Malware, Endpoint/Device Security

Drive-by download attacks leveraged for FakeBat loader deployment


Threat actors have utilized several drive-by download attack techniques to facilitate the deployment of the FakeBat loader-as-a-service, also known as PaykLoader and EugenLoader, The Hacker News reports.

Aside from leveraging malvertising aimed at Microsoft Teams and OneNote, AnyDesk, Google Chrome, and other widely used software, attackers also sought to spread FakeBat via social networking-based social engineering tactics and fraudulent web browser updates, an analysis from Sekoia revealed. Further analysis of FakeBat, which has been used to deliver the Lumma, RedLine, IcedID, SectopRAT, Ursnif, and RedLine payloads, showed the loader's transition to the new MSIX format and inclusion of a digital signature meant to evade Microsoft SmartScreen defenses. "In addition to hosting payloads, FakeBat [command-and-control] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location. This enables the distribution of the malware to specific target," said Sekoia. Such findings follow Kroll report detailing the use of pirated movie download sites to distribute Hijack Loader and eventually deploy the Lumma infostealer.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.