The FakeBat Loader malware is widely distributed through Drive-by Download attacks

By Admin | July 6, 2024
July 3, 2024 | Malware / SEO Poisoning

A Loader-as-a-Service (LaaS) offering known as FakeBat has become one of the most widespread loader malware families distributed via the drive-by download technique this year, according to findings from Sekoia.

“FakeBat is primarily aimed at loading and executing a next-stage payload, e.g. IcedID, Lumma, RedLine, SmokeLoader, SectopRAT and Ursnif,” the company said in Tuesday’s analysis.

Drive-by attacks involve the use of techniques such as search engine optimization (SEO), malicious advertising, and injecting malicious code into compromised sites to trick users into downloading fake software installers or browser updates.

The use of malware loaders over the past few years has gone hand in hand with the growing use of landing pages that mimic legitimate software websites and serve as lures for the fake installers. This fits a broader picture in which phishing and social engineering remain among the main ways for threat actors to gain initial access.

FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022.

The loader is designed to bypass security mechanisms and lets customers generate builds from templates to trojanize legitimate software, as well as monitor installations over time through an admin panel.

While earlier versions used the MSI format for malware builds, the latest iterations seen since September 2023 switched to the MSIX format and digitally signed the installer with a valid certificate to bypass Microsoft SmartScreen protection.

The malware is available for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the MSI and signature combo pack.

Sekoia said it identified several distinct activity clusters spreading FakeBat through three main approaches: impersonating popular software via malicious Google ads, fake web browser updates served through compromised sites, and social engineering schemes on social media. These include campaigns likely associated with the FIN7 group, Nitrogen and BATLOADER.

“In addition to hosting payloads, FakeBat command-and-control (C2) servers are very likely filtering traffic based on characteristics such as the User-Agent value, IP address, and location,” Sekoia said. “It allows the distribution of malware for specific purposes.”

The disclosure comes as AhnLab Security Intelligence Center (ASEC) detailed a malware campaign that distributes another loader, DBatLoader (aka ModiLoader and NatsoLoader), via invoice-themed phishing emails.

It also follows the discovery of infection chains spreading Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to ultimately deliver the Lumma information stealer.

“This IDAT Loader campaign uses a complex infection chain that contains multiple layers of direct code-based obfuscation along with innovative techniques to further hide the maliciousness of the code,” Kroll researcher Dave Truman said.

“The infection involved using Microsoft’s mshta.exe to execute code hidden deep within a specially crafted file that masqueraded as a PGP secret key. The campaign used new adaptations of common techniques and heavy obfuscation to hide the malicious code from detection.”
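The mshta.exe abuse Kroll describes leaves a simple trace in process-creation telemetry: the HTML Application host is launched with an argument that is not an .hta file at all (here, a file posing as a PGP key). The following is an added detection example written for this article; it is not code from Kroll, Sekoia or the article's author. It parses constructed Sysmon-style `Image=... CommandLine=... ParentImage=...` lines (the log format, field names and file paths are assumptions made up for the example) and flags mshta.exe runs whose script argument is a local non-HTA file or a remote URL. Matching on the extension is a heuristic: an attacker can rename the lure to .hta, so in practice pair this with parent-process context and content inspection of the file.

```python
"""Flag suspicious mshta.exe invocations in process-creation log lines.

Added detection example, not from the article or the vendors it quotes.
The log format (key=value, quoted CommandLine) and every path below are
constructed for this example.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events (Sysmon-like, simplified). The first line models
# the case from the article: mshta.exe fed a file masquerading as a PGP key.
SAMPLE_LOGS = [
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Users\\alice\\Downloads\\private.asc" ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe C:\\Tools\\report.hta" ParentImage=C:\\Windows\\explorer.exe',
    'Image=C:\\Windows\\System32\\mshta.exe CommandLine="mshta.exe https://example.invalid/update" ParentImage="C:\\Program Files\\Vendor\\setup.exe"',
    'Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe C:\\Users\\alice\\notes.txt" ParentImage=C:\\Windows\\explorer.exe',
]

MSHTA = "mshta.exe"
# key=value pairs; the value is either a double-quoted string or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    severity: str
    reason: str
    command_line: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value event line into a dict, quotes stripped."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def script_argument(command_line: str) -> Optional[str]:
    """Return the first argument handed to mshta.exe, or None if there is none.

    posix=False keeps Windows backslashes intact and preserves quoted tokens.
    """
    tokens = shlex.split(command_line, posix=False)
    if len(tokens) < 2:
        return None
    return tokens[1].strip('"')


def assess_mshta(event: Dict[str, str]) -> Optional[Finding]:
    """Classify a single event; only mshta.exe process creations are assessed."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != MSHTA:
        return None
    cmd = event.get("CommandLine", "")
    arg = script_argument(cmd)
    if arg is None:
        return None  # bare mshta.exe with no script: nothing to judge here
    lowered = arg.lower()
    if lowered.startswith(("http://", "https://")):
        return Finding("medium", "mshta.exe fetching a remote script", cmd)
    ext = ntpath.splitext(lowered)[1]
    if ext != ".hta":
        # The article's case: a file that claims to be something else (.asc PGP key)
        # but is being executed as an HTML Application.
        return Finding("high", f"mshta.exe executing a non-HTA file ({ext or 'no extension'})", cmd)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run the assessment over a batch of log lines and collect findings."""
    findings: List[Finding] = []
    for line in lines:
        finding = assess_mshta(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.reason}: {f.command_line}")
```

On the constructed sample, the .asc lure is reported as high severity and the remote-URL launch as medium, while the genuine .hta and the notepad event produce nothing. Because the page says the same chain used heavy obfuscation inside the lure file, this process-level check is the cheap first signal; the file contents are what an analyst would examine next.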

Phishing campaigns have also been observed delivering the Remcos RAT, while a new Eastern European threat actor called Unfurling Hemlock uses loaders and email to drop binaries that act as a “cluster bomb”, spreading multiple malware families at once.

“Malware distributed using this technique mainly consists of stealers like RedLine, RisePro and Mystic Stealer, and loaders such as Amadey and SmokeLoader,” Outpost24 researcher Hector Garcia said.

“Most of the early stages were found to have been emailed to different companies or dropped from external sites accessed by external loaders.”
