FakeBat Loader Malware Becomes #1 Cyberthreat in 2024, Continues to Spread through Drive-by Downloads
- Sekoia Threat Detection & Research (TDR) conducted research on FakeBat, a malicious software loader and dropper, and found it to be one of the biggest cyberthreats of the first half of 2024.
- It targets victims by either imitating a legitimate website, compromising a website, or through social engineering schemes on social networks.
- The worst part is that this malware is being distributed as a loader-as-a-service (LaaS) subscription model, meaning more cybercriminals, including the entry-level ones, are gaining access to it.
FakeBat, which is also known as PaykLoader and EugenLoader, has emerged as one of the most dangerous cyberthreats in the first half of 2024.
The campaign relies on drive-by downloads, a technique that involves malvertising, SEO poisoning, and inserting malicious code into websites that have been compromised. Users are then tricked into downloading the malware disguised as a fake update or app.
About FakeBat and Its Growing Terror
Sekoia Threat Detection & Research (TDR) conducted research and found that throughout 2024, there have been multiple FakeBat distribution campaigns. This cyberthreat's latest victims include AnyDesk and Google Chrome.
It tricks users via three methods:
- By imitating a real website,
- By compromising an actual legit website, or
- Through social engineering schemes on social networks
Then, it downloads the next-stage payload, such as Lumma, IcedID, SmokeLoader, RedLine, SectopRAT, and Ursnif.
FakeBat's servers are also believed to filter traffic based on location, IP address, and user-agent value so that they can target a specific audience.
During research, Sekoia also found that certain domains linked to FakeBat's command-and-control (C2) servers, including 756-ads-info[.]site, 3010cars[.]top and 0212top[.]online, are often registered under concealed or misleading details regarding ownership.
These domains are the main drivers behind malware distribution. Moreover, these distribution strategies are so diverse that FakeBat has managed to evade detection for a really long time.
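For defenders who want to hunt for the domains listed above, the following added example (not code from Sekoia or from this article) matches proxy log entries against them on whole DNS labels, so lookalike hosts do not trigger, and raises severity when the request is for an MSI or MSIX installer. The four-field log format, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Defanged C2-linked domains exactly as the article lists them.
DEFANGED = ["756-ads-info[.]site", "3010cars[.]top", "0212top[.]online"]
INSTALLER_EXT = (".msi", ".msix")  # FakeBat package formats named in the article

def refang(value):
    """Undo common defanging (hxxp, [.], [:]) and lowercase the result."""
    value = re.sub(r"^hxxp", "http", value.strip().lower())
    return value.replace("[.]", ".").replace("[:]", ":")

BLOCKLIST = {refang(d) for d in DEFANGED}

def split_target(target):
    """Return (host, path) for a full URL or a CONNECT-style host:port."""
    target = refang(target)
    parts = urlsplit(target if "://" in target else "//" + target)
    return (parts.hostname or "").rstrip("."), parts.path

def is_listed(host):
    """Match a listed domain or its subdomains on whole DNS labels only."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def triage(log_lines):
    """Return (severity, client, host) for requests to listed domains."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line in this assumed 4-field format
        _ts, client, _method, target = fields
        host, path = split_target(target)
        if is_listed(host):
            severity = "high" if path.endswith(INSTALLER_EXT) else "medium"
            findings.append((severity, client, host))
    return findings

# Constructed sample log (assumed format: time client method target).
C2 = sorted(BLOCKLIST)  # order: 0212top, 3010cars, 756-ads-info
SAMPLE_LOG = [
    f"2024-07-01T09:00:01Z 10.0.0.5 GET https://cdn.{C2[1]}/dl/setup.msix",
    f"2024-07-01T09:00:07Z 10.0.0.8 CONNECT {C2[0]}:443",
    f"2024-07-01T09:01:12Z 10.0.0.9 GET https://not{C2[1]}/setup.msix",
    f"2024-07-01T09:02:30Z 10.0.0.9 GET https://{C2[2]}.example.com/a.msi",
    "2024-07-01T09:03:00Z 10.0.0.7 GET https://example.com/index.html",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only the first two sample lines are flagged; the lookalike host and the host that merely embeds a listed domain as a prefix are ignored because matching is aligned to label boundaries.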
What's worse is that FakeBat is being offered to other cybercriminals as a loader-as-a-service (LaaS) subscription model on dark web forums designed by a Russia-based threat actor called Eugenfest (aka Payk_34).
Unfortunately, using the loader is quite simple, too. It has templates that can be used by hackers to generate builds, which would help them compromise legit websites as well as monitor their installations through an administration panel.
The service is available at $1,000 per week (or $2,500 per month) for the MSI format (MSI is its previous version) and $1,500 per week (or $4,000 per month) for the MSIX format (the newest version). Furthermore, a combination of MSI and the signature package is available at $1,800 per week (or $5,000 per month).
The post FakeBat Loader Malware Becomes #1 Cyberthreat in 2024, Continues to Spread through Drive-by Downloads appeared first on The Tech Report.