A Loader-as-a-Service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia show.
“FakeBat primarily aims to download and execute the next-stage payload, e.g. IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the company said in an analysis published Tuesday.
Drive-by attacks rely on techniques such as search engine optimization (SEO) poisoning, malicious advertising (malvertising), and code injected into compromised websites to entice users into downloading bogus software installers or browser updates.
The rise of malware loaders over the past few years has gone hand in hand with the growing use of landing pages that impersonate legitimate software websites and pass off trojanized installers as the real thing. This fits the broader picture in which phishing and social engineering remain among the primary ways threat actors obtain initial access.
FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.
The loader is designed to bypass security mechanisms and gives customers options to generate builds from templates that trojanize legitimate software, as well as to monitor installations over time through an administration panel.
While earlier versions used the MSI format for the malware builds, the latest iterations observed since September 2023 have switched to the MSIX format and carry a digital signature from a valid certificate on the installer in order to bypass Microsoft SmartScreen protections.
The malware is priced at $1,000 per week or $2,500 per month for the MSI format, $1,500 per week or $4,000 per month for the MSIX format, and $1,800 per week or $5,000 per month for the combined MSIX-plus-signature package.
Sekoia said it detected several activity clusters distributing FakeBat through three main approaches: impersonating popular software via malicious Google ads, fake web browser updates served from compromised sites, and social engineering schemes on social networks. These include campaigns likely associated with the FIN7 group, Nitrogen, and BATLOADER.
“In addition to hosting payloads, FakeBat C2 (command-and-control) servers very likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location,” Sekoia said. “This enables the distribution of malware to specific targets.”
The disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign that distributes another loader called DBatLoader (aka ModiLoader and NatsoLoader) via invoice-themed phishing emails.
It also follows the discovery of infection chains propagating Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to ultimately deliver the Lumma information stealer.
“This IDAT Loader campaign uses a complex infection chain that contains multiple layers of direct code-based obfuscation along with innovative techniques to further hide the maliciousness of the code,” Kroll researcher Dave Truman said.
“The infection involved the use of Microsoft’s mshta.exe to execute code hidden deep within a specially crafted file that masqueraded as a PGP secret key. The campaign used new adaptations of common techniques and heavy obfuscation to hide the malicious code from detection.”
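The mshta.exe technique Kroll describes lends itself to a simple process-creation detection. The following is an added example written for this page, not code from Kroll, Sekoia, or the original article: it scans constructed process-creation records in a hypothetical `timestamp|host|user|command line` format and flags mshta.exe launches whose first argument is an inline script URI, a remote URL, a file whose extension is not .hta (the PGP-key masquerade case, since mshta.exe parses the file content regardless of its extension), or an .hta file in a user-writable directory. The host names, user names, paths, and log lines are all invented.

```python
"""Heuristic detection of mshta.exe abuse over process-creation log lines.

Added example for this page, not from Kroll or the original article. The record
format (timestamp|host|user|command line) and every sample line are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Image name match: "mshta", "mshta.exe", or any path ending in \mshta.exe
MSHTA_RE = re.compile(r"(?i)(?:^|[\\/])mshta(?:\.exe)?$")
# Inline script protocols that mshta.exe executes with no file on disk at all
SCRIPT_SCHEME_RE = re.compile(r"(?i)^(?:javascript|vbscript|about):")
REMOTE_URL_RE = re.compile(r"(?i)^https?://")
# Directories an unprivileged user can write to; an .hta launched from here is suspect
USER_WRITABLE_RE = re.compile(r"(?i)\\(?:users|temp|appdata|programdata|public)\\")


@dataclass
class Finding:
    line_no: int
    host: str
    user: str
    reason: str
    command_line: str


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style tokenizer: whitespace separates, double quotes group."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def classify_mshta(cmdline: str) -> Optional[str]:
    """Return a reason string if the command line is a suspicious mshta.exe launch."""
    tokens = split_cmdline(cmdline)
    if not tokens or not MSHTA_RE.search(tokens[0]):
        return None                      # some other image; not our concern here
    if len(tokens) == 1:
        return None                      # bare mshta.exe only opens a file dialog
    target = tokens[1]
    if SCRIPT_SCHEME_RE.match(target):
        return "inline script URI passed to mshta.exe"
    if REMOTE_URL_RE.match(target):
        return "remote URL passed to mshta.exe"
    ext = ntpath.splitext(target)[1].lower()
    if ext != ".hta":
        # The case described in the text: HTA content hidden in a file that does
        # not look like one (e.g. named like a PGP key). mshta.exe does not require
        # the .hta extension and parses the content anyway.
        return f"mshta.exe executing non-.hta file ({ext or 'no extension'})"
    if USER_WRITABLE_RE.search(target):
        return ".hta launched from a user-writable directory"
    return None


def scan_logs(lines: list[str]) -> list[Finding]:
    """Parse 'timestamp|host|user|command line' records and collect findings."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            _ts, host, user, cmdline = line.split("|", 3)
        except ValueError:
            continue                     # malformed record: skip rather than crash
        reason = classify_mshta(cmdline)
        if reason:
            findings.append(Finding(line_no, host, user, reason, cmdline))
    return findings


# Constructed sample records (hypothetical hosts, users and paths).
SAMPLE_LOGS = [
    r'2024-07-02T10:15:03Z|HOST01|alice|mshta.exe "C:\Program Files\Vendor\setup.hta"',
    r"2024-07-02T10:16:40Z|HOST01|alice|mshta.exe C:\Users\alice\Downloads\secret_key.asc",
    r'2024-07-02T10:17:12Z|HOST02|bob|"C:\Windows\SysWOW64\mshta.exe" vbscript:Execute("MsgBox 1:close")',
    r"2024-07-02T10:18:00Z|HOST02|bob|mshta.exe https://example.invalid/stage2",
    r"2024-07-02T10:19:22Z|HOST03|carol|C:\Windows\System32\notepad.exe C:\Users\carol\notes.txt",
    r"2024-07-02T10:20:05Z|HOST03|carol|C:\Windows\System32\mshta.exe C:\Users\carol\AppData\Local\Temp\update.hta",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f.line_no} {f.host}/{f.user}: {f.reason}\n    {f.command_line}")
```

In a real pipeline the image and command line would come from Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled) rather than from a flat text file; the classification logic is the same. The heuristic is deliberately narrow, so a legitimate .hta shipped under Program Files passes while the PGP-key lookalike, inline script URIs, remote URLs, and .hta files dropped into user-writable paths are all surfaced.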
Phishing campaigns have also been observed delivering Remcos RAT, with a new Eastern European threat actor called Unfurling Hemlock leveraging loaders and emails to drop binaries that act as a “cluster bomb” to spread multiple malware strains simultaneously.
“Malware distributed using this technique mainly consists of stealers like RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader,” Outpost24 researcher Hector Garcia said.
“Most of the first stages were detected as being sent by email to different companies or being dropped from external sites accessed by external loaders.”