Hello again, FakeBat: popular loader returns after months-long hiatus
Nov. 11, 2024, 9:55 a.m.
Description
FakeBat, a loader previously known as Eugenloader and PaykLoader, has resurfaced after a three-month absence. The malware was distributed through a malicious Google ad impersonating the productivity application Notion. The attack chain involves a tracking template, cloaking domain, and a decoy site. FakeBat's payload is the LummaC2 stealer, which is injected into MSBuild.exe via process hollowing. The loader uses obfuscation techniques and the RastaMouse AMSI bypass script. This incident highlights the ongoing threat of malvertising and brand impersonation in Google ads, demonstrating how threat actors can quickly revert to proven methods of malware distribution.
Date
Published: Nov. 11, 2024, 9:50 a.m.
Created: Nov. 11, 2024, 9:50 a.m.
Modified: Nov. 11, 2024, 9:55 a.m.
Indicators
de64c6a881be736aeecbf665709baa89e92acf48c34f9071b8a29a5e53802019
6341d1b4858830ad691344a7b88316c49445754a98e7fd4a39a190c590e8a4db
34c46b358a139f1a472b0120a95b4f21d32be5c93bc2d1a5608efb557aa0b9de
2de8a18814cd66704edec08ae4b37e466c9986540da94cd61b2ca512d495b91a
http://furliumalerer.site/1.jar
notion.ramchhaya.com
tamedgeesy.sbs
thinkