Mandiant’s Managed Defense division recently tracked a rise in malware infections linked to a malicious advertisement campaign promoting a loader called FakeBat. This campaign seemingly targets individuals seeking credible business software, exploiting their trust and unawareness to propagate the malware.
The malware is delivered as a trojanized MSIX installer that runs a PowerShell script to download a second payload. The loader, also known as EugenLoader and PaykLoader, is tied to a malicious entity named Eugenfest and is tracked as NUMOZYLOD by Google’s criminal intelligence team.
The malware relies on drive-by download techniques, redirecting users searching for well-known software to deceptive mirror sites that host harmful MSI installers. Recognized malware strains, including IcedID, RedLine Stealer, Lumma Stealer, SectopRAT, and Carbanak, are believed to be distributed by this cybercrime syndicate.
The Mandiant report reveals that UNC4536 leverages malvertising to disseminate trojanized MSIX installers disguised as popular software. Trusted brands like Brave, KeePass, Notion, Steam, and Zoom have been imitated in this scheme.
Tracking FakeBat malware’s increased infections
Once downloaded and run, these fraudulent installers allow UNC4536 to deploy further destructive payloads to the users’ devices.
What sets this attack apart is the use of MSIX installers posing as legitimate software. An MSIX package can execute a script before the main application is launched, and that is where the loader runs. Importantly, UNC4536 operates as a malware distributor, using FakeBat to deliver follow-on payloads for its business associates, such as FIN7.
Finally, Mandiant has unveiled the operational tactics of the NUMOZYLOD malware. It collects comprehensive system information, which is then sent back to its command and control server. The malware also sustains its presence on the system by creating a shortcut in the StartUp folder. This follows another recent Mandiant revelation regarding an attack chain involving the EMPTYSPACE malware downloader, which primarily targeted Italian organizations.
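The pre-launch script hook described above is the detection point a defender can inspect before an MSIX is ever installed. The following Python is an added example, not code from Mandiant or from the report; it assumes the script is wired in through the Package Support Framework's config.json startScript entry (scriptPath, scriptArguments, showWindow), and it builds a constructed sample package in memory rather than touching a real one.

```python
import io
import json
import zipfile
from typing import Optional

# Argument markers a defender would flag in a pre-launch script invocation (constructed heuristics).
SUSPICIOUS_MARKERS = ("downloadstring", "invoke-webrequest", "iwr ", "bypass", "-enc", "hidden")


def build_sample_msix(start_script: Optional[dict]) -> bytes:
    """Build a minimal MSIX-like zip in memory. Constructed test data, not a real package:
    MSIX is a zip container, and a PSF-enabled package ships config.json beside the manifest."""
    app = {"id": "App", "executable": "VFS/ProgramFilesX64/App/App.exe"}
    if start_script:
        app["startScript"] = start_script  # assumed PSF key for the pre-launch script
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", "<Package/>")
        pkg.writestr("config.json", json.dumps({"applications": [app]}))
    return buf.getvalue()


def inspect_msix(data: bytes) -> list:
    """Return one finding per application whose PSF startScript runs before the main
    executable; each finding carries the script path and the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "config.json" not in pkg.namelist():
            return findings  # no PSF config, so no pre-launch script hook to inspect
        config = json.loads(pkg.read("config.json"))
    for app in config.get("applications", []):
        script = app.get("startScript")
        if not script:
            continue
        path = str(script.get("scriptPath", ""))
        args = str(script.get("scriptArguments", ""))
        reasons = ["pre-launch startScript present"]
        if path.lower().endswith(".ps1"):
            reasons.append("PowerShell script")
        if script.get("showWindow") is False:
            reasons.append("window hidden")
        reasons += [f"argument marker: {m.strip()}" for m in SUSPICIOUS_MARKERS if m in args.lower()]
        findings.append({"app": app.get("id"), "script": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    hostile = build_sample_msix({"scriptPath": "StartingScript.ps1",
                                 "scriptArguments": "-ExecutionPolicy Bypass",
                                 "showWindow": False})
    print(inspect_msix(hostile))
    print(inspect_msix(build_sample_msix(None)))  # clean package: []
```

A real package is just the .msix file read as bytes; the same inspection applies unchanged, and a finding is a reason to hold the installer for analysis rather than a verdict on its own.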