Drive-by Download Attacks Become Distribution Medium For FakeBat Malware
2024-07-17 15:00:43 Author: securityboulevard.com

Recent findings have revealed that the Loader-as-a-Service (LaaS) known as FakeBat is now one of the most widespread malware families in the world. FakeBat relies on drive-by downloads as its distribution technique to compromise targets. In this article, we’ll learn more about the FakeBat malware and the threats it entails.

Understanding Drive-by Download FakeBat Malware Attacks

Sekoia, in their findings, have stated that “FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.”

To further comprehend drive-by attacks used in distributing the FakeBat malware, one must know that this technique entails the use of methods such as search engine optimization (SEO) poisoning.

Some other techniques that are also used include malvertising and malicious code injections into compromised sites. The aim of these techniques is to get targeted users to download bogus software or browser updates.

These social engineering tactics are one of the main ways threat actors acquire initial access. The FakeBat malware loader has been designed to bypass security mechanisms. Such capabilities enable threat actors to trojanize software and monitor installations.

Loader-as-a-Service (LaaS) Availability

The Loader-as-a-Service (LaaS) FakeBat malware loader, also known as EugenLoader and PaykLoader, is offered to cybercriminals on a subscription basis. Cybercriminals can procure it on underground forums from a Russian-speaking threat actor going by the name of Eugenfest.

It’s worth mentioning here that this loader has been available since December 2022. Reports have mentioned that pricing for the FakeBat malware loader depends on the installer format:

  • $1,000 per week and $2,500 per month for the MSI format.
  • $1,500 per week and $4,000 per month for the MSIX format.
  • $1,800 per week and $5,000 per month for the combined MSI and signature package.
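The distribution pattern described above (users lured through SEO poisoning, malvertising or compromised sites into fetching a bogus MSI/MSIX "software update") leaves a recognisable trace in web-proxy logs: an installer package downloaded from a host that is not the software vendor's, often with a referrer pointing at an ad network or an unrelated website. The following detection sketch is an added example written for this article, not code from the Sekoia report or from TuxCare; the log format, host names and vendor allowlist are constructed for illustration and would be replaced by an organisation's own proxy format and known-good download hosts.

```python
"""Added example (not part of the original post): flag installer downloads in
web-proxy logs that match the drive-by installer pattern described in the
article. All log lines, host names and the allowlist below are constructed."""
import re
from urllib.parse import urlparse

# Constructed sample lines in a simplified, space-separated proxy format:
# timestamp client_ip status bytes method url referer ("-" when absent)
SAMPLE_PROXY_LOG = """\
1721200001.001 10.0.0.12 200 5128 GET https://www.example-vendor.com/downloads/setup.msi -
1721200002.002 10.0.0.13 200 20480 GET https://notepad-plus-plus-update.example/np-update.msix https://ads.example/click?id=123
1721200003.003 10.0.0.14 200 1024 GET https://www.example-vendor.com/docs/index.html -
1721200004.004 10.0.0.15 200 30000 GET https://browser-update-now.example/ChromeUpdate.msix https://blog.example/wp-content/in.js
1721200005.005 10.0.0.16 200 4096 GET https://cdn.example-vendor.com/tools/tool.exe -
"""

# Assumed allowlist of first-party download hosts (constructed for the example).
VENDOR_DOWNLOAD_HOSTS = {"www.example-vendor.com", "cdn.example-vendor.com"}

# Installer package extensions worth reviewing; MSI and MSIX are the formats
# the article names for FakeBat.
INSTALLER_EXT = re.compile(r"\.(msi|msix|msixbundle|exe)$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, status, size, method, url, referer = parts
    return {
        "ts": float(ts),
        "client": client,
        "status": int(status),
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
    }


def is_installer(url):
    """True when the URL path ends in an installer extension."""
    return bool(INSTALLER_EXT.search(urlparse(url).path))


def classify(entry):
    """Return a finding dict for suspicious installer downloads, else None."""
    if not is_installer(entry["url"]):
        return None
    host = urlparse(entry["url"]).hostname or ""
    if host in VENDOR_DOWNLOAD_HOSTS:
        return None  # first-party download: expected behaviour
    reasons = ["installer fetched from non-allowlisted host"]
    ref_host = urlparse(entry["referer"]).hostname if entry["referer"] else None
    if ref_host and ref_host != host:
        # Arrived from another site (ad click, compromised page): the
        # malvertising / injected-code path the article describes.
        reasons.append(f"cross-site referer {ref_host}")
    return {"client": entry["client"], "host": host, "reasons": reasons}


def scan_log(text):
    """Run the classifier over every successfully completed download."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["status"] == 200:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_PROXY_LOG):
        print(f"{f['client']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

The allowlist approach is deliberately conservative: a first-party host serving its own installer is never flagged, while any installer from elsewhere is surfaced for review, with a cross-site referrer raising the priority. In practice the allowlist would be seeded from an organisation's approved software sources, and the output fed to an analyst queue rather than used to block automatically.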

Fake Software Installers As Distribution Mediums

Clusters disseminating the FakeBat malware use three primary approaches, including fake web browser updates through compromised online platforms, social engineering schemes, and impersonating popular software. The report from Sekoia, shedding light on the loader’s capabilities, further states that:

“In addition to hosting payloads, FakeBat [command-and-control] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location. This enables the distribution of the malware to specific targets.”

It’s worth mentioning here that the disclosure of the FakeBat malware comes in light of the AhnLab Security Intelligence Center (ASEC) detailing a malware campaign that distributed another loader: DBatLoader. This loader was distributed using invoice-themed phishing emails.

In addition, it also follows the identification of infection chains linked to the Hijack Loader. This loader was distributed via pirated movie sites and ultimately aimed to deliver the Lumma information stealer.

Conclusion

The rise of FakeBat malware highlights the evolving tactics of cybercriminals and the persistent threat of drive-by downloads. The collaboration between cybersecurity firms and law enforcement is crucial in combating these sophisticated threats. Continued vigilance and proactive security are essential to safeguarding the digital landscape from malicious actors and their ever-advancing techniques.

The sources for this piece include articles in The Hacker News and SC Magazine.

The post Drive-by Download Attacks Become Distribution Medium For FakeBat Malware appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/drive-by-download-attacks-become-distribution-medium-for-fakebat-malware/


Source: https://securityboulevard.com/2024/07/drive-by-download-attacks-become-distribution-medium-for-fakebat-malware/