FakeBat Malware Loader Surges in Drive-by Download Incidents

Posted on: 03 Jul 2024 | Author: Foresiet

The loader-as-a-service (LaaS) known as FakeBat has emerged as one of the most prevalent malware families spreading through drive-by download attacks this year, according to findings from Sekoia.

Understanding FakeBat's Functionality

FakeBat is primarily designed to download and execute additional malicious payloads, including well-known threats like IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif. These drive-by download attacks leverage techniques such as search engine optimization (SEO) poisoning, malvertising, and code injections into compromised websites, tricking users into downloading fake software installers or browser updates.

The Rise of Malware Loaders

The increasing use of malware loaders corresponds with the growing trend of creating landing pages that impersonate legitimate software websites. This method aligns with the broader tactic of phishing and social engineering, which remains a key strategy for threat actors to gain initial access.

FakeBat's Evolution and Distribution

FakeBat, also known as EugenLoader and PaykLoader, has been offered to cybercriminals since at least December 2022 under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34). The loader is designed to bypass security mechanisms and lets customers generate builds from templates that trojanize legitimate software. It also provides monitoring capabilities through an administration panel.

Earlier versions of FakeBat were built in MSI format, but since September 2023 the loader has shifted to MSIX packages carrying a digital signature to evade Microsoft SmartScreen warnings. Pricing is structured as follows: $1,000 per week or $2,500 per month for the MSI format; $1,500 per week or $4,000 per month for the MSIX format; and $1,800 per week or $5,000 per month for a package that includes both MSI and a digital signature.
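Because a signed MSIX can pass SmartScreen, a defender's check has to look past "signed" to who signed it. The following triage script is an added example (not code from Sekoia, Foresiet or the FakeBat operators); it relies on the MSIX container being a ZIP with an AppxManifest.xml and an AppxSignature.p7x entry, and the publisher allowlist, package names and signature bytes are constructed placeholders.

```python
# Added example: triage an MSIX installer before it is allowed to run.
# An MSIX is a ZIP container; AppxManifest.xml carries the package identity
# (the Publisher DN must match the signing certificate) and AppxSignature.p7x
# holds the signature. "Signed" alone proves nothing, so the verdict is based
# on whether the publisher is one the organisation actually expects.
import io
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Hypothetical allowlist of publisher DNs this organisation deploys software from.
TRUSTED_PUBLISHERS = {"CN=Example Software Ltd, O=Example Software Ltd, C=GB"}


def inspect_msix(blob: bytes) -> dict:
    """Parse an MSIX blob and return its identity fields plus a triage verdict."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        entries = set(zf.namelist())
        if "AppxManifest.xml" not in entries:
            return {"verdict": "not-msix"}
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    identity = root.find(APPX_NS + "Identity")
    display = root.find(f"{APPX_NS}Properties/{APPX_NS}DisplayName")
    info = {
        "name": identity.get("Name") if identity is not None else None,
        "publisher": identity.get("Publisher") if identity is not None else None,
        "display_name": display.text if display is not None else None,
        "signed": "AppxSignature.p7x" in entries,
    }
    if not info["signed"]:
        info["verdict"] = "block: unsigned package"
    elif info["publisher"] not in TRUSTED_PUBLISHERS:
        # The FakeBat case: a valid signature from a publisher nobody vetted.
        info["verdict"] = "block: signed by non-allowlisted publisher"
    else:
        info["verdict"] = "allow"
    return info


def build_sample_msix(publisher: str, signed: bool = True) -> bytes:
    """Constructed sample: a minimal MSIX-shaped ZIP, not a real installer."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<Package xmlns="{APPX_NS[1:-1]}">'
        f'<Identity Name="PopularApp.Installer" Publisher="{publisher}" Version="1.0.0.0"/>'
        "<Properties><DisplayName>PopularApp Setup</DisplayName></Properties>"
        "</Package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:  # placeholder bytes stand in for the real PKCS#7 signature
            zf.writestr("AppxSignature.p7x", b"<placeholder signature bytes>")
    return buf.getvalue()
```

Run `inspect_msix(build_sample_msix("CN=Some Freshly Registered Signer"))` to see a lure-style package blocked despite being "signed"; in production the publisher DN should additionally be compared against the verified signing certificate rather than read from the manifest alone.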

Methods of Dissemination

Sekoia detected various activity clusters spreading FakeBat using three primary methods: impersonating popular software via malicious Google ads, fake web browser updates through compromised sites, and social engineering schemes on social networks. These campaigns are likely associated with groups such as FIN7, Nitrogen, and BATLOADER.

In addition to hosting payloads, FakeBat command-and-control servers likely filter traffic based on characteristics such as the User-Agent value, IP address, and location. This targeted distribution concentrates the malware's impact on the intended victims.

Broader Malware Landscape

This disclosure aligns with other reports, such as the AhnLab Security Intelligence Center (ASEC) detailing a malware campaign distributing another loader, DBatLoader (also known as ModiLoader and NatsoLoader), through invoice-themed phishing emails. Additionally, infection chains propagating Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites have been discovered, ultimately delivering the Lumma information stealer.

A campaign using IDATLOADER involved a complex infection chain with multiple layers of obfuscation, using Microsoft's mshta.exe to execute code hidden within a file masquerading as a PGP Secret Key. This campaign utilized innovative techniques to conceal the malicious code from detection.

Phishing campaigns have also been observed delivering Remcos RAT, with a new Eastern European threat actor named Unfurling Hemlock using loaders and emails to spread various malware strains simultaneously. This method frequently spreads information stealers like RedLine, RisePro, and Mystic Stealer, along with loaders such as Amadey and SmokeLoader. These attacks typically begin with emails sent to different companies or through external sites contacted by loaders.

Protecting Your Digital Footprint

The rise of sophisticated malware like FakeBat highlights the importance of robust cybersecurity measures. Organizations should invest in stolen credentials detection, darknet monitoring services, dark web surveillance, and compromised data tracking to protect their digital footprint. Utilizing brand protection strategies, brand impersonation defense, and online risk evaluation can also enhance security. Employing digital threat scoring can provide a comprehensive assessment of potential risks.

About Foresiet

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
