Exploring Fake-Bat Loaders: Distribution Tactics and Cybercrime Networks

During the first half of 2024 there was a significant increase in threats distributed through drive-by downloads, among them the FakeBat loader (formerly known as EugenLoader or PaykLoader). Over the past few years cybercriminals have increasingly relied on this method to spread malware, infecting unsuspecting users while they browse the web.

A drive-by download relies on tricks such as SEO poisoning, malvertising and malicious code injected into compromised websites to push the download. Through these methods, users are lured into downloading fake software or fake updates and, as a result, unwittingly install malware such as loaders (FakeBat, BatLoader), botnets (IcedID, PikaBot) and others. Cybercriminals have increasingly used drive-by downloads in recent years to deliver malware to users' computers through their web browsers.

The technique generally combines poisoned search engine results, malicious ads and code injected into compromised websites to trick users into downloading fake software installers or browser updates that are harmful to their computers. Drive-by downloads are used by multiple intrusion sets to distribute loaders (such as FakeBat, BatLoader), botnets (such as IcedID, PikaBot), information stealers (such as Vidar, Lumma, Redline), post-exploitation frameworks (such as Cobalt Strike, Sliver) and reconnaissance systems (such as NetSupport), among many others.

Some of these attacks have been observed being conducted by Initial Access Brokers (IABs) and have resulted in the deployment of ransomware (BlackCat, Royal) in several networks. In the early part of 2024, FakeBat (also known as EugenLoader or PaykLoader) was one of the most widely used drive-by-download loaders. FakeBat is designed to download and execute a next-stage payload, such as IcedID, Lumma, Redline, SmokeLoader, SectopRAT or Ursnif. Through its ongoing research, the Sekoia Threat Detection & Research (TDR) team discovered numerous campaigns distributing FakeBat in 2024.

These campaigns commonly rely on malvertising with landing pages that impersonate legitimate software, on fake web browser updates served from compromised websites, and on social engineering schemes run through social networks. The TDR team also closely monitored the FakeBat C2 infrastructure to identify newly added C2 servers and changes in FakeBat operations. The purpose of this FLINT is to present the activities of the FakeBat operators on cybercrime forums, to analyze campaigns that distributed FakeBat in previously undocumented ways, to provide technical details on its distribution campaigns, and to describe its C2 infrastructure.

TDR analysts also share several indicators of compromise (IoCs), YARA rules and heuristics that can be used to detect and track FakeBat distribution and C2 infrastructure. On the Exploit forum, the threat actor Eugenfest (aka Payk_34) has been selling FakeBat as a Loader-as-a-Service since at least December 2022. According to the seller's advertisement, FakeBat is a loader packaged in MSI format and is advertised as having "several anti-detection features, such as bypassing Google's Unwanted Software Policy and Windows Defender's alerts and being protected from VirusTotal detection".

FakeBat is sold as a Malware-as-a-Service (MaaS) that provides tools to trojanize legitimate software so that potential victims unwittingly execute the malicious code. Its administration panel records detailed information about each infected host: IP address, geographic location, operating system, web browser, the software that was impersonated, and installation status.

Clients of FakeBat can also attach comments to each bot entry, which helps them manage their infections. September 2023 marked a significant expansion for the FakeBat operators, who launched an aggressive advertising campaign across cybercrime forums and Telegram channels and introduced MSIX as a new format for malware builds. In addition, to bypass Microsoft SmartScreen warnings, the operators began signing the FakeBat installer with a legitimate certificate. The signature is included in the MSIX build and is optional for the MSI build, increasing the installer's perceived legitimacy and its ability to evade detection.

FakeBat kept its leading position in 2024 by employing a diverse array of distribution methods, including sites masquerading as legitimate software vendors and web domains compromised by injected malicious code. Sekoia has identified several domains associated with FakeBat's command-and-control (C2) infrastructure, such as 0212top[.]online, 3010cars[.]top and 756-ads-info[.]site. These domains are frequently registered under obscured or misleading ownership details, underscoring FakeBat's adaptability and the evolving landscape of cyber threats. The malware also proliferates through deceptive strategies such as fake software update campaigns.
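As an added defender-side illustration (not code from the original post or from Sekoia), the following Python sweeps DNS log lines for the three C2 domains quoted above, refanging the "[.]" notation the post uses and matching on label boundaries so that look-alike names are not flagged. The log format and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Iterable

# Defanged C2 domains exactly as quoted in the post (the notation most CTI feeds use).
FAKEBAT_C2_DEFANGED = ["0212top[.]online", "3010cars[.]top", "756-ads-info[.]site"]

# Constructed DNS log format for this example: "<timestamp> <client_ip> <query_name> <type>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<rtype>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '0212top[.]online' into a real domain name."""
    d = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    d = re.sub(r"^hxxps?://", "", d)          # also accept defanged URL prefixes
    return d.rstrip(".")                       # drop a trailing root dot


def domain_matches(queried: str, ioc_domain: str) -> bool:
    """True if `queried` is the IoC domain or one of its subdomains (label-boundary match,
    so a look-alike such as 'not3010cars.top' is not a hit)."""
    q = queried.lower().rstrip(".")
    return q == ioc_domain or q.endswith("." + ioc_domain)


def scan_dns_log(lines: Iterable[str], defanged_iocs=FAKEBAT_C2_DEFANGED) -> list[dict]:
    """Return one hit per log line whose query name falls under a FakeBat C2 domain."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip malformed lines instead of aborting
        for ioc in iocs:
            if domain_matches(m["qname"], ioc):
                hits.append({"ts": m["ts"], "src": m["src"], "qname": m["qname"], "ioc": ioc})
                break
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2024-05-02T10:14:07Z 10.0.0.23 www.google.com A",
    "2024-05-02T10:14:09Z 10.0.0.23 cdn.3010cars.top A",
    "2024-05-02T10:14:11Z 10.0.0.42 0212top.online. A",
    "2024-05-02T10:14:12Z 10.0.0.42 not3010cars.top A",
    "2024-05-02T10:14:13Z 10.0.0.57 756-ads-info.site TXT",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} queried {h['qname']} -> FakeBat C2 {h['ioc']}")
```

The same matcher can be pointed at any resolver or proxy export once LOG_RE is adjusted to that format; the important property is the boundary-aware comparison, which keeps a C2 sweep from drowning in substring false positives.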

Sekoia's investigations have uncovered instances where FakeBat mimicked updates for popular applications like AnyDesk and Google Chrome. Users are led to download malware under the guise of legitimate updates, illustrating the loader's sophisticated methods of system infiltration. Furthermore, FakeBat is recognized for its proficiency in drive-by download attacks, leveraging these tactics to evade detection and exploit system vulnerabilities effectively. In conclusion, FakeBat's expansive distribution strategies and continual evolution highlight its prominence in the realm of cybercrime, underscoring the persistent challenges faced by cybersecurity professionals in combating such threats.