FakeBat Malware Distributing via Fake Browser Updates

eSentire’s TRU identified the FakeBat loader being distributed via compromised websites that inject JavaScript to display fake browser update prompts and fetch payload links from Pastebin and linked domains. The chain uses server-side visit counters, dynamic iframes, AMSI bypass code, and PHP redirects to deliver a signed MSIX payload which leads to RunPE-based execution and LummaC2 deployment. #FakeBat #PaykRunPE

Keypoints

  • Detected April 2024: FakeBat loader distributed through compromised sites with injected malicious JavaScript.
  • Infection vector: injected JS triggers fake browser update pages tailored to the user’s browser and language.
  • Server-side checks (“can(callback)”) and a visit counter (“sendUpdateCounterRequest()”) control whether the landing page is shown, limiting its exposure to evade detection.
  • Landing script dynamically inserts full-viewport iframes and fetches content from doggygangers[.]com or fallback srcdoc content.
  • Payload retrieval: PHP scripts (get_download_file_name.php → dwnl_standart[.]php) redirect to a signed MSIX (“UpdateSetup-x86”, MD5: 569d206636b75c33240ba4c1739c04d6).
  • Supporting infrastructure: links fetched from Pastebin and seacraftsgallery[.]com; Pastebin contains AMSI bypass code and author ties to previous FakeBat activity.
  • Post-delivery: MSIX installer leads to RunPE-style execution (Payk RunPE) that drops LummaC2 for command-and-control.

MITRE Techniques

  • [T1189] Drive-by Compromise – Compromised websites host injected JavaScript that triggers malicious behavior (“…injected malicious JavaScript that triggers fake browser update notifications…”)
  • [T1204] User Execution – Social-engineering via fake browser update prompts to induce users to run installers (“…misleading users into believing they need to install legitimate browser updates.”)
  • [T1105] Ingress Tool Transfer – Staged retrieval of payloads and links from Pastebin and linked domains, and PHP redirects to final payload (“…fetching malicious links directly from Pastebin and a linked domain…” / “…redirects the user to the final page serving FakeBat MSIX payload…”)
  • [T1027] Obfuscated Files or Information – Use of Base64-encoded strings and obfuscated script elements for logos and content delivery (“…logoSrc is obtained by decoding a Base64 string…”)
  • [T1562] Impair Defenses – AMSI bypass code is present in Pastebin to evade antimalware scanning (“…code to bypass AMSI…”)
  • [T1036] Masquerading – Use of a signed MSIX installer (signed by “Consoneai Ltd”) to appear legitimate (“…MSIX file is signed with ‘Consoneai Ltd’…”)
  • [T1055] Process Injection – Use of RunPE to execute/deliver payloads, where Payk RunPE drops LummaC2 (“…Payk RunPE dropping LummaC2.”)
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 activity implied via LummaC2 and web-based delivery channels (references to LummaC2 and web fetch/redirect flows)
  • [T1562] Defense Evasion – Server-side visit counter and conditional page display used to limit exposure and evade analysis (“…control the exposure of a malicious page based on a visit counter.”)

Indicators of Compromise

  • [Domain] hosting and delivery – doggygangers[.]com (landing/get_stats.php, /land/universal_land), seacraftsgallery[.]com
  • [File name] final payload – UpdateSetup-x86 (MSIX installer)
  • [File hash] MSIX payloads – 569d206636b75c33240ba4c1739c04d6 (UpdateSetup-x86), 06165e8da7bf1b22962c8272f19d707f (previous FakeBat MSIX)
  • [URL/Path] PHP delivery scripts – /YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/stats/get_stats.php, /downloadsdownloadfile/dwnl_standart[.]php
  • [Pastebin/Handles] infrastructure and authorship – Pastebin link with AMSI bypass code and author handle “[email protected]” (linked to prior FakeBat payloads)
  • [IOC collection] full indicators – GitHub IOC list: https://github.com/esThreatIntelligence/iocs/blob/main/FakeBat/FakeBat_FakeUpdates_4-13-2024.txt

Compromised websites inject JavaScript that evaluates server-side flags (can(callback)) and visit counters (sendUpdateCounterRequest()) to decide whether to render a malicious landing page. When conditions permit, the script’s insertScript logic replaces or overlays the page with a full-viewport iframe (or srcdoc fallback) that serves a fake browser update tailored to the detected userAgent and language settings.

The landing script personalizes content by decoding Base64-encoded logo data and setting browser-specific text via replaceTextByLanguage(lang). It then fetches the download file name and download details from server-side PHP endpoints (get_download_file_name.php → downloadsdownloadfile/dwnl_standart[.]php), which redirect to a signed MSIX installer (“UpdateSetup-x86”, MD5: 569d206636b75c33240ba4c1739c04d6). Supporting infrastructure includes Pastebin-hosted code (including AMSI bypass snippets) and linked domains such as doggygangers[.]com and seacraftsgallery[.]com.
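As an added detection example, not code from eSentire's write-up or the FakeBat operators: the script below covers both the injected-script stage and the delivery stage described above. It scans page or script content for the markers the write-up names (can(callback), sendUpdateCounterRequest(), replaceTextByLanguage(), Base64 logo decoding, a dynamically inserted full-viewport iframe and the srcdoc fallback), and scans web-proxy log lines for the delivery-chain indicators (the listed domains, PHP paths, MSIX filename and MD5 hashes). Only the indicator values come from the write-up; the log format, regexes, scoring threshold and all sample inputs are constructed assumptions for this example.

```python
"""Flag the FakeBat fake-browser-update web stages: injected-script markers in
page content and delivery-chain requests in proxy logs. Indicators are taken
from the eSentire TRU write-up; everything else here is a constructed example."""
import re
from urllib.parse import urlsplit

# Delivery infrastructure named in the write-up (defanged there as [.]).
IOC_DOMAINS = {"doggygangers.com", "seacraftsgallery.com"}
IOC_PATH_SUFFIXES = (
    "/stats/get_stats.php",                       # visit-counter endpoint
    "/land/universal_land",                       # landing-page content
    "/get_download_file_name.php",                # first PHP hop
    "/downloadsdownloadfile/dwnl_standart.php",   # redirect to the MSIX
)
IOC_FILENAME = "updatesetup-x86"                  # compared case-insensitively
IOC_MD5 = {"569d206636b75c33240ba4c1739c04d6",    # UpdateSetup-x86 MSIX
           "06165e8da7bf1b22962c8272f19d707f"}    # earlier FakeBat MSIX

# Markers of the injected landing script as described in the write-up.
# The regexes are assumptions about how those markers appear in source.
SCRIPT_MARKERS = {
    "server_flag":     re.compile(r"\bcan\s*\(\s*callback\s*\)"),
    "visit_counter":   re.compile(r"\bsendUpdateCounterRequest\s*\("),
    "language_swap":   re.compile(r"\breplaceTextByLanguage\s*\("),
    "base64_logo":     re.compile(r"\blogoSrc\b[^;\n]*\batob\s*\("),
    "dynamic_iframe":  re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)"),
    "srcdoc_fallback": re.compile(r"\.srcdoc\s*=|\bsrcdoc\s*="),
    # position fixed followed within 200 chars by a 100vh/100vw/100% size
    "full_viewport":   re.compile(r"position\s*[:=]\s*['\"]?fixed['\"]?[\s\S]{0,200}?100(?:vh|vw|%)"),
}


def scan_script(text):
    """Return the names of all markers found in page/script content."""
    return sorted(name for name, rx in SCRIPT_MARKERS.items() if rx.search(text))


def script_verdict(text, threshold=3):
    """Three or more distinct markers together is treated as suspicious
    (threshold is an assumption; a lone createElement('iframe') is common)."""
    hits = scan_script(text)
    return {"hits": hits, "suspicious": len(hits) >= threshold}


# Constructed proxy-log format: "<ts> <src_ip> <METHOD> <url> <status> [md5=<hex>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})(?:\s+md5=(?P<md5>[0-9a-f]{32}))?$")


def classify_request(url, md5=None):
    """Return the list of indicator classes a single request matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    if any(path.endswith(suffix) for suffix in IOC_PATH_SUFFIXES):
        reasons.append("ioc_path")
    if path.lower().endswith(".msix") and IOC_FILENAME in path.lower():
        reasons.append("ioc_msix_name")
    if md5 and md5.lower() in IOC_MD5:
        reasons.append("ioc_hash")
    return reasons


def scan_proxy_log(lines):
    """Parse constructed log lines and return one alert per matching request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        reasons = classify_request(m["url"], m["md5"])
        if reasons:
            alerts.append({"ts": m["ts"], "src": m["src"],
                           "url": m["url"], "reasons": reasons})
    return alerts


# Constructed fixture mimicking the marker names from the write-up (no payload).
SAMPLE_SCRIPT = r"""
function can(callback) { fetch('/check').then(r => r.json()).then(j => callback(j.ok)); }
can(function(ok) {
  if (!ok) return;
  sendUpdateCounterRequest();
  var f = document.createElement('iframe');
  f.style.position = 'fixed'; f.style.top = 0; f.style.left = 0;
  f.style.width = '100vw'; f.style.height = '100vh';
  f.srcdoc = fallbackHtml;
  document.body.appendChild(f);
});
"""
# Constructed benign script: an ordinary video embed, also uses an iframe.
BENIGN_SCRIPT = r"""
var player = document.createElement('iframe');
player.src = 'https://video.example.test/embed/123';
player.width = 640; player.height = 360;
document.getElementById('video').appendChild(player);
"""
# Constructed proxy log; hosts other than the IoC domains are placeholders.
SAMPLE_PROXY_LOG = [
    "2024-04-13T10:01:02Z 10.0.0.5 GET https://www.example-news.test/article/42 200",
    "2024-04-13T10:01:03Z 10.0.0.5 GET https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/stats/get_stats.php 200",
    "2024-04-13T10:01:05Z 10.0.0.5 GET https://doggygangers.com/land/universal_land 200",
    "2024-04-13T10:01:40Z 10.0.0.5 GET https://cdn.example-download.test/downloadsdownloadfile/dwnl_standart.php 302",
    "2024-04-13T10:01:41Z 10.0.0.5 GET https://cdn.example-download.test/files/UpdateSetup-x86.msix 200 md5=569d206636b75c33240ba4c1739c04d6",
]

if __name__ == "__main__":
    print("injected sample:", script_verdict(SAMPLE_SCRIPT))
    print("benign sample:  ", script_verdict(BENIGN_SCRIPT))
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert["ts"], alert["src"], ",".join(alert["reasons"]), alert["url"])
```

The two scanners are deliberately independent: the script markers catch the injected stage on a compromised site even when the delivery domains rotate, while the proxy-log classifier catches the visit-counter, landing and PHP-redirect requests and the final MSIX fetch even when the injected script is served only once per visitor and never reaches a sandbox. The suffix match on `/stats/get_stats.php` ignores the randomized directory seen in the write-up's path.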

Executing the MSIX results in a multi-stage dropper chain: the installer leads to RunPE-style execution (Payk RunPE), which in turn deploys the LummaC2 implant for command-and-control. Observations relevant to defenders include the use of an AMSI bypass, Base64 obfuscation, a signed installer that masquerades as legitimate software, and server-side evasion (visit counters) that limits the window in which the malicious page can be observed.

Read more: https://www.esentire.com/blog/fakebat-malware-distributing-via-fake-browser-updates