Hackers have recently exploited Google search ads to spread malware via MSI (Microsoft Installer) packages, using the FakeBat malware loader. The attack begins with a seemingly legitimate Google search ad, which uses real website addresses of popular software like Notion to lure users. When users click on the ad, they are redirected to a lookalike site hosted at a deceptive URL resembling the genuine site, prompting them to download what appears to be a standard software installer in MSIX format, signed under the name “Forth View Designs Ltd.” Upon executing the installer, a hidden malicious PowerShell script is activated, which connects to the FakeBat command and control server to download a secondary payload known as zgRAT.
This sophisticated campaign utilizes a click tracker service to manage the ad’s effectiveness and filter out unwanted traffic, enhancing the stealth of the attack. Once the malware is installed, the PowerShell script reaches out to the FakeBat C2 server, dictating subsequent actions, including the deployment of the zgRAT payload. This process involves bypassing local security measures and injecting zgRAT directly into system processes, thereby taking control of the infected machine. Cybersecurity firm ThreatDown has blocked the C2 server used in this campaign and documented the attack’s progression from the initial MSIX execution to the final payload deployment.
Organizations are advised to use Endpoint Detection and Response (EDR) systems to monitor and block such malicious activities. They should also restrict or control the use of MSIX files through group policies and distribute software installers via an internal company repository to mitigate the risks associated with malicious ads. This incident underscores the ongoing threats posed by malvertising and the increasing sophistication of cyber threats. Vigilance and advanced security measures are crucial to protect against these deceptive and damaging attacks.
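The EDR monitoring advice above can be made concrete with a small detection rule. The following is an added example, not code from the page or from ThreatDown: it scans Sysmon-style process-creation events (assumed field names `EventID`, `Image`, `ParentImage`, `CommandLine`, `Signature`) for the chain the article describes, a script host launched by an MSIX package running out of the packaged-app directory, with a hidden window, or a binary signed under the publisher name the page reports. The sample events are constructed.

```python
# Detection sketch for the FakeBat-style MSIX -> hidden PowerShell chain.
# Field names follow Sysmon Event ID 1 (process creation); adapt to your EDR schema.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Program Files\WindowsApps\NotionSetup_1.0.0.0_x86__example\Notion.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "Notion.exe",
     "Signature": "Forth View Designs Ltd."},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\NotionSetup_1.0.0.0_x86__example\Notion.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File setup.ps1",
     "Signature": "Microsoft Windows"},
    {"EventID": 1,  # benign: user opened PowerShell from the shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe",
     "Signature": "Microsoft Windows"},
]

# MSIX-packaged apps execute from this directory on Windows.
WINDOWSAPPS_DIR = r"c:\program files\windowsapps"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FLAGGED_SIGNERS = {"forth view designs ltd."}  # signer named in the article


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event.get("EventID") != 1:
        return reasons
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if parent.startswith(WINDOWSAPPS_DIR) and basename(event.get("Image", "")) in SCRIPT_HOSTS:
        reasons.append("script host spawned by a packaged (MSIX) app")
        if "-windowstyle hidden" in cmdline or " -w hidden" in cmdline:
            reasons.append("hidden window requested")
    if event.get("Signature", "").lower() in FLAGGED_SIGNERS:
        reasons.append("binary signed by flagged publisher")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every event that trips at least one rule."""
    return [(e.get("Image", ""), r) for e in events if (r := classify(e))]
```

Run `scan(SAMPLE_EVENTS)`: the first two constructed events are flagged, the interactive PowerShell launch is not.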
Indicators of compromise include the fake Notion website (notilion[.]co), the FakeBat installer (hxxps[://]sivaspastane[.]com/Notion-x86[.]msix), and several C2 domains and hosts associated with zgRAT. Users and organizations must remain alert to these threats, employing robust security protocols to safeguard their networks.