Cybersecurity researchers have discovered a spike in malware infections as a result of malicious ad campaigns that distribute a downloader called FakeBat.
“These attacks are opportunistic and target users looking for popular business software,” Mandiant's Managed Defense team said in a technical report. “The infection uses an MSIX installer trojan that executes a PowerShell script to download an additional payload.”
FakeBat, which is also called EugenLoader and PaykLoader, is associated with a threat actor named Eugenfest. The Google-owned threat intelligence team tracks the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.
Attack chains propagating the malware use malvertising techniques to direct users searching for popular software to lookalike sites hosting trojanized MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, malware associated with the FIN7 cybercrime group.
“UNC4536’s modus operandi involves using malicious advertisements to distribute trojanized MSIX installers disguised as popular software such as Brave, KeePass, Notion, Steam, and Zoom,” Mandiant said. “These trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, enticing users to download them.”
What makes the attack notable is the use of MSIX installers disguised as Brave, KeePass, Notion, Steam, and Zoom, which have the ability to execute a script before starting the main application via a configuration called startScript.
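As an added illustration of the startScript mechanism described above (this is not code from the article or from Mandiant), the following script opens an MSIX package, which is a zip archive, and reports any Package Support Framework config.json entry that declares a startScript, a cheap triage check for an installer of unknown origin. The config.json key names (applications, startScript, scriptPath, waitForScriptToFinish) follow the PSF layout as assumed here, and the sample package is constructed in memory.

```python
import io
import json
import zipfile


def find_start_scripts(msix_bytes: bytes) -> list:
    """Return every startScript entry declared in the package's config.json."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as pkg:
        names = pkg.namelist()
        # PSF stores its configuration at the package root as config.json
        config_name = next((n for n in names if n.lower() == "config.json"), None)
        if config_name is None:
            return findings  # no PSF config, so no startScript is possible
        config = json.loads(pkg.read(config_name))
        for app in config.get("applications", []):
            start = app.get("startScript")
            if not start:
                continue
            script_path = start.get("scriptPath", "")
            findings.append({
                "app_id": app.get("id", ""),
                "executable": app.get("executable", ""),
                "script_path": script_path,
                "wait_for_finish": bool(start.get("waitForScriptToFinish", False)),
                # a script bundled in the package is easier to pull for analysis
                "script_in_package": script_path in names,
            })
    return findings


def build_sample_msix(config: dict, extra_files: dict) -> bytes:
    """Construct an in-memory package: a zip holding config.json plus extra files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("config.json", json.dumps(config))
        for name, data in extra_files.items():
            pkg.writestr(name, data)
    return buf.getvalue()


# Constructed sample modelled on the page's description: an installer posing as
# a legitimate app whose PSF config runs a PowerShell script before the app starts.
SAMPLE_CONFIG = {"applications": [{
    "id": "App",
    "executable": "VFS\\ProgramFilesX64\\App\\app.exe",
    "startScript": {"scriptPath": "StartingScript.ps1", "waitForScriptToFinish": True},
}]}
SAMPLE_PACKAGE = build_sample_msix(SAMPLE_CONFIG, {"StartingScript.ps1": b"# placeholder"})

if __name__ == "__main__":
    for hit in find_start_scripts(SAMPLE_PACKAGE):
        print(f"startScript found: app={hit['app_id']} script={hit['script_path']}")
```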
UNC4536 is essentially a malware distributor, meaning that FakeBat acts as a means of delivering next-stage payloads to its business partners, including FIN7.
“NUMOZYLOD collects system information, including information about the operating system, domain join, and installed antivirus products,” Mandiant said. “In some variants, it collects the host’s public IPv4 and IPv6 addresses and sends that information to its C2 (and) creates a shortcut (.lnk) in the StartUp folder as its persistence.”
The disclosure comes just over a month after Mandiant detailed the attack lifecycle associated with another malware loader called EMPTYSPACE (aka BrokerLoader or Vetta Loader), used by a financially motivated threat cluster called UNC4990 to facilitate data theft and hacking activities targeting Italian organizations.