August 19, 2024Ravie LakshmananMalvertising / Cybercrime

Cybersecurity researchers have discovered an increase in malware infections stemming from malvertising campaigns that distribute a loader called FakeBat.

“These attacks are opportunistic in nature and target users looking for popular enterprise software,” the Mandiant Managed Defense team said in a technical report. “The infection leverages a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload.”

FakeBat, also known as EugenLoader and PaykLoader, is linked to a threat actor called Eugenfest. Google’s threat intelligence team is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.

Attack chains spreading the malware utilize drive-by download techniques to push users looking for popular software to fake lookalike sites hosting boobytrapped MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (also known as ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.

“UNC4536’s modus operandi involves leveraging malvertising to distribute Trojanized MSIX installers disguised as popular software such as Brave, KeePass, Notion, Steam, and Zoom,” Mandiant said. “These Trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, tricking users into downloading them.”

What makes the attack so striking is the use of MSIX installers impersonating Brave, KeePass, Notion, Steam, and Zoom. These can execute a script before the main application is launched, via a configuration called startScript.

UNC4536 is in fact a malware distributor, meaning FakeBat acts as a delivery vehicle for the next phase of payloads for their business partners, including FIN7.

“NUMOZYLOD collects system information, including details about the operating system, domain affiliation, and installed antivirus products,” Mandiant said. “In some variants, it collects the public IPv4 and IPv6 address of the host and sends this information to its C2, (and) creates a shortcut (.lnk) in the StartUp folder for persistence.”

The revelation comes just over a month after Mandiant also detailed the attack cycle of another malware downloader dubbed EMPTYSPACE (also known as BrokerLoader or Vetta Loader), which was used by a financially motivated threat cluster dubbed UNC4990 to facilitate data exfiltration and cryptojacking activities targeting Italian entities.