Exposing FakeBat Loader: Distribution Methods and Adversary Infrastructure

Summary:
A new report by Sekoia highlights an increasing trend of cybercriminals distributing malware via drive-by downloads, a technique that typically relies on SEO poisoning, malvertising, and code injection into compromised websites to trick users into downloading fake software installers or browser updates. Based on metrics gathered by Sekoia, researchers note that FakeBat was one of the most widespread loaders using this technique during the first quarter of 2024. FakeBat first emerged in December 2022 and has since been sold on underground forums as a loader-as-a-service by a Russian-speaking threat actor named Eugenfest. FakeBat itself is a loader in MSI format that ships with several anti-detection features, such as bypassing Google's Unwanted Software Policy and Windows Defender alerts and being protected against VirusTotal detection. FakeBat can be purchased by cybercriminals, granting them access to an administration panel that allows them to:

  • generate FakeBat builds;
  • manage the distributed payloads;
  • monitor the installations related to the payload distribution.

Furthermore, the panel also provides information related to the infected host, including the IP address, country, OS, web browser, mimicked software, and installation status.

Security Officer Comments:
In September 2023, the operators behind FakeBat launched a new campaign on cybercrime forums introducing MSIX as a new format for their malware builds. They also incorporated a digital signature into the FakeBat installer, using a valid certificate as a means to bypass Microsoft SmartScreen protections. This signed MSIX build is sold as a package to cybercriminals for 5,000 per month.

In the first quarter of 2024, Sekoia observed several FakeBat campaigns, typically leveraging landing pages spread via malvertising that impersonated legitimate software, fake web browser updates on compromised websites (e.g. WordPress), and social engineering schemes on social networks. These campaigns led to the download and execution of a variety of next-stage payloads, including IcedID, Lumma, Redline, SmokeLoader, SectopRAT, and Ursnif, ultimately resulting in the deployment of ransomware in some cases.

Suggested Corrections:
Administrators of content management systems such as WordPress should keep plugins and site themes up to date and apply new patches as soon as they are released, since threat actors exploit outdated components to compromise sites, which are then used to host malicious software. Enforcing a strong password policy and enabling two-factor authentication is crucial in preventing attackers from compromising site accounts. In general, end users should browse carefully and avoid clicking search results labeled ‘sponsored,’ given that threat actors are known to purchase such advertisements to promote compromised websites and infect unsuspecting users with malicious payloads. Furthermore, when downloading software online, users should take care to verify the legitimacy of the source. Scanning software with antivirus solutions prior to execution can help prevent unwanted infections.
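Because the signed MSIX installers described above carry a valid certificate, "verify the legitimacy of the source" cannot stop at "is it signed?". The following triage helper is an added example, not code from the Sekoia report or from any vendor tooling. It performs two checks a defender can automate before an installer is allowed to run: the file's SHA-256 is compared against a value obtained out of band from the vendor, and the Publisher declared in the package's AppxManifest.xml is compared against an organisation's allowlist of expected signers (Windows requires that Publisher value to match the Subject of the signing certificate, so it tells you who signed the package). The allowlist, the publisher strings and the in-memory sample packages are constructed for illustration; a real deployment would populate the allowlist from its own approved vendors.

```python
"""Triage helper for downloaded MSIX installers (added example, not from the report).

Checks: (1) SHA-256 matches a vendor-published value, (2) the Publisher declared in
AppxManifest.xml is on an allowlist. Both must pass before installation is allowed.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed allowlist of publisher subjects an organisation expects to see.
# Hypothetical value for illustration; populate from your own approved vendors.
ALLOWED_PUBLISHERS = {
    "CN=Example Vendor Ltd, O=Example Vendor Ltd, C=GB",
}

# Default namespace used by the MSIX package manifest's Package/Identity elements.
APPX_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of the installer bytes, to compare with the vendor's published hash."""
    return hashlib.sha256(data).hexdigest()


def declared_publisher(package: bytes) -> Optional[str]:
    """Return the Publisher attribute from AppxManifest.xml, or None if it is missing.

    An MSIX is a zip archive; the manifest sits at its root. A missing manifest or
    Identity element is itself a red flag, so None is returned rather than raising.
    """
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        if "AppxManifest.xml" not in zf.namelist():
            return None
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    identity = root.find(f"{{{APPX_NS}}}Identity")
    if identity is None:
        return None
    return identity.get("Publisher")


def triage(package: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Return findings a reviewer would act on; 'allow' is True only if both checks pass."""
    findings = {
        "sha256": sha256_of(package),
        "publisher": declared_publisher(package),
    }
    # No vendor hash available means the hash check fails closed.
    findings["hash_matches_vendor"] = (
        expected_sha256 is not None and findings["sha256"] == expected_sha256.lower()
    )
    findings["publisher_allowed"] = findings["publisher"] in ALLOWED_PUBLISHERS
    findings["allow"] = findings["hash_matches_vendor"] and findings["publisher_allowed"]
    return findings


def build_sample_msix(publisher: Optional[str]) -> bytes:
    """Construct a minimal MSIX-shaped zip in memory (sample data, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if publisher is not None:
            manifest = (
                f'<Package xmlns="{APPX_NS}">'
                f'<Identity Name="Example.App" Version="1.0.0.0" Publisher="{publisher}" />'
                "</Package>"
            )
            zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("app.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one from the allowlisted signer, one from an unknown signer.
    good = build_sample_msix("CN=Example Vendor Ltd, O=Example Vendor Ltd, C=GB")
    unknown = build_sample_msix("CN=Unknown Signer, O=Unknown, C=XX")
    vendor_hash = sha256_of(good)  # stands in for the hash published by the vendor
    for name, pkg in (("good", good), ("unknown", unknown)):
        print(name, triage(pkg, expected_sha256=vendor_hash))
```

The hash comparison is the check that actually defeats a look-alike landing page: a malvertised download will not match the hash the real vendor publishes, whatever certificate it was signed with. The publisher allowlist is a second, cheaper filter that also catches packages whose manifest is missing or malformed; it does not replace signature validation, which on Windows is done by the OS at install time.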

Link(s):
https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/