stage malware.

Malware Distribution Techniques

FakeBat, also known as EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. Google-owned Mandiant tracks the malware itself under the name NUMOZYLOD and attributes the MaaS operation distributing it to UNC4536. The group uses a range of drive-by download techniques to lure users into fetching fake software from lookalike sites. Once installed, the loader can retrieve additional payloads, including well-known malware families such as IcedID, RedLine Stealer, Lumma Stealer, SectopRAT, and Carbanak.

These payloads enable the attackers to steal sensitive information, exfiltrate data, or take control of compromised systems. Carbanak, in particular, is associated with the FIN7 cybercrime group, which has been responsible for numerous high-profile cyberattacks.

UNC4536’s Malvertising Strategy

UNC4536's strategy centers around distributing trojanized MSIX installers, often disguised as popular business software. These installers are hosted on websites designed to mimic legitimate download sites. Users looking for trusted applications are tricked into downloading malware-laden installers. Once downloaded, FakeBat facilitates the execution of a malicious script that collects system information, including operating system details, domain membership, and installed antivirus software.

In some cases, FakeBat also gathers the host's public IP address and sends the collected information to a command-and-control (C2) server. To maintain persistence, the malware creates shortcuts in the user's Startup folder, so that it runs again each time that user logs on.
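As an added example (not code from the original article, nor from Mandiant or the malware authors), the following Python script shows the kind of static pre-install check a defender can run on a downloaded MSIX, covering both the PSF script mechanism described earlier and the trojanized installers described in this section. An MSIX is a ZIP container, so the script opens it, reads the entry-point executable from AppxManifest.xml, and looks for a Package Support Framework config.json declaring a startScript or endScript, which is what lets an installer run PowerShell before the real application starts. The package it inspects is constructed in memory for the demonstration; file names such as setup.ps1, Notion.exe and PsfLauncher64.exe are placeholders, and the check assumes the documented PSF layout with config.json at the package root.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Default namespace of AppxManifest.xml in MSIX packages.
APPX_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Script-like file extensions worth flagging when they ship inside an installer.
SCRIPT_EXTS = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def build_sample_msix(with_psf_script: bool = True) -> bytes:
    """Build a constructed, minimal MSIX-like ZIP in memory (not a real vendor package).

    with_psf_script=True mimics a trojanized installer: the manifest entry point is the
    PSF launcher and config.json tells it to run setup.ps1 before the real executable.
    with_psf_script=False mimics a plain package whose entry point is the application itself.
    """
    entry = "PsfLauncher64.exe" if with_psf_script else "Notion.exe"
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.Notion" Publisher="CN=Example Publisher" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="{entry}" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("Notion.exe", b"MZ placeholder")  # stand-in for the real program
        if with_psf_script:
            psf_config = {
                "applications": [
                    {
                        "id": "App",
                        "executable": "Notion.exe",
                        # PSF runs this PowerShell script before launching Notion.exe
                        "startScript": {"scriptPath": "setup.ps1", "waitForScriptToFinish": True},
                    }
                ]
            }
            z.writestr("config.json", json.dumps(psf_config))
            z.writestr("PsfLauncher64.exe", b"MZ placeholder")
            z.writestr("setup.ps1", "# placeholder script body\n")
    return buf.getvalue()


def triage_msix(package: bytes) -> dict:
    """Static pre-install triage of an MSIX package held in memory.

    Returns the manifest entry points, any PSF start/end scripts declared in config.json,
    loose script files, whether a signature blob is present, and an overall verdict.
    """
    findings = {
        "entry_executables": [],
        "psf_scripts": [],      # (hook name, script path) pairs from config.json
        "script_files": [],     # script-like files anywhere in the package
        "signed": False,        # AppxSignature.p7x present (needed to install, not proof of trust)
        "suspicious": False,
    }
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        findings["signed"] = "AppxSignature.p7x" in names

        # Entry point(s) declared in the manifest; a PsfLauncher*.exe entry means PSF is in play.
        root = ET.fromstring(z.read("AppxManifest.xml"))
        for app in root.findall(".//m:Application", APPX_NS):
            findings["entry_executables"].append(app.get("Executable", ""))

        findings["script_files"] = [n for n in names if n.lower().endswith(SCRIPT_EXTS)]

        # PSF configuration lives at the package root as config.json.
        if "config.json" in names:
            cfg = json.loads(z.read("config.json"))
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    script = app.get(hook)
                    if script:
                        findings["psf_scripts"].append((hook, script.get("scriptPath", "")))

    uses_psf_launcher = any(e.lower().startswith("psflauncher") for e in findings["entry_executables"])
    findings["suspicious"] = bool(findings["psf_scripts"] or findings["script_files"] or uses_psf_launcher)
    return findings


if __name__ == "__main__":
    for label, flag in (("trojanized-style", True), ("plain", False)):
        result = triage_msix(build_sample_msix(flag))
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "no script hooks", result)
```

Two caveats for real use: Windows refuses to install an unsigned MSIX, so the presence of AppxSignature.p7x says nothing about intent, and legitimate repackaged applications also use the PSF launcher. Treat a hit as a prompt to read the referenced script and verify the publisher before installing, not as proof of compromise.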

Implications for Cybersecurity

The FakeBat malware loader has become a significant tool for distributing other dangerous malware, acting as a delivery vehicle for next-stage attacks. Cybercriminal groups like UNC4536 are leveraging MaaS operations to partner with other cybercrime organizations, including FIN7, to carry out financially motivated attacks.

In addition to FakeBat, other similar loaders, such as EMPTYSPACE (also known as BrokerLoader or Vetta Loader), have been used in attacks targeting specific regions. For instance, UNC4990, another cybercrime group, used EMPTYSPACE in campaigns targeting Italian organizations for data exfiltration and cryptojacking purposes.

Conclusion

The surge in FakeBat infections highlights the evolving threat posed by malvertising campaigns and Malware-as-a-Service operations. By disguising a loader as popular business software and buying ad placement for the searches people actually make, cybercriminals reach a large pool of victims without any exploit at all. As distribution techniques continue to mature, organizations and individual users should download software only from the vendor's own site rather than from ad results, and should treat installers that run scripts before the application launches with suspicion.
