The loader-as-a-service (LaaS) referred to as FakeBat has turn into one of the vital widespread loader malware households distributed utilizing the drive-by obtain approach this 12 months, findings from Sekoia reveal.
“FakeBat primarily goals to obtain and execute the next-stage payload, similar to IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the corporate mentioned in a Tuesday evaluation.
Drive-by assaults entail the usage of strategies like search engine marketing (web optimization) poisoning, malvertising, and nefarious code injections into compromised websites to entice customers into downloading bogus software program installers or browser updates.
Using malware loaders over the previous few years dovetails with the rising use of touchdown pages impersonating authentic software program web sites by passing them off as authentic installers. This ties into the bigger side that phishing and social engineering stay one of many menace actors’ essential methods to accumulate preliminary entry.
FakeBat, also referred to as EugenLoader and PaykLoader, has been provided to different cybercriminals underneath a LaaS subscription mannequin on underground boards by a Russian-speaking menace actor named Eugenfest (aka Payk_34) since a minimum of December 2022.
The loader is designed to bypass safety mechanisms and gives prospects with choices to generate builds utilizing templates to trojanize authentic software program in addition to monitor installations over time by an administration panel.
Whereas the sooner variations made use of an MSI format for the malware builds, latest iterations noticed since September 2023 have switched to an MSIX format and added a digital signature to the installer with a legitimate certificates to sidestep Microsoft SmartScreen protections.
The malware is accessible for $1,000 per week and $2,500 monthly for the MSI format, $1,500 per week and $4,000 monthly for the MSIX format, and $1,800 per week and $5,000 monthly for the mixed MSI and signature package deal.
Sekoia mentioned it detected completely different exercise clusters disseminating FakeBat by three major approaches: Impersonating standard software program by malicious Google advertisements, faux internet browser updates by way of compromised websites, and social engineering schemes on social networks. This encompasses campaigns doubtless associated to the FIN7 group, Nitrogen, and BATLOADER.
“Along with internet hosting payloads, FakeBat [command-and-control] servers extremely doubtless filter visitors based mostly on traits such because the Consumer-Agent worth, the IP tackle, and the situation,” Sekoia mentioned. “This permits the distribution of the malware to particular targets.”
The disclosure comes because the AhnLab Safety Intelligence Middle (ASEC) detailed a malware marketing campaign distributing one other loader named DBatLoader (aka ModiLoader and NatsoLoader) by invoice-themed phishing emails.
It additionally follows the invention of an infection chains propagating Hijack Loader (aka DOILoader and IDAT Loader) by way of pirated film obtain websites to in the end ship the Lumma data stealer.
“This IDATLOADER marketing campaign is utilizing a fancy an infection chain containing a number of layers of direct code-based obfuscation alongside modern methods to additional disguise the maliciousness of the code,” Kroll researcher Dave Truman mentioned.
“The an infection hinged round using Microsoft’s mshta.exe to execute code buried deep inside a specifically crafted file masquerading as a PGP Secret Key. The marketing campaign made use of novel variations of frequent methods and heavy obfuscation to cover the malicious code from detection.”
Phishing campaigns have additional been noticed delivering Remcos RAT, with a brand new Jap European menace actor dubbed Unfurling Hemlock leveraging loaders and emails to drop binary information that act as a “cluster bomb” to unfold completely different malware strains directly.
“The malware being distributed utilizing this method is generally comprised of stealers, similar to RedLine, RisePro, and Mystic Stealer, and loaders similar to Amadey and SmokeLoader,” Outpost24 researcher Hector Garcia mentioned.
“Many of the first phases had been detected being despatched by way of e-mail to completely different firms or being dropped from exterior websites that had been contacted by exterior loaders.”
