Resurgence of Fakebat Malware Loader Detected in Ads
Quick take - On November 8, 2024, cybersecurity experts reported a resurgence of the malware loader Fakebat, identified through a malicious Google advertisement for the productivity application Notion, highlighting ongoing challenges in cybersecurity and the risks posed by brand impersonation in online advertising.
Fast Facts
- On November 8, 2024, cybersecurity experts detected a resurgence of the Fakebat malware loader, previously linked to malicious ads for applications like Notion and Calendly.
- The malicious ad for Notion appeared at the top of Google search results, using a cloaking domain and a tracking template to redirect users to a decoy site.
- Fakebat employs advanced techniques, including an AMSI bypass script and obfuscation via .NET Reactor, to evade detection and deliver the LummaC2 data stealer.
- Security researchers emphasize the importance of vigilance, as malicious advertisements continue to pose significant risks to user security and exploit trusted brands.
- Recommended security solutions, such as those from Malwarebytes, are crucial for mitigating risks and removing existing malware associated with such threats.
Resurgence of Fakebat Malware Loader Detected
On November 8, 2024, cybersecurity experts identified a resurgence of the malware loader known as Fakebat, also referred to as Eugenloader or PaykLoader. This resurgence was detected through a malicious Google advertisement for the productivity application Notion, marking a significant re-emergence of Fakebat, which had not been recorded since July 25, 2024. In the previous instance, Fakebat was linked to a malicious ad for Calendly.
Ongoing Cybersecurity Challenges
The recent discovery underscores ongoing challenges in cybersecurity, as web browsers and search engines continue to be common entry points for malware delivery. The malicious ad for Notion appeared at the top of Google search results, designed to look authentic with the official Notion logo and website. However, the ad employed a tracking template known as smart.link and used a cloaking domain, solomonegbe[.]com, to redirect users to a decoy site, notion[.]ramchhaya[.]com. This tactic allowed criminals to impersonate trusted brands and evade detection.
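The decoy in this chain puts the brand name in a subdomain of an unrelated registrable domain (notion[.]ramchhaya[.]com rather than notion.so). The following is an added detection example, not code from the original article or from the researchers it cites; the brand allow-list, the proxy-log line format and the sample lines are constructed assumptions.

```python
# Added example: flag proxy-log hostnames that carry a trusted brand name as a
# label while sitting outside that brand's official registrable domain.
# Brand list, official domains, log format and log lines are constructed.
from urllib.parse import urlsplit

# Hypothetical allow-list: brand keyword -> official registrable domains.
BRAND_DOMAINS = {
    "notion": {"notion.so", "notion.site"},
    "calendly": {"calendly.com"},
}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the TLDs in this example.
    A production check should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(host: str):
    """Return the impersonated brand when a brand keyword appears in any label
    of a host that is not under that brand's official domain, else None."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    for brand, official in BRAND_DOMAINS.items():
        if reg in official:
            continue  # legitimate brand domain, e.g. www.notion.so
        if any(brand in label for label in host.split(".")):
            return brand
    return None

def scan_proxy_log(lines):
    """Return (client_ip, host, brand) for every request to a lookalike host.
    Constructed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than abort the scan
        host = urlsplit(parts[3]).hostname or ""
        brand = brand_lookalike(host)
        if brand:
            hits.append((parts[1], host, brand))
    return hits

# Constructed lines mirroring the ad -> tracker -> cloaker -> decoy chain.
SAMPLE_LOG = [
    "2024-11-08T10:00:01Z 10.0.0.5 GET https://www.notion.so/ 200",
    "2024-11-08T10:02:10Z 10.0.0.7 GET https://smart.link/abc 302",
    "2024-11-08T10:02:11Z 10.0.0.7 GET https://solomonegbe.com/landing 302",
    "2024-11-08T10:02:12Z 10.0.0.7 GET https://notion.ramchhaya.com/download 200",
]
```

Only the final hop is flagged, which is the point: the tracker and cloaking hosts carry no brand keyword, so the decoy hostname is the most reliable place to catch this pattern in web proxy or DNS telemetry.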
Analysis and Recommendations
The ad was displayed across various geographic locations, as noted in Google's Ads Transparency Center. Security researchers, including RussianPanda and Squiblydoo, analyzed the Fakebat installer and identified an AMSI bypass script dating from April 2024 that the threat actors reused. The loader is obfuscated with .NET Reactor and relies on PowerShell scripts during its initial stages. After extracting the payload, Fakebat drops the LummaC2 stealer, which is designed to compromise user data.
Indicators of compromise associated with this threat include the malicious ads and the Fakebat command-and-control (C2) infrastructure. Specific malicious URLs related to the LummaC2 payload have also been noted. Security solutions from companies like Malwarebytes are recommended to mitigate the risks posed by such threats and to assist in removing existing malware. Despite a recent decrease in loaders distributed via malvertising, the Fakebat incident exemplifies how malicious advertisements can resurface, posing significant risks to user security. Threat actors exploit brand impersonation through platforms like Google Ads, underscoring the ongoing need for vigilance in cybersecurity practices.