FakeBat Malware Spreads Through Drive-by Downloads

The loader-as-a-service (LaaS) known as FakeBat has become one of the most prevalent loader malware families this year, spread primarily through drive-by download attacks.

“FakeBat is mainly designed to download and execute subsequent payloads like IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif,” the company stated in a recent analysis.

Drive-by download attacks involve tactics such as search engine optimization (SEO) poisoning, malvertising, and malicious code injections into compromised sites, tricking users into downloading fake software installers or browser updates.

In recent years, the use of malware loaders has increased alongside the rise of landing pages that impersonate legitimate software websites, presenting themselves as genuine installers. This highlights the broader trend of phishing and social engineering as primary methods for threat actors to gain initial access.

FakeBat, also known as EugenLoader and PaykLoader, has been offered as a LaaS subscription on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk_34) since at least December 2022. The loader is designed to bypass security mechanisms, offering options to generate builds that trojanize legitimate software and monitor installations via an administration panel.

While early versions of FakeBat used the MSI format for malware builds, recent iterations since September 2023 have switched to the MSIX format and added a digital signature with a valid certificate to bypass Microsoft SmartScreen protections.
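One defensive triage step that follows from this is to look at who actually signed a suspicious MSIX installer rather than only whether it is signed: MSIX is a ZIP container whose AppxManifest.xml carries the package Identity, and Windows requires the manifest Publisher to match the signing certificate subject, so a trojanized "popular software" package signed with a purchased certificate will name a publisher other than the real vendor. The script below is an added example, not code from the original article or from any vendor named in it; the package names, publisher strings and the expected-publisher allowlist are constructed assumptions, and it checks only for the presence of the signature blob, not its cryptographic validity.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Package/Identity elements in an AppxManifest.xml.
MANIFEST_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

def triage_msix(data: bytes, expected_publishers: dict) -> dict:
    """Return the package identity, whether it carries a signature blob,
    and whether the publisher matches what the claimed product should use.
    expected_publishers maps package Name -> expected Publisher (allowlist)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "AppxManifest.xml" not in names:
            raise ValueError("not an MSIX/APPX package: AppxManifest.xml missing")
        root = ET.fromstring(zf.read("AppxManifest.xml"))
    ident = root.find(MANIFEST_NS + "Identity")
    if ident is None:
        raise ValueError("manifest has no Identity element")
    name = ident.get("Name", "")
    publisher = ident.get("Publisher", "")
    expected = expected_publishers.get(name)
    return {
        "name": name,
        "publisher": publisher,
        # AppxSignature.p7x is present when the package was signed at all.
        "signed": "AppxSignature.p7x" in names,
        # A valid certificate from the wrong publisher is the signal here.
        "publisher_mismatch": expected is not None and publisher != expected,
        "unknown_product": expected is None,
    }

def build_sample_msix(name: str, publisher: str, signed: bool) -> bytes:
    """Constructed fixture: a minimal package layout, not a real installer."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="{name}" Publisher="{publisher}" Version="1.0.0.0"/>'
        '</Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:
            zf.writestr("AppxSignature.p7x", b"placeholder signature blob")
    return buf.getvalue()
```

Run it over an installer fetched from an ad-linked download page and compare the Publisher against the vendor's known certificate subject before allowing installation.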

FakeBat is available for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature package.

The researcher identified different activity clusters distributing FakeBat through three main methods: impersonating popular software via malicious Google ads, fake web browser updates from compromised sites, and social engineering schemes on social networks. These campaigns are likely related to groups such as FIN7, Nitrogen, and BATLOADER.

“In addition to hosting payloads, FakeBat command-and-control servers likely filter traffic based on characteristics like the User-Agent value, IP address, and location,” the researcher noted. “This enables targeted distribution of the malware.”

The disclosure coincides with a report detailing a malware campaign using another loader called DBatLoader (aka ModiLoader and NatsoLoader), spread through invoice-themed phishing emails.

Additionally, infection chains have been discovered propagating Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to deliver the Lumma information stealer using an uncommon technique known as Borland Package Library (BPL) side-loading.

Phishing campaigns have also been observed distributing Remcos RAT, with a new Eastern European threat actor dubbed Unfurling Hemlock using loaders and emails to drop binary files that act as a “cluster bomb,” spreading various malware strains at once.

Preventing FakeBat loader malware requires a multi-layered security approach. Users should avoid downloading software from untrusted sources and be cautious of unsolicited browser updates or software installers. Employing robust antivirus and anti-malware solutions with real-time scanning can help detect and block malicious downloads.