FakeBat Loader: Distribution Tactics And Infrastructure
FakeBat specializes in downloading and executing subsequent payloads such as IcedID, Lumma, Redline, and others.
Ashish Khaitan July 3, 2024
Share on LinkedInShare on Twitter
In the first half of 2024, the FakeBat loader, also known as EugenLoader or PaykLoader, emerged as a prominent threat leveraging the drive-by download technique. This method has increasingly been adopted by cybercriminals to spread malware through unsuspecting users’ web browsing activities.
Drive-by downloads involve techniques like SEO poisoning, malvertising, and injecting malicious code into compromised websites. These methods deceive users into downloading fake software or updates, inadvertently installing malware like loaders (e.g., FakeBat, BatLoader), botnets (e.g., IcedID, PikaBot), and more.
The FakeBat Loader Campaigns
FakeBat specializes in downloading and executing subsequent payloads such as IcedID, Lumma, Redline, and others. It operates as a Malware-as-a-Service (MaaS), offering an administration panel to manage payload distribution, installation monitoring, and evasion of detection mechanisms like Google’s Unwanted Software Policy and Windows Defender alerts.
Throughout 2024, Sekoia Threat Detection & Research (TDR) identified multiple FakeBat distribution campaigns. These FakeBat loader campaigns utilize diverse tactics, including fake websites that mimic popular software download pages to lure users into downloading FakeBat disguised as legitimate software.
“The FakeBat administration panel contains information related to the infected host, including the IP address, country, OS, web browser, mimicked software, and installation status. Customers can also write comments for each bot”, says Sekoia.io.
The threat actor behind this campaign also uses fake web browser updates to compromise websites to inject code that prompts users to update their browsers with malicious installers. Social engineering is another concerning threat as hackers can target communities like web3 with fake applications and use social media platforms to distribute FakeBat.
Sekoia analysts meticulously tracked FakeBat’s Command-and-Control (C2) infrastructure. Over the period from August 2023 to June 2024, they identified several C2 servers hosting FakeBat payloads and observed changes in their operational tactics. These servers often employ tactics to evade detection, such as filtering traffic based on User-Agent values and IP addresses.
Features and Capabilities of FakeBat Loader
FakeBat, a prominent leader in 2024, employs various distribution methods such as mimicking legitimate software sites and compromising websites with injected malicious code. Sekoia identified domains associated with FakeBat’s command-and-control (C2) servers, including 0212top[.]online, 3010cars[.]top, and 756-ads-info[.]site, often registered under obscured or misleading ownership details.
These domains facilitate the malware’s distribution, highlighting its adaptability and the evolving nature of cyber threats. FakeBat spreads through tactics like fake software updates, with Sekoia uncovering instances targeting applications like AnyDesk and Google Chrome. Users are redirected to download malware disguised as legitimate updates, demonstrating the loader’s deceptive tactics to infiltrate systems.
As a significant player in drive-by download attacks, FakeBat’s diverse distribution strategies highlight its ability to evade detection and exploit vulnerabilities.