The elusive malware with a gold price tag has become even more secretive and dangerous

Carding Forum

The FakeBat loader, distributed using the drive-by download technique, has become one of the most common malware programs of this year, according to a recent report by Sekoia.

FakeBat is designed to download and execute next-stage malware such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif. The loader is spread through methods such as SEO poisoning, malicious advertising, and code injection on compromised sites, which trick users into downloading fake installers or browser updates.

In recent years, the proliferation of malware loaders has increased due to the use of fake pages that mimic legitimate software. Phishing and social engineering remain the main methods that attackers use to gain initial access.

FakeBat, also known as EugenLoader and PaykLoader, has been sold on underground forums under the LaaS (Loader-as-a-Service) model since December 2022. The loader is designed to bypass security mechanisms and lets customers create builds from templates that trojanize legitimate software. It also provides the ability to monitor installations via an admin panel.

Whereas earlier versions of FakeBat mainly used the MSI format to package the malware, from September 2023 its operators switched to the MSIX format and added a digital signature with a valid certificate to bypass Microsoft SmartScreen protection.

The cost of using FakeBat is considerable:

* $1,000 per week and $2,500 per month for the MSI format;

* $1,500 per week and $4,000 per month for the MSIX format;

* $1,800 per week and $5,000 per month for a digitally signed package.

Sekoia identified several ways FakeBat is distributed: through fake Google ads, fake browser updates on compromised sites, and social-engineering schemes on social networks. Cybercrime groups such as FIN7, Nitrogen and BATLOADER are involved in campaigns using FakeBat. FakeBat's C2 servers filter incoming traffic by characteristics such as User-Agent, IP address, and geolocation, so the payload is delivered only to selected victims.

The findings of Sekoia's experts were published at the same time as a report by the AhnLab Security Center (ASEC) on a campaign distributing another loader — DBatLoader — through invoice-themed phishing emails. An infection chain was also identified that distributes Hijack Loader through pirated-movie sites and ultimately installs the Lumma malware.

• Source: https://asec.ahnlab.com/en/67468/

• Source: https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/
 
Top