Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat.
“These attacks are opportunistic in nature, targeting users seeking popular business software,” the Mandiant Managed Defense team said in a technical report. “The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to download a secondary payload.”
FakeBat, also called EugenLoader and PaykLoader, is linked to a threat actor named Eugenfest. The Google-owned threat intelligence team is tracking the malware under the name NUMOZYLOD and has attributed the Malware-as-a-Service (MaaS) operation to UNC4536.
Attack chains propagating the loader malware make use of drive-by download techniques to push users searching for popular software toward bogus lookalike sites that host booby-trapped MSI installers. Some of the malware families delivered via FakeBat include IcedID, RedLine Stealer, Lumma Stealer, SectopRAT (aka ArechClient2), and Carbanak, a malware associated with the FIN7 cybercrime group.
“UNC4536’s modus operandi involves leveraging malvertising to distribute trojanized MSIX installers disguised as popular software like Brave, KeePass, Notion, Steam, and Zoom,” Mandiant said. “These trojanized MSIX installers are hosted on websites designed to mimic legitimate software hosting sites, luring users into downloading them.”
What makes the attack notable is the use of MSIX installers disguised as Brave, KeePass, Notion, Steam, and Zoom, which have the ability to execute a script before launching the main application by means of a configuration called startScript.
UNC4536 is essentially a malware distributor, meaning FakeBat acts as a delivery vehicle for next-stage payloads for their business partners, including FIN7.
“NUMOZYLOD gathers system information, including operating system details, domain joined, and antivirus products installed,” Mandiant said. “In some variants, it gathers the public IPv4 and IPv6 address of the host and sends this information to its C2, [and] creates a shortcut (.lnk) in the StartUp folder as its persistence.”
The disclosure comes a little over a month after Mandiant also detailed the attack lifecycle associated with anther malware downloader named EMPTYSPACE (aka BrokerLoader or Vetta Loader), which has been used by a financially motivated threat cluster dubbed UNC4990 to facilitate data exfiltration and cryptojacking activities targeting Italian entities.