A malvertising campaign is behind a surge in FakeBat malware infections, according to researchers at Google’s Mandiant. FakeBat is a malware loader that is offered to other cybercriminals under the malware-as-a-service model. Once infected with FakeBat, system information is gathered and exfiltrated to its command-and-control server, and if the victim is of interest to the threat actor’s business partners, they can use FakeBat to download their own payloads onto an infected device. FakeBat, also known as EugenLoader, has fast become a major player among cyber threats with infections increasing significantly in recent months due to the ability of the malware to evade security solutions and hide the additional payloads it delivers.
FakeBat malware is primarily distributed via malvertising and drive-by downloads. Malvertising is the name given to malicious adverts that trick Internet users into downloading malicious software. Malicious adverts are created on online advertising platforms such as Google Ads, and the adverts then appear prominently at the top of search engines for certain search terms. They often catch unwary Internet users who fail to check the URL they are directed to after clicking an advert. Google has numerous safeguards in place to thwart attempts by threat actors to upload malicious adverts to its platform, but threat actors can bypass those security controls. Malicious adverts may also appear in the third-party ad blocks that many website owners add to their sites to generate additional revenue. The domains used for these scams can be convincing, as they often closely resemble the domain name of the legitimate software provider.
Drive-by downloads of malware can occur on many different websites, including attacker-owned domains and compromised sites. Websites may be created for the sole purpose of delivering malware, with black hat search engine optimization (SEO) techniques used to get web pages to appear high in the search engine listings for certain search terms. Cybercriminals may also compromise legitimate websites by exploiting vulnerabilities and then create new web pages on those sites for malware distribution. These sites often contain JavaScript that runs when a user lands on the site and generates a fake security warning, such as an alert that malware has been detected on their device. Software is offered to remove the malware, but downloading the installer will result in malware being installed.
These approaches are often used to target company employees, with adverts and malicious web pages offering popular software downloads. The adverts and websites are carefully crafted to make the user believe they are downloading the genuine software they seek. Oftentimes, the adverts and websites provide legitimate software; however, the installers also side-load malware. These malware infections often go unnoticed since the user gets the software they are expecting.
The malvertising campaigns that deliver FakeBat malware use signed MSIX installers that impersonate popular software products such as WinRAR, the password software KeePass, the gaming platform Steam, the video conferencing platform Zoom, and web browsers such as Brave. Malware known to be delivered by FakeBat includes information stealers (e.g. Redline Stealer, Lumma Stealer), banking trojans (e.g. IcedID), Remote access Trojans (e.g. SectopRAT), and more. The threat actor is also known to use phishing to distribute FakeBat malware.
Businesses should ensure they take steps to prevent malware infections via malvertising and drive-by downloads, as a single mistake by an employee can result in a costly malware infection and data breach and could potentially also lead to a ransomware attack and significant data loss.
TitanHQ offers cybersecurity solutions that offer multiple layers of protection against malware infections. Since these campaigns trick employees into installing malware, one of the best defenses is to provide comprehensive security awareness training. TitanHQ’s SafeTitan security awareness training platform makes it easy for businesses to improve the security awareness of their workforce by eradicating risky behaviors and teaching employees how to recognize, avoid, and report threats. The platform also includes a phishing simulator to test employees’ skills at identifying phishing attempts with training content automatically generated in response to simulation failures.
Technical defenses are also important to prevent employees from visiting malicious websites. The WebTitan DNS filter is a powerful tool for carefully controlling access to websites. WebTitan blocks access to all known malicious sites and can be configured to block certain file downloads from the Internet, such as MSIX installers. TitanHQ’s SpamTitan cloud-based spam filter and the PhishTitan anti-phishing solution provide cutting-edge protection against phishing attempts. The engine that powers these solutions has been independently tested and demonstrated to block 100% of known malware. SpamTItan also includes email sandboxing for identifying malware by its behavior, in addition to twin antivirus engines for blocking known malware, and machine learning capabilities to detect novel phishing threats.
To find out more about improving your defenses against malvertising, drive-by downloads, phishing, and other cyber threats, give the TitanHQ team a call. All TitanHQ solutions are also available on a free trial to allow you to put them to the test before making a purchase decision.