Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Hello again, FakeBat: popular loader returns after months-long hiatus

Nov. 11, 2024, 9:55 a.m.

Description

FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site. FakeBat's payload is the LummaC2 stealer, which is injected into MSBuild.exe via process hollowing. The loader uses obfuscation techniques and the RastaMouse AMSI bypass script. This incident highlights the ongoing threat of malvertising and brand impersonation in Google ads, demonstrating how threat actors can quickly revert to proven methods of malware distribution.

Date

Published: Nov. 11, 2024, 9:50 a.m.

Created: Nov. 11, 2024, 9:50 a.m.

Modified: Nov. 11, 2024, 9:55 a.m.

Indicators

de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019

6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db

34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de

2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a

http://furliumalerer.site/1.jar

notion.ramchhaya.com

tamedgeesy.sbs

thinkyyokej.sbs

solomonegbe.com

rottieud.sbs

slippyhost.cfd

repostebhu.sbs

relalingj.sbs

ghf-gopp1rip.com

furliumalerer.site

explainvees.sbs

ducksringjk.sbs

brownieyuz.sbs

utd-gochisu.com

Attack Patterns

FakeBat

LummaC2

FakeBat

T1218.005

T1055.012

T1573.001

T1204.001

T1059.001

T1071.001

T1036.005

T1027