FakeBat (EugenLoader) is distributed via malvertising on Google and delivered as an MSI/MSIX package that embeds a malicious PowerShell script to fetch zgRAT and reach a C2. ThreatDown traces the infection chain from Google ad redirects to a Notion-like site, through a signed installer, PowerShell execution, payload download, and process injection, with multiple C2 domains involved.
hashtags: #FakeBat #zgRAT #Notilion #Kazakhstan
Keypoints
- FakeBat (EugenLoader) is a malware loader delivered via social-engineering lures and malvertising, often associated with Google ads.
- The delivery chain uses a legitimate-looking MSIX installer (Notion-x86.msix) signed by Forth View Designs Ltd to conceal a malicious PowerShell script.
- The PowerShell script communicates with FakeBat’s C2 and retrieves a follow-up payload.
- zgRAT is loaded and injected into a process (AddInProcess.exe) for execution.
- The campaign employs an intermediary domain (sewaliftmaterial[.]com) to separate the malicious destination URL from the Google ad and the click tracker.
- ThreatDown identified multiple IOCs, including the fake Notion site (notilion[.]co), the Notion-x86.msix installer, and several zgRAT C2 domains, along with the MSIX execution path.
MITRE Techniques
- [T1189] Drive-by Compromise – Malvertising leads to a Notion-like site delivering an MSIX payload and embedded PowerShell. “The infection chain starts with a malicious ad via a Google search for Notion, the popular utility program.”
- [T1059.001] PowerShell – The installer embeds a malicious PowerShell script that executes the payload. “Unbeknownst to the victim, a malicious PowerShell is embedded into this installer and will execute the malicious payload.”
- [T1105] Ingress Tool Transfer – The PowerShell script downloads the zgRAT payload. “PowerShell downloading zgRAT payload:”
- [T1055] Process Injection – zgRAT is injected into AddInProcess.exe. “(zgRAT is injected into AddInProcess.exe)”
- [T1071.001] Web Protocols – The PowerShell script connects to the C2 at utm-adrooz[.]com. “The PowerShell script will connect to FakeBat’s command and control server (C2) located at utm-adrooz[.]com.”
- [T1562.001] Impair Defenses – The script sets the execution policy to Bypass for its own process so that the unsigned PowerShell runs. “if((Get-ExecutionPolicy) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }”
Indicators of Compromise
- [Domain] Fake Notion website – notilion[.]co
- [Domain] C2 for FakeBat – utm-adrooz[.]com
- [Domain] zgRAT download host – startupzonechanpatia[.]com
- [Domain] Intermediary redirect – sewaliftmaterial[.]com
- [Domain] zgRAT C2s – shatterbreathepsw[.]shop, productivelookewr[.]shop, tolerateilusidjukl[.]shop, shortsvelventysjo[.]shop, incredibleextedwj[.]shop, alcojoldwograpciw[.]shop, liabilitynighstjsko[.]shop, demonstationfukewko[.]shop
- [File] MSIX installer – Notion-x86.msix
- [Hash] FakeBat – 80f4405270b8fd7f557c6831dd2785b55fdee43d48d967401a8b972e147be948
- [File] MSIX execution path – C:\PROGRAM FILES\WINDOWSAPPS\NOTIONLAB.NOTION_2.0.47.1_X86__MRGZP1VAGPXMPAI\STUBS\AISTUBX86.EXE
- [Hash] zgRAT – 5102b64a838bd84f4273bce2a0bda67df77fdb1a33a2b939988ccb51f2246e07
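The indicators above are published defanged (`[.]`), and the techniques list points at three behaviours worth hunting for independently of any one domain: the execution-policy bypass in the script block, an MSIX stub launched from the WindowsApps package store, and a remote thread into AddInProcess.exe. The following Python is an added example, not ThreatDown's code: it refangs the listed domains and hashes and runs them, together with pattern matches for those three behaviours, over a handful of constructed log lines. The log line formats (a DNS query line, proxy lines, an AV hash line, Sysmon-style Event ID 1 process creation and Event ID 8 CreateRemoteThread lines) are assumptions made for the example; the MSIX path pattern is generalized over the package version rather than fixed to 2.0.47.1.

```python
"""IOC and behaviour matcher for the FakeBat / zgRAT chain (added example, not ThreatDown's code)."""
import re

# Indicators copied from the write-up, kept in their defanged form.
DEFANGED_DOMAINS = [
    "notilion[.]co", "utm-adrooz[.]com", "startupzonechanpatia[.]com", "sewaliftmaterial[.]com",
    "shatterbreathepsw[.]shop", "productivelookewr[.]shop", "tolerateilusidjukl[.]shop",
    "shortsvelventysjo[.]shop", "incredibleextedwj[.]shop", "alcojoldwograpciw[.]shop",
    "liabilitynighstjsko[.]shop", "demonstationfukewko[.]shop",
]
HASHES = {
    "80f4405270b8fd7f557c6831dd2785b55fdee43d48d967401a8b972e147be948": "FakeBat",
    "5102b64a838bd84f4273bce2a0bda67df77fdb1a33a2b939988ccb51f2246e07": "zgRAT",
}

def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be compared with live logs."""
    return indicator.replace("[.]", ".").lower()

DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Behavioural patterns from the chain (log formats are assumed for this example).
BYPASS_RE = re.compile(r"Set-ExecutionPolicy\s+(?:-Scope\s+Process\s+)?Bypass", re.IGNORECASE)
MSIX_PATH_RE = re.compile(r"\\WindowsApps\\NotionLab\.Notion_[^\\]+\\", re.IGNORECASE)  # any package version
INJECT_RE = re.compile(r"TargetImage[=:]\s*\S*AddInProcess\.exe", re.IGNORECASE)  # Sysmon Event ID 8 style
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def domain_in_line(line: str):
    """Return the first listed domain that the line contacts, as an exact host or a subdomain.
    Substring matching is deliberately avoided so 'notilion.co' does not fire on 'notilion.com'."""
    for host in HOST_RE.findall(line.lower()):
        for bad in DOMAINS:
            if host == bad or host.endswith("." + bad):
                return bad
    return None

def classify(line: str) -> list:
    """Return every IOC or behaviour tag that matches one log line."""
    tags = []
    bad = domain_in_line(line)
    if bad:
        tags.append(f"domain:{bad}")
    for digest, name in HASHES.items():
        if digest in line.lower():
            tags.append(f"hash:{name}")
    if BYPASS_RE.search(line):
        tags.append("T1562.001:execution-policy-bypass")
    if MSIX_PATH_RE.search(line):
        tags.append("msix:notion-package-path")
    if INJECT_RE.search(line):
        tags.append("T1055:addinprocess-target")
    return tags

def scan(lines):
    """Return (line number, tags) for every line that matched at least one indicator."""
    return [(n, tags) for n, line in enumerate(lines, 1) if (tags := classify(line))]

# Constructed sample telemetry, not real logs; formats are assumptions for this example.
SAMPLE_LOGS = [
    "2024-05-05T10:01:02Z dns host=ws01 qname=notilion.co type=A",
    r"2024-05-05T10:01:40Z sysmon EventID=1 Image=C:\Program Files\WindowsApps\NotionLab.Notion_2.0.47.1_x86__mrgzp1vagpxmpai\STUBS\AiStubX86.exe",
    "2024-05-05T10:01:41Z ps ScriptBlock: if((Get-ExecutionPolicy) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }",
    "2024-05-05T10:01:45Z proxy host=ws01 url=https://utm-adrooz.com/ method=POST",
    "2024-05-05T10:02:03Z proxy host=ws01 url=https://cdn.startupzonechanpatia.com/update.bin method=GET",
    r"2024-05-05T10:02:09Z av sha256=5102b64a838bd84f4273bce2a0bda67df77fdb1a33a2b939988ccb51f2246e07 path=C:\Users\u\AppData\Local\Temp\x.bin",
    r"2024-05-05T10:02:10Z sysmon EventID=8 SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe",
    "2024-05-05T10:03:00Z proxy host=ws02 url=https://www.notion.so/ method=GET",
]

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(tags)}")
```

The domain check matches whole hosts (or subdomains of a listed host) rather than substrings, which is the usual source of false positives when a short indicator such as notilion[.]co is pushed straight into a grep. The last sample line, a visit to the real Notion site, produces no hit, while the CDN subdomain of the download host still does.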
Read more: https://www.threatdown.com/blog/fakebat-05-05-2024/