Cybersecurity researchers have identified a surge in malware infections caused by malvertising campaigns distributing FakeBat [1] [3], also known as EugenLoader and PaykLoader [1] [3].

Description

This malware, linked to the threat actor Eugenfest and tracked by the Google-owned threat intelligence team as NUMOZYLOD [3], is associated with the UNC4536 group [1]. UNC4536 uses malvertising and drive-by download techniques to steer users to fake websites hosting trojanized MSIX installers disguised as popular software such as Brave [1] [3], KeePass [1] [3], Notion [1] [3], Steam [1] [3], and Zoom [1] [3]. The attacks are opportunistic, targeting users who search for popular commercial software.

Once installed, NUMOZYLOD gathers system information and creates a shortcut in the StartUp folder for persistence [3]. Malware families delivered via FakeBat include IcedID [3], RedLine Stealer [2] [3], Lumma Stealer [2] [3], SectopRAT [2] [3], and Carbanak [2] [3], which is associated with the cybercrime group FIN7.

This disclosure follows a previous report by Mandiant detailing the attack lifecycle of another malware downloader named EMPTYSPACE [3], used by a threat cluster dubbed UNC4990 for data exfiltration and cryptojacking activities targeting Italian entities [3].
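The persistence mechanism described above (a shortcut dropped in the StartUp folder) is something defenders can audit directly. The following script is an added example, not code from the cited reports: it enumerates the all-users and per-user Startup folders, resolves each .lnk shortcut's target, and flags recently created shortcuts, missing targets, and unsigned target binaries. It assumes Windows PowerShell 5.1 or later and an elevated prompt to read other users' profiles; the seven-day window is an assumed threshold.

```powershell
# Added example (not from the cited reports): audit Startup-folder shortcuts,
# the persistence location the report attributes to NUMOZYLOD/FakeBat.
# Assumes Windows PowerShell 5.1+; run elevated to read every user's profile.

# All-users Startup folder plus each profile's Roaming Startup folder
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $startupDirs += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

$shell = New-Object -ComObject WScript.Shell
$since = (Get-Date).AddDays(-7)   # assumed review window; tune for your environment

$results = foreach ($dir in ($startupDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = $lnk.TargetPath
            # An empty or missing target is itself worth a look (deleted stage, odd path)
            $targetExists = -not [string]::IsNullOrEmpty($target) -and (Test-Path -LiteralPath $target)
            $sigStatus = if ($targetExists) {
                (Get-AuthenticodeSignature -LiteralPath $target).Status
            } else { 'n/a' }
            [PSCustomObject]@{
                Shortcut     = $_.FullName
                Created      = $_.CreationTime
                RecentlyAdded = $_.CreationTime -gt $since
                Target       = $target
                Arguments    = $lnk.Arguments
                TargetExists = $targetExists
                Signature    = $sigStatus
            }
        }
}

# Newest first; review anything RecentlyAdded, with a missing target, or not 'Valid'
$results | Sort-Object Created -Descending | Format-Table -AutoSize
```

Shortcuts that legitimately live here (vendor updaters, OneDrive) will show a valid signature and a target under Program Files; a recent shortcut pointing into a user-writable path with an unsigned or missing target is the pattern to triage.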

Conclusion

These malvertising campaigns distributing FakeBat pose a significant threat to users seeking popular software, as they can lead to the installation of various malware families. It is crucial for users to be cautious when downloading software and to ensure they are obtaining it from legitimate sources. Cybersecurity measures should be implemented to detect and prevent such malvertising campaigns in the future, in order to protect users and organizations from potential cyber threats.

References

[1] https://vulners.com/thn/THN:0F33DEB7E5131CE5A2B75438FED6B1E9
[2] https://sempreupdate.com.br/linux/malwares/cibercriminosos-espalham-malware-fakebat-explorando-pesquisas-populares-de-software/
[3] https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html