
Three FakeBat campaigns exploit drive-by flaws for distribution


The threat actor Eugenfest, aka Payk_34, has been distributing FakeBat via three different drive-by download campaigns on various social networks, using malvertising, fake web browser updates, and social engineering techniques.

This technique involves SEO poisoning, malvertising, and code injection into compromised websites, aiming to deceive users into downloading malicious software masquerading as legitimate applications or browser updates.

FakeBat, also known as EugenLoader or PaykLoader, has emerged as a significant player in the malware landscape. This loader primarily aims to download and execute various malicious payloads, including infostealers, botnets, remote access trojans (RATs), and post-exploitation frameworks. Notably, this loader has been used to distribute malware such as IcedID, Lumma, RedLine, SmokeLoader, SectopRat, and Ursnif.

Customers who purchase this service gain access to an administration panel that allows them to generate FakeBat builds, manage distributed payloads, and monitor installations. Researchers have also observed that this Malware-as-a-Service (MaaS) model provides templates to trojanise legitimate software, enticing victims to execute FakeBat.

In September 2023, researchers discovered that FakeBat operators launched a new advertising campaign on cybercrime forums and Telegram channels, introducing MSIX as a new format for their malware builds. They also incorporated a digital signature with a valid certificate to bypass Microsoft SmartScreen security features.

Since January 2024, numerous FakeBat malvertising campaigns using trusted advertising platforms such as Google Ads have been displayed at the top of search engine results. These websites often mimic the official homepages or download pages of popular software. Victims are redirected to download FakeBat when they attempt to download software from these pages.

[Image] Malicious AnyDesk website masquerading as the original one. Note the domain name: amydlesk.com | Source: Sekoia

The software that the threat actors targeted includes:

  • 1Password
  • Advanced SystemCare
  • AnyDesk
  • Bandicam
  • Blender
  • Braavos
  • Cisco Webex
  • Epic Games
  • Google Chrome
  • Inkscape
  • Microsoft OneNote
  • Microsoft Teams
  • Notion
  • OBS Studio
  • OpenProject
  • Play WGT Golf
  • Python
  • Shapr3D
  • Todoist
  • Trading View
  • Trello
  • VMware
  • Webull
  • WinRAR
  • Zoom

Researchers also uncovered a large infrastructure of over 120 compromised websites distributing FakeBat through fake web browser updates. These websites, typically WordPress-based, are injected with malicious HTML and JavaScript. Users are deceived into believing they need to update their Chrome browser, leading them to download FakeBat.

[Image] One of the 120 compromised websites distributing FakeBat. | Source: Sekoia

“These compromised websites are WordPress sites injected with malicious HTML and JavaScript designed to mislead users into thinking they need to update their Chrome browser due to a detected exploit,” explained researchers. “We believe that this number is underestimated, and it is likely that the infrastructure of compromised websites includes several thousands of WordPress sites.”

[Image] Malicious web3 chat application website. | Source: Sekoia

The third distribution cluster, discovered in May 2024, comprises a campaign targeting the Web3 community. Cybercriminals created a fake Web3 chat application called getmess[.]io using a dedicated website, verified social media profiles, and promotional videos. Access to the download URL required an invitation code, increasing the trustworthiness of the fake application and hiding the payload from bots and researchers.

The FakeBat infrastructure has been under close surveillance since December 2023. Initially, the PowerShell script used for communication with C2 servers was straightforward, but it became heavily obfuscated by December. The script ceased fingerprinting the infected host and communicated with C2 servers through new URL endpoints.

From December 2023 to March 2024, FakeBat used the URL endpoint “/check.php” for C2 communication. By March 2024, researchers discovered that the script was communicating with C2 servers using the endpoints “/profile/”, “/profile1/”, and later “/buy/”. These domains were hosted on specific IP addresses, and the operators anonymised Whois records for defence evasion.
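Defenders reviewing web proxy logs can treat the endpoints above as a weak indicator. The following is an added example, not code from the article or from Sekoia, that scans constructed proxy log lines for requests to the reported FakeBat C2 paths. Because paths such as “/buy/” are common on legitimate sites, the check only flags a request when the client user agent is the default one sent by PowerShell's web cmdlets; that pairing is an assumption made here, since the article states the C2 script is PowerShell but does not say which user agent it sends, and operators can set a custom one. The log format, hostnames and IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# C2 URL endpoints reported for FakeBat in the article (Dec 2023 to Mar 2024 and later).
FAKEBAT_C2_PATHS = {"/check.php", "/profile/", "/profile1/", "/buy/"}

# Hypothetical proxy log format (constructed for this example):
# <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    timestamp: str
    client: str
    url: str
    reason: str


def url_path(url: str) -> str:
    """Return only the path component of a URL (scheme, host and query string dropped)."""
    m = re.match(r'^(?:https?://[^/]+)?(?P<path>/[^?#]*)', url)
    return m.group("path") if m else url


def is_powershell_client(user_agent: str) -> bool:
    """Heuristic: PowerShell's Invoke-WebRequest / Invoke-RestMethod default user agent
    contains "WindowsPowerShell/<version>" (Windows PowerShell 5.x) or "PowerShell/<version>"
    (PowerShell 7). Assumption: the loader does not override the default user agent."""
    return "WindowsPowerShell" in user_agent or "PowerShell" in user_agent


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Flag requests to a reported FakeBat C2 endpoint made by a PowerShell client."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        path = url_path(m.group("url"))
        if path not in FAKEBAT_C2_PATHS:
            continue
        if not is_powershell_client(m.group("ua")):
            # A browser fetching /buy/ on a shop is normal traffic; only the
            # PowerShell-client plus C2-path combination is worth an alert.
            continue
        hits.append(Hit(
            timestamp=m.group("ts"),
            client=m.group("client"),
            url=m.group("url"),
            reason=f"PowerShell client requested reported FakeBat C2 endpoint {path}",
        ))
    return hits


# Constructed sample log lines (not real traffic); hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    '2024-03-12T10:01:02Z 10.0.0.15 POST http://c2.example.invalid/profile/ 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3803"',
    '2024-03-12T10:01:05Z 10.0.0.15 GET http://c2.example.invalid/check.php?id=1 200 '
    '"Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.3803"',
    '2024-03-12T10:02:00Z 10.0.0.22 GET https://shop.example.invalid/buy/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
    '2024-03-12T10:03:00Z 10.0.0.31 GET https://www.example.invalid/index.html 200 '
    '"Mozilla/5.0 Firefox/124.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.url}: {hit.reason}")
```

On the constructed sample the scan flags the two PowerShell requests to “/profile/” and “/check.php” from 10.0.0.15 and ignores the browser's visit to a legitimate “/buy/” page. The path set is deliberately exact-match; correlating the source host with recent MSIX installer downloads or a visit to a lookalike software domain would give a higher-confidence alert than the path alone.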

Researchers have urged users to download software from trusted sources, install an antivirus solution on their computers, and never open any links on social media platforms.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
