CTI Roundup: FakeBat Loader-as-a-Service, ESET H1 2024 Threat Report

This week, CTI provides an update on FakeBat loader, including its top distribution methods and adversary infrastructure. CTI also breaks down the key findings from ESET’s recent threat report from the first half of 2024.

1. FakeBat Loader-as-a-Service malware spreads via multiple chains

Sekoia has observed several different FakeBat campaigns so far in 2024. Its latest report dives into the different distribution methods and infrastructure components they have discovered.

According to Sekoia, FakeBat loader was one of the most far-reaching loaders in the first quarter of 2024 to leverage drive-by downloading. The loader was typically used to launch a next-stage payload like Lumma, RedLine, and others.

FakeBat on cybercriminal forums

FakeBat was first observed on an underground forum in December 2022 when it was advertised and sold as a loader-as-a-service in the Exploit forum. It advertised as a loader malware in MSI format with various anti-detection capabilities. The loader also gives its users an admin panel to generate and manage their campaigns.

Actors distributing FakeBat

Sekoia has identified multiple FakeBat infection chains that they believe correspond to several different customers of the MaaS.

They also identified several campaigns that pose as popular software including 1Password, Chrome, Microsoft Teams, Zoom, VMware, and many others. The actors behind these campaigns are using Google Ads to make these malicious websites appear at the top of the page. When a victim clicks on one of these malicious sites, they are led to a page that closely resembles the legitimate website. A button on the page will redirect the user and result in the download of a signed MSIX file, aka FakeBat.

Threat actors are also compromising WordPress sites to trick users into believing their Chrome browser needs an update. As of June 2024, Sekoia identified more than 250 compromised websites that result in the download of FakeBat.

A third means of distribution was observed in May 2024 which targeted the web3 community. In this cluster of activity, the malware was distributed as a fake web3 chat application. The threat actor used websites, verified social media accounts, and promotional videos to increase the sense of legitimacy of their application. This activity was a little different than others because it required an invitation code to be downloaded.

Adversary infrastructure

Sekoia was able to uncover a decent amount of adversary infrastructure associated with FakeBat campaigns. They believe that the recent FakeBat C2 servers are likely to “filter traffic based on characteristics such as the user-agent value, the IP address, and the location” which allows the operator to have very strategic and tailored targeting. Researchers have also compiled a list of FakeBat C2 servers and hosting domains that are believed to be owned by FakeBat operators.

Analyst comments from Tanium’s Cyber Threat Intelligence team

There are so many MaaS offerings out there that it can be hard to keep track of which ones pose the biggest threat. As one of the most widespread loaders to use the drive by technique in 2024, FakeBat is certainly worth paying attention to.

The fact that this malware is also only being sold to a limited number of users makes it even more impressive, given that it has had far reaching consequences. FakeBat seems to be distributed in a multitude of ways which is likely the result of different actors using the malware. That said, it’s likely that its distribution methods will continue to evolve as threat actors continually seek out new techniques.

2. Key findings from ESET’s threat report

ESET has released its threat report for the first half of 2024. The report covers threat trends from December 2023 to May 2024 based on ESET’s telemetry.

Some of the observed trends include an increase in infostealing malware impersonating generative AI tools and a decrease in Android threats.

Android threats are declining

ESET saw a decrease in Android threat detections during the first half of the year. This decrease comes as a slight surprise as Android threats often increase around seasonal events.

Even with this decrease, Android malware is continuing to evolve. An example of this is seen with the GoldPickaxe malware that targets both Android and iOS. The Android version is distributed on websites that pretend to be the Google Play store. The actor behind this malware is believed to be an organized Chinese-speaking group referred to as GoldFactory.

ESET has also observed an evolution in Android financial threats. Some of the tactics in recent Android malware attacks include misusing Android accessibility services, leveraging automated systems to transfer funds without authorization, and bypassing 2FA.

Linux threats

In its report, ESET analyzed at a specific Linux threat referred to as Operation Windigo. This operation leverages the Ebury malware family which has been around for roughly 10 years and continues to remain a threat.

Ebury is an OpenSSH backdoor and credential stealer and serves as the core of a cluster of server-side threats. The malware often goes after crypto wallets, leveraging its existence in data centers across the world to conduct adversary-in-the-middle attacks.

AI threats

It’s no surprise that there were several recorded attacks that involved AI in some way during the first half of the year. ESET observed several instances in which the names of AI models were used as lures to deliver malware. An example of this was seen when they observed a malicious installer browser extension that claimed to be a desktop app for AI, but instead downloaded malware.

Web threats

The exploitation of WordPress plugin vulnerabilities continued to be a threat over the last six months. Most notably, threat actors are leveraging the Balada Injector and JS/Agent family.

Infostealers and downloaders

Infostealers also continue to be a top concern, with threat actors increasingly using them to target gaming companies and gamers. Popular infostealers for the past few months include RedLine and Lumma among others.

Downloaders have started to switch up their methods of delivery, seeing a 10% increase in downloader numbers over the past few months. Threats relying on macros also increased during this time, even though macros are blocked by default by Microsoft.

Analyst comments from Tanium’s Cyber Threat Intelligence team

It’s important to keep in mind that these trends are based on a particular entity’s telemetry and are not indicative of the entire landscape. However, many of ESET’s trends align with other industry studies and their report is an interesting read.

What’s also interesting is the breakdown of the different ways downloaders are being delivered, as actors start to find new avenues to evade detection. For example, we are starting to see a decline in the use of HTML. Some of the ones we see commonly reported, link LNK and VBS, did not account for as large of a percentage as we assumed.

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum and start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.