FakeBat's Malvertising Mayhem
Security Advisory Report: FakeBat Malware
Summary
FakeBat, also known as EugenLoader or PaykLoader, has emerged as a significant threat in 2024, spreading through drive-by download attacks and malvertising campaigns. Distributed under a Loader-as-a-Service (LaaS) model by the Russian-speaking threat actor Eugenfest, FakeBat targets victims through compromised websites, fake browser updates, and malicious ads.
Distribution Methods
FakeBat leverages several techniques to propagate, including:
- Malicious Ads (Malvertising): Fake ads on platforms like Google redirect users to phishing sites that host the FakeBat payload, often disguised as legitimate software installers.
- Fake Browser Updates: Compromised websites inject malicious JavaScript, triggering fake update notifications to lure users into downloading malware.
- Social Engineering: Campaigns impersonate popular software brands to deceive users into downloading trojanized installers.
Technical Details
- Formats: Originally distributed in MSI format, recent versions use MSIX installers, which are digitally signed with valid certificates to bypass security measures like Microsoft SmartScreen.
- Payloads: FakeBat downloads and executes secondary payloads such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.
- Command-and-Control (C2): Uses filtering mechanisms based on User-Agent values, IP addresses, and geographical locations to distribute malware to specific targets.
Infection Chain
- Initial Infection: User clicks a malicious ad or fake update prompt.
- Download and Execution: MSIX installer is downloaded and executed, running a malicious PowerShell script.
- Payload Retrieval: PowerShell script communicates with the C2 server to download and execute additional malware.
Indicators of Compromise (IoCs)
Domains:
- cdn-inform[.]com
- udr-offdips[.]com
- urd-apdaps[.]com
- usm-pontic[.]com
- utd-corts[.]com
- utd-forts[.]com
- utd-gochisu[.]com
- utd-horipsy[.]com
- utm-adrooz[.]com
- utm-adschuk[.]com
- utm-adsgoogle[.]com
- utm-adsname[.]com
- utm-advrez[.]com
- utm-drmka[.]com
- utm-fukap[.]com
- utm-msh[.]com
- utr-gavlup[.]com
- utr-jopass[.]com
- utr-krubz[.]com
- utr-provit[.]com
- amydlesk[.]com
- notilon[.]co
- notliion[.]com
- notlon[.]top
- notlilon[.]co
- notion.findreaders[.]com
- findreaders[.]com
- notion.ilusofficial[.]com
- app.getmess[.]io
- utd-corts[.]com
URL's:
- brow-ser-update[.]top
- hxxps://brow-ser-update[.]top/download/dwnl.php
- hxxps://brow-ser-update[.]top/GoogleChrome-x86.msix
- photoshop-adobe[.]shop
- hxxps://photoshop-adobe[.]shop/download/dwnl.php
- c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4 (GoogleChrome-x86.msix)
- b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f (boci.ps1)
- hxxps://app.getmess[.]io/
- hxxps://app.getmess[.]io/download/dwnl.php
- hxxps://getmess[.]download/Getmess.msix
- hxxp://utd-corts[.]com/buy/
Hashes (SHA256)
- c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4
- 7265ffdbe31dd96d6e6c8ead5a56817c905ff012418546e2233b7dce22372630
- 9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960
- 1bb51d62457f606e947a4e7ce86198e9956ae1fe4e51e4e945370cc25fe6bfff
- 400277618bd2591efb2eb22ac0041c1c5561d96c479a60924ef799de3e2d290c
- f3ebb23bdcc7ac016d958c1a057152636bc2372b3a059bf49675882f64105068
- 12ea41f2dfa89ad86f082fdf80ca57f14cd8a8f27280aca4f18111758de96d15
- 3bd95eadb44349c7d88ea989501590fb3652ae27eded15ab5d12b17e2708969f
- 67663233f9e3763171afd3a44b769dc67a8a61d4a159f205003c5fdb150e2ca1
- f0e0aea32962a8a4aecd0c4b0329dc7e901fa5b103f0b03563cf9705d751bbe1
- 8f88a86d57b93cd7f63dfdf3cb8cc398cdce358e683fb04e19b0d0ed73dd50ee
- 3d3a9cd140972b7b8a01dde2e4cd9707913f2eba09a3742c72016fd073004951
- 96bd6abb1c8ec2ede22b915a11b97c0cd44c1f5ed1cda8bee0acfee290f8f580
- f1d72a27147c42a4f4baf3e10a6f03988c70546bb174a1025553a8319717ba95
