
Three FakeBat campaigns exploit drive-by vulnerabilities for distribution

FakeBat, also known as EugenLoader or PaykLoader, has been distributed via three different drive-by download campaigns that rely on malicious ads, fake web browser updates, and social engineering techniques.

These drive-by campaigns combine SEO poisoning, malvertising, and code injection into compromised websites. The goal is to trick users into downloading malware disguised as legitimate applications or browser updates.

FakeBat, also known as EugenLoader or PaykLoader, has become a significant player in the malware landscape. This loader is primarily designed to download and execute various malicious payloads, including infostealers, botnets, Remote Access Trojans (RATs), and post-exploitation frameworks. It is worth noting that this loader has been used to distribute malware such as IcedID, Lumma, RedLine, SmokeLoader, SectopRat, and Ursnif.

Customers who purchase this service gain access to an administrative panel that allows them to generate FakeBat builds, manage distributed payloads, and monitor installations. Researchers have also observed that this Malware-as-a-Service (MaaS) model provides templates for Trojanizing legitimate software, encouraging victims to execute FakeBat.

In September 2023, researchers discovered that FakeBat operators had launched a new advertising campaign on cybercrime forums and Telegram channels, introducing MSIX as a new format for their malware builds. They also signed the builds with a valid certificate to bypass Microsoft SmartScreen security features.

Since January 2024, numerous FakeBat malvertising campaigns using trusted advertising platforms such as Google Ads have placed malicious websites at the top of search results. These websites often mimic the official homepages or download pages of popular software. Victims are redirected to download FakeBat when they try to download software from these pages.

Malicious AnyDesk site posing as a genuine one. Note the domain name: amydlesk.com | Source: Sekoia

Software that has been targeted by cybercriminals includes:

  • 1Password
  • Advanced SystemCare
  • AnyDesk
  • Bandicam
  • Mixer
  • Braavos
  • Cisco Webex
  • Epic Games
  • Google Chrome
  • Inkscape
  • Microsoft OneNote
  • Microsoft Teams
  • Concept
  • OBS Studio
  • Open project
  • Play WGT Golf
  • Python
  • Shapr3D
  • Todoist
  • Commercial View
  • Trello
  • Software
  • Bull
  • WinRAR
  • Magnification

Researchers also discovered a large infrastructure of over 120 infected websites that distribute FakeBat via fake browser updates. These websites, usually based on WordPress, are injected with malicious HTML and JavaScript code. Users are tricked into believing they need to update their Chrome browser, leading them to download FakeBat.

One of the 120 infected websites distributing FakeBat. | Source: Sekoia

“These compromised sites are WordPress sites that have been injected with malicious HTML and JavaScript code, designed to mislead users into thinking they need to update their Chrome browser due to a discovered exploit,” the researchers explained. “We believe this number is an underestimate, and it is likely that the compromised site infrastructure includes several thousand WordPress sites.”

Malicious Web3 Chat App Website | Source: Sekoia

The third distribution cluster, discovered in May 2024, involves a campaign targeting the Web3 community. Cybercriminals created a fake Web3 chat app called getmess(.)io using a dedicated website, verified social media profiles, and promotional videos. Access to the download URL required an invitation code, which increased the credibility of the fake app and hid the payload from bots and researchers.

The FakeBat infrastructure has been under heavy scrutiny since December 2023. Initially, the PowerShell script used to communicate with C2 servers was simple, but by December it had been heavily obfuscated. The script stopped fingerprinting the infected host and communicated with C2 servers via new URL endpoints.

From December 2023 to March 2024, FakeBat used the URL endpoint “/check.php” for C2 communication. In March 2024, researchers discovered that the script communicating with C2 servers used the endpoints “/profile/” and “/profile1/”, and later “/buy/”. The C2 domains were hosted on dedicated IP addresses, and the operators anonymized the WHOIS records to hinder tracking.
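A hunting heuristic over web-proxy logs that combines two indicators the article describes, the C2 URI endpoints and the typosquatted download domain (amydlesk.com). This is an added example, not Sekoia's or the article's own tooling; the log line format, the brand watchlist and the sample log lines are constructed assumptions.

```python
"""Flag proxy-log lines matching FakeBat indicators described in the article."""
import re
from typing import Dict, List, Optional

# C2 URI endpoints the article reports for FakeBat's PowerShell stage.
FAKEBAT_C2_PATHS = ("/check.php", "/profile/", "/profile1/", "/buy/")

# Assumed watchlist: official domains of products the article lists as impersonated.
BRAND_DOMAINS = ("anydesk.com", "1password.com", "trello.com")

# Assumed proxy log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/ ]+)(?P<path>\S*) (?P<status>\d{3})$"
)

# Constructed sample lines (documentation IP ranges, no real infrastructure).
SAMPLE_LOG = [
    "2024-03-12T10:01:07Z 10.0.0.21 GET https://amydlesk.com/download/AnyDesk.msix 200",
    "2024-03-12T10:01:43Z 10.0.0.21 POST https://198.51.100.7/profile/ 200",
    "2024-03-12T10:02:10Z 10.0.0.34 GET https://anydesk.com/en/downloads 200",
    "2024-01-08T09:30:00Z 10.0.0.40 POST https://203.0.113.5/check.php?id=1 200",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquats such as amydlesk.com vs anydesk.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host: str, max_dist: int = 2) -> Optional[str]:
    """Return the brand domain this host imitates, or None if exact/unrelated."""
    host = host.lower()
    for brand in BRAND_DOMAINS:
        if host != brand and levenshtein(host, brand) <= max_dist:
            return brand
    return None

def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per indicator hit; a line can produce several."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        host, path = m["host"], (m["path"] or "/").split("?")[0]
        if path in FAKEBAT_C2_PATHS:  # exact match keeps /profile/settings out
            hits.append({"src": m["src"], "host": host, "reason": f"FakeBat C2 path {path}"})
        brand = lookalike_of(host)
        if brand:
            hits.append({"src": m["src"], "host": host, "reason": f"lookalike of {brand}"})
    return hits
```

Correlate the two finding types by client IP: a lookalike download followed minutes later by a C2 endpoint request from the same host is the sequence the article describes and is a much stronger signal than either hit alone.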

Researchers urge users to download software only from trusted sources, to install antivirus software on their computers, and to never open links received on social media.
