Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader referred to as FakeBat.
“These attacks are opportunistic in nature, targeting users seeking popular business software,” the Mandiant Managed Protection group stated in a technical report. “The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload.”
FakeBat, also known as EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. The Google-owned threat intelligence firm is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.
Attack chains propagating the malware employ drive-by download techniques to push users searching for popular software toward bogus lookalike sites that host booby-trapped MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.
“UNC4536’s modus operandi involves leveraging malvertising to distribute trojanized MSIX installers disguised as popular software like Brave, KeePass, Notion, Steam, and Zoom,” Mandiant stated. “These trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, luring users into downloading them.”
What makes the attack notable is the use of MSIX installers disguised as Brave, KeePass, Notion, Steam, and Zoom, which have the ability to execute a script before launching the main application by means of a configuration called startScript.
UNC4536 is essentially a malware distributor, meaning FakeBat acts as a delivery vehicle for next-stage payloads for its business partners, including FIN7.
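The startScript behaviour described above is a property of the MSIX Package Support Framework (PSF): a config.json inside the package can name a script that runs before the packaged application starts. The following script is an added defender-side example, not code from the article or from Mandiant, that opens an MSIX package (which is a ZIP archive) and reports every PSF application entry declaring a startScript, together with whether the referenced script file is actually bundled. The exact PSF key names (`applications`, `startScript`, `scriptPath`, `waitForScriptToFinish`) are assumed from the PSF documentation, and the sample package it builds is constructed in memory for the demonstration.

```python
import io
import json
import zipfile


def build_sample_package(with_start_script: bool) -> bytes:
    """Construct a minimal MSIX-like ZIP carrying a PSF config.json.

    Constructed sample for the demo only; it is not a real installer and
    the script body is a harmless placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", "<Package/>")
        config = {"applications": [{"id": "App", "executable": "app.exe"}]}
        if with_start_script:
            # Assumed PSF layout: startScript lives under each application entry
            config["applications"][0]["startScript"] = {
                "scriptPath": "StartingScript.ps1",
                "waitForScriptToFinish": True,
            }
            z.writestr("StartingScript.ps1", "# placeholder script body")
        z.writestr("config.json", json.dumps(config))
    return buf.getvalue()


def find_start_scripts(package_bytes: bytes) -> list:
    """Return one finding per PSF application entry that declares a startScript.

    Each finding records which config.json declared it, the application id,
    the script path, whether that script is present in the package, and
    whether the launcher is told to wait for the script before starting the app.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = set(z.namelist())
        # The PSF config may sit at the package root or in a subfolder,
        # so inspect every config.json in the archive.
        for name in names:
            if not name.lower().endswith("config.json"):
                continue
            try:
                cfg = json.loads(z.read(name))
            except (ValueError, UnicodeDecodeError):
                continue  # not a JSON config; skip rather than fail the scan
            for app in cfg.get("applications", []):
                start_script = app.get("startScript")
                if not start_script:
                    continue
                script = start_script.get("scriptPath", "")
                findings.append({
                    "config": name,
                    "app_id": app.get("id"),
                    "script": script,
                    "script_present": script in names,
                    "wait": bool(start_script.get("waitForScriptToFinish", False)),
                })
    return findings


if __name__ == "__main__":
    for label, pkg in (("clean", build_sample_package(False)),
                       ("with startScript", build_sample_package(True))):
        print(label, find_start_scripts(pkg))
```

A startScript entry is legitimate in many packages, so a finding is a triage signal rather than a verdict; the useful next step is to extract the referenced script and review what it does, and to compare the package signer against the vendor whose software it claims to be.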
“NUMOZYLOD gathers system information, including operating system details, domain joined, and antivirus products installed,” Mandiant stated. “In some variants, it gathers the public IPv4 and IPv6 address of the host and sends this information to its C2, [and] creates a shortcut (.lnk) in the StartUp folder as its persistence.”
The disclosure comes a little over a month after Mandiant also detailed the attack lifecycle associated with another malware downloader named EMPTYSPACE (aka BrokerLoader or Vetta Loader), which has been used by a financially motivated threat cluster dubbed UNC4990 to facilitate data exfiltration and cryptojacking activities targeting Italian entities.