The loader-as-a-service (LaaS) known as FakeBat has become one of the most popular loader malware families delivered via the drive-by download tactic this year, research from Sekoia indicate.
"FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the firm claimed in a Tuesday report.
Drive-by assaults comprise the employment of tactics like search engine optimization (SEO) poisoning, malvertising, and illicit code injections into hacked sites to trick users into downloading fake software installers or browser upgrades.
The usage of malware loaders over the last several years dovetails with the increased use of landing pages imitating reputable software websites by passing them off as legal installers. This connects into the bigger fact that phishing and social engineering remain one of the threat actors' key tactics to get initial access.
FakeBat, also known as EugenLoader and PaykLoader, has been supplied to other cybercriminals on a LaaS subscription model on underground forums by a Russian-speaking threat actor dubbed Eugenfest (aka Payk_34) since at least December 2022.
The loader is intended to evade security systems and offers users with options to make builds using templates to trojanize legal software as well as track installs over time using an administrator panel.
While the older versions made use of an MSI format for the malware builds, current variants spotted after September 2023 have converted to an MSIX format and appended a digital signature to the installer with a valid certificate to evade Microsoft SmartScreen defenses.
The virus is offered for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature bundle.
Sekoia claimed it discovered multiple activity clusters propagating FakeBat by three principal approaches: Impersonating popular software via malicious Google advertisements, phony web browser upgrades via hijacked sites, and social engineering tactics on social networks. This comprises campaigns possibly tied to the FIN7 gang, Nitrogen, and BATLOADER.
"In addition to hosting payloads, FakeBat [command-and-control] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location," Sekoia stated. "This enables the distribution of the malware to specific targets."
The report comes as the AhnLab Security Intelligence Center (ASEC) documented a malware campaign spreading another loader termed DBatLoader (aka ModiLoader and NatsoLoader) via invoice-themed phishing emails.
It also follows the discovery of infection chains distributing Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to finally transmit the Lumma information stealer.
"This IDAT Loader campaign is using a complex infection chain containing multiple layers of direct code-based obfuscation alongside innovative tricks to further hide the maliciousness of the code," Kroll researcher Dave Truman stated.
"The infection depended on leveraging Microsoft's mshta.exe to execute malware hidden deep inside a specially built file posing as a PGP Secret Key. The campaign makes use of innovative modifications of established methods and substantial obfuscation to disguise the malicious code from detection."
Phishing efforts have also been spotted spreading Remcos RAT, with a new Eastern European threat actor named Unfurling Hemlock utilizing loaders and emails to drop binary files that behave as a "cluster bomb" to distribute several malware strains at once.
"The malware being distributed using this technique is mostly comprised of stealers, such as RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader," Outpost24 analyst Hector Garcia stated.
"Most of the first stages were detected being sent via email to different companies or being dropped from external sites that were contacted by external loaders."
