Understanding the Rise of FakeBat and Its Role in Drive-by Download Attacks


Over the past few years, cybercriminals have increasingly used the drive-by download technique to deliver malware to users as they browse the web. The technique typically relies on SEO poisoning, malvertising, and code injection into compromised websites to trick users into downloading fake software installers or browser updates.

The drive-by download technique is favored by multiple intrusion sets to distribute various types of malware, including loaders like FakeBat and BatLoader, botnets such as IcedID and PikaBot, infostealers like Vidar, Lumma, and Redline, post-exploitation frameworks like CobaltStrike and Sliver, and remote access trojans (RATs) such as NetSupport. Some of these attacks are orchestrated by Initial Access Brokers (IABs) and have facilitated the deployment of ransomware variants like BlackCat and Royal.

The Surge of FakeBat in 2024

In the first half of 2024, FakeBat (also known as EugenLoader and PaykLoader) emerged as one of the most prevalent loaders distributed through the drive-by download technique. FakeBat's primary function is to download and execute next-stage payloads, including malware such as IcedID, Lumma, Redline, SmokeLoader, SectopRAT, and Ursnif.

The Sekoia Threat Detection & Research (TDR) team uncovered multiple FakeBat distribution campaigns throughout 2024. These campaigns typically use landing pages that impersonate legitimate software and are spread via malvertising, fake web browser updates on compromised websites, and social engineering schemes on social networks. TDR has also monitored the FakeBat command-and-control (C2) infrastructure to identify new C2 servers and changes in FakeBat communications.

Inside the FakeBat Campaigns

Sekoia's FLINT report describes the activities of FakeBat operators on cybercrime forums, analyzes in depth previously undocumented campaigns distributing FakeBat, and gives technical details on its distribution methods and related C2 infrastructure. TDR analysts have also shared Indicators of Compromise (IoCs), YARA rules, and tracking heuristics for monitoring FakeBat distribution and C2 infrastructure.
