
FakeBat Loader Malware Spreads Widely via Drive-by Download Attacks

Updated on July 3, 2024



The loader-as-a-service (LaaS) known as FakeBat has emerged as one of the most prevalent loader malware families distributed through drive-by download techniques this year, according to findings from Sekoia.

“FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the company said in a recent analysis.


Drive-by attacks involve methods like search engine optimization (SEO) poisoning, malvertising, and malicious code injections into compromised sites to trick users into downloading fake software installers or browser updates.

The increased use of malware loaders over the past few years coincides with the growing trend of creating landing pages that impersonate legitimate software websites. This highlights the larger issue of phishing and social engineering being primary tactics for threat actors to gain initial access.

FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.

The loader is designed to bypass security mechanisms and allows customers to generate builds using templates to trojanize legitimate software. It also enables them to monitor installations over time through an administration panel.

While earlier versions used an MSI format for the malware builds, recent iterations since September 2023 have switched to an MSIX format and added a digital signature to the installer with a valid certificate to evade Microsoft SmartScreen protections.

The malware is available for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature package.

Sekoia detected different activity clusters spreading FakeBat through three primary methods: impersonating popular software through malicious Google ads, fake web browser updates via compromised sites, and social engineering schemes on social networks. These campaigns are likely related to groups like FIN7, Nitrogen, and BATLOADER.

“In addition to hosting payloads, FakeBat [command-and-control] servers likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location,” Sekoia said. “This enables the distribution of the malware to specific targets.”

This disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign distributing another loader named DBatLoader (aka ModiLoader and NatsoLoader) through invoice-themed phishing emails.

It also follows the discovery of infection chains spreading Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to deliver the Lumma information stealer.


“This IDATLOADER campaign uses a complex infection chain with multiple layers of direct code-based obfuscation alongside innovative tricks to further conceal the malicious code,” Kroll researcher Dave Truman said.

Phishing campaigns have also been observed delivering Remcos RAT, with a new Eastern European threat actor dubbed Unfurling Hemlock using loaders and emails to drop binary files that act as a “cluster bomb” to spread different malware strains simultaneously.


“The malware distributed using this technique mostly includes stealers like RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader,” Outpost24 researcher Hector Garcia said.

“Most of the first stages were detected being sent via email to different companies or being dropped from external sites contacted by external loaders.”

These findings underscore the persistent and evolving threat posed by loader malware and the need for robust cybersecurity measures.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
