ThreatDown researchers track a long-running FakeBat malvertising operation that now targets VMware users via Google search ads to deliver Windows and Mac info stealers. The attack chain relies on cloaking, traffic redirection, decoy sites, and signed installers to bypass defenses and exfiltrate data. #FakeBat #VMware #ThreatDown #AtomicStealer #RapportCreativeLtd
Key points
- Malvertising campaigns impersonating known software are used to lure victims and leverage similar tactics across campaigns.
- In the latest wave, the actor targets VMware users by buying Google search ads, exploiting brand impersonation.
- The Windows payload (VMware-Setup.msix) is signed with a legitimate certificate and uses a simple PowerShell one-liner to reach a C2 server.
- The Mac payload is a macOS stealer delivered alongside a VMware.dmg; a user-interaction prompt requests the user's password so the stealer runs with elevated privileges and can access cookies and credentials.
- Traffic redirection and cloaking are used to bypass sandboxes, with intermediary sites filtering traffic and routing targets to legitimate VMware pages.
- Decoy sites and a long-running campaign indicate partnerships with various malware distributors and a broader malvertising operation tracked by ThreatDown.
MITRE Techniques
- [T1189] Drive-by Compromise – Malicious ads masquerade as legitimate brands and deliver payloads; as described, “the ad contains a final URL which is legitimate (in this case vmware.com), but also an intermediary one that will reroute traffic on a per case basis.”
- [T1027] Obfuscated/Compressed Files and Information – The campaign relies on tracking templates and “cloaking” to evade detection, bypassing typical sandboxes and crawlers with traffic tricks like per-case redirection.
- [T1218] Signed Binary Proxy Execution – The Windows MSIX installer is “digitally signed with a valid certificate for Rapport Creative Ltd.”
- [T1059.001] PowerShell – The Windows payload uses a simple PowerShell command, and the description notes: “the installer … contains a malicious PowerShell” and “a simple one liner pointing to the command and control server (utm-adsname[.]com).”
- [T1204.002] User Execution – On macOS, users are prompted after right-clicking the VMware icon: “They are instructed to right click on the VMware icon, followed immediately by a system prompt asking for their password.”
- [T1071] Application Layer Protocol – The Mac and Windows exfiltration and C2 communications use web-based channels, with C2 domain utm-adsname[.]com and data exfil via HTTP POST: “data is then immediately sent back to the threat actor in a single POST request.”
- [T1056] Input Capture (tentative mapping; the source describes this only as credential/data theft on macOS) – The macOS stealer grabs “cookies, and any other credentials,” indicating credential theft targeting browser data.
- [T1041] Exfiltration – Exfiltrated data is sent back in a POST request to the threat actor’s domain: “a Base64 encoded blurb” decoded into a PK file containing stolen user information.
Indicators of Compromise
- [Domain] Intermediary infrastructure (redirects) – vmwareai[.]onelink[.]me, nogyr[.]net, sweryeervx[.]onelink[.]me, hcointelegraph[.]com, and other redirects
- [Domain] Decoy domains – todoist[.]labsapp[.]org, vmvarehome[.]com, slackappwork[.]com, warebroadcom[.]com, labsapp[.]org, trellmessage[.]net, taxblock[.]org, appcalendle[.]com, derproject[.]org, appbitget[.]com, wardenhome[.]net, whatstationapp[.]com, whatstationapp[.]net, techgplus[.]com, techghub[.]com, onepasswordapp[.]com, appfeatured[.]com, doublerwork[.]com, bit[.]wardenhome[.]net, notsworks[.]net, yachting-world[.]org, caldenry[.]com, calendar[.]oandasapp[.]com, oandasapp[.]com, shophome[.]com, notsworks[.]com, notion[.]soapp[.]me, asana[.]currencyapp[.]net, currencyapp[.]net, blen[.]derproject[.]org, camsaction[.]com, bitbuck[.]onepasswordapp[.]com, figma[.]appbitget[.]com, todoist[.]techghub[.]com, deskhomes[.]com, calendars[.]techgplus[.]com, bigbacket[.]org, trade[.]doublerwork[.]com, zen[.]deskhomes[.]com
- [URL] FakeBat download redirects – vmvarehome[.]com/download/win[.]php, vmvarehome[.]com/download/vmware[.]php
- [URL] FakeBat download URLs – deskhomes[.]com/VMware-Setup[.]msix
- [Hash] FakeBat MSIX – 6e0179344ca0bbc42dce77027f5a6a049844daf34595fd184d9f094e8c74325c
- [Domain] FakeBat C2 – utm-adsname[.]com
- [URL] macOS stealer download URLs – vmvarehome[.]com/download/mac[.]php, gruntworth[.]com/databack/vmware[.]php, gruntworth[.]com/databack/script_661f3f330b66d1[.]91104491[.]php
- [Hash] macOS stealer – 81021d858eb78e86f7f9fc7a2ee8e240d19ffe66437002aa5859274ae59dafe7
- [IP] macOS stealer C2 – 193.233.132[.]168/joinsystem
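The following is an added example, not part of the ThreatDown write-up or this summary, showing how a SOC might sweep proxy logs for the indicators listed above and for the single-POST exfil shape attributed to the macOS stealer (a base64 body that decodes to a PK/zip file). The proxy-log line format, the sample log lines and the zip payload are all constructed for the example; only the domains, IP and MSIX filename come from the IoC list.

```python
import base64, binascii, io, re, zipfile

# Indicators from the IoC list above (defanging removed so they match real log data).
IOC_DOMAINS = {"utm-adsname.com", "deskhomes.com", "vmvarehome.com", "gruntworth.com"}
IOC_IPS = {"193.233.132.168"}
# Assumed proxy-log shape for this example: "<ts> <METHOD> <host><path> [body=<base64>]".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>GET|POST) (?P<host>[^ /]+)(?P<path>\S*)(?: body=(?P<body>\S+))?$")

def host_matches(host: str) -> bool:
    # Exact or subdomain match against the campaign's domains and C2 IP.
    host = host.lower()
    return host in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def looks_like_zip_exfil(body: str) -> bool:
    # The macOS stealer is described as sending one POST whose base64 body decodes to a PK (zip) file.
    try:
        raw = base64.b64decode(body.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"PK\x03\x04")

def triage(lines):
    # Return (timestamp, url, reasons) for each line that hits an indicator or the exfil shape.
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        reasons = []
        if host_matches(m["host"]):
            reasons.append("ioc-host")
        if m["method"] == "POST" and m["body"] and looks_like_zip_exfil(m["body"]):
            reasons.append("b64-zip-post")
        if reasons:
            hits.append((m["ts"], m["host"] + m["path"], reasons))
    return hits

def sample_zip_b64() -> str:
    # Constructed stand-in for the stealer's payload: a tiny zip, base64-encoded.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cookies.txt", "constructed sample, not real data")
    return base64.b64encode(buf.getvalue()).decode()

# Constructed log lines: a benign visit, the MSIX download, a C2 beacon, the exfil POST, a benign POST.
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z GET www.vmware.com/products",
    "2024-06-01T10:01:00Z GET deskhomes.com/VMware-Setup.msix",
    "2024-06-01T10:02:00Z GET utm-adsname.com/",
    "2024-06-01T10:03:00Z POST 193.233.132.168/joinsystem body=" + sample_zip_b64(),
    "2024-06-01T10:04:00Z POST api.example.net/v1 body=aGVsbG8=",
]
```

Running `triage(SAMPLE_LOG)` flags the MSIX download, the C2 beacon and the exfil POST (the last for both the IP hit and the zip-shaped body) while leaving the two benign lines alone.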
Read more: https://www.threatdown.com/blog/fakebat-campaign-continues-now-also-targeting-vmware-users/