- 806d08e6169569eb1649b2d1f770ad30a01ff55beedfe93aebccac2bc24533c0
- 763bdd0b5413bb2e0e3c4a68a7542586bbd638665b7ca250dbd9c7558216e427
- 9a2268162982113c12d163b1377dc4e72c93f91e26bd511d16c1b705262ca03c
- e5b94c001fc3c1c1aa35c71a3d1e9909124339e0ade09f897b918fe0729c12e1
- 9e800a05e65efe923a35815157129652980f03cbcf95cf0d64676f6da73471de
- f312e59be5ddbf857d92de506d55ae267800b0cbc2b82665ce63c889a7ae9414
- 7c7dc62ed7af2f90aeafdd5c3af5284c5539aeded7d642d39f5fd5f187d33c87
- 409a2a2a4e442017e6d647524fdec11507515a9f58a314e74307e67059bd8149
- 1d5d671bf680d739ded1e25e78970b38d00e8182816171a7c6a186504a79eeee
- aa998fde06a6a6ab37593c054333e192ce4706a14d210d8fc6c0de3fd2d74ce2
- 767dd301dc5297828a35eaba81f84bd0f50d61fe1a9208b8d89b5eaba064d65e
- 7d0aaf734f73c1cf93e53703e648125bba43e023203be9a938f270dfe3492718
- 6e0179344ca0bbc42dce77027f5a6a049844daf34595fd184d9f094e8c74325c
- 49a7668d60e8df9d0a57ba9e0e736c1eb48700da19711cc0ec0f3c94a56ce507
- 2e8a82f07de254848615f81272f08e0cf9af474d1c20f67d9ddbdf439f1d8fde
- f0f77c85c7da4391e34d106c4b5f671eb606ba695dc11401a6ee8ae53e337cbe
- d1da457b0891b68df16ce86e2a48a799b9528c1631bccc379623551f873c0eed
- 175fcb7495c0814a5c18afa6244d467f0daeb0f02ad93c0ab4d3af8cbbacb537
- 7316ed0cb0fdbede33a0b6d05d0be1fe3c616ef7c1098dfcc9a2339c793e7020
- 90641a72a4ea6f1fca57ec5e5daec4319ec95bec53dd2bf0fa58d1f9ade42ad4
- 6fb502d83b7b5181abcb53784270239cc3e4143344e1f64101537aa3848c8c95
- 2b033fc28ad12cb57c7c691bd40911ca47dd2a8e495a2d253557d2c6bcd40c5e
- 4029e194864e2557786e169c7f2c101b9972164de7b4f1ffadf89382317cf96c
- 020cd2e4ec27185550bf736b490d8ace0d244fe09315f9f7e18362de659bc7ad
- b5ed2f42359e809bf171183a444457c378355d07b414f5828e1e4f7b35bb505f
- 5ee273180702a54f32520be02c170ad154588893b63eefe2062cdb34ad83712c
- 1c5cadde01f10a730cd8f55633c967c3a7259f4906f961477b7e095e7db326b7
- 72a1f6e7979daae38d8e0e14893db4c182b8362acc5d721141ed328ed02c7e28
- 00e7e8a0e8495189bb7feca21864fbd6c61a5aa680462186504de02536e0c2f9
- 088ed84658a7c3bef4401601ef67a6953492fb0200a3b580bfabb21cd3ac8236
- b7aa4697e16bbafe0df02ab3b8d0be8ec6e4abf6e6ca7d787d3d3684ca8f4b63
- f138728ce2cc87201a51c9250fa87cbab20354012a8f566e1b2cd776cc1a66af
- 0c4cef985c90ed764f041c2ccab6820fdbe38edaaddebe01a5b8d31d93204b88
- f8ab48848ab915d1b23e3ee51dd20a2699bd4f277bde218a727d7a55a572d174
- 07a0986ab43f717e181a32d6742b11f788403ce582ad5fcbb9d20d0bd40d410b
- 5e5c134cea48e57da9604981c0a7fd6ef1704c4151b540f29de685e0017fa730
- e3f18df1d8f5e27a41221246cc63236487c56354ba0c926a3fdaea70db901adb
- 4e39fa74e49be2bf26fbfbbcea12d1374fa2f1607ff7fa2a0c8c323e697959ad
- d069437eda843bd7a675a1cca7fd4922803833f39265d951fa01e7ad8e662c60
- 904ce1b1ffa601f9aeb0a6d68bc83532c5e76b958029bd1c889937fa7cf1867f
- 00ea5d43f2779a705856a824a3f8133cb100101e043cb670e49b163534b0c525
- cea1c4f2229e7aa0167c07e22a3809f42ec931332da7cc28f7d14b9e702af66b
- ae641dda420f2cf63ac29804f7009ba1c248c702679fbccef35e4d9319d77d2d
Mitigation Strategies
- Ad-Blocking Tools: Use ad-blocking software to reduce exposure to malvertising.
- Security Software: Implement endpoint detection and response (EDR) solutions to detect and block malicious activities.
- Controlled Software Distribution: Provide software installers through an internal company repository to avoid risks from sponsored ads.
- Regular Updates and Patches: Keep operating systems, browsers, and software up-to-date with the latest security patches.
Conclusion
FakeBat represents a sophisticated and evolving threat leveraging modern techniques like digitally signed MSIX installers and targeted malvertising. Vigilance and proactive cybersecurity measures are essential to mitigate the risks posed by this malware.
Sources
FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks (The Hacker News)
Exposing FakeBat loader: distribution methods and adversary infrastructure (Sekoia Blog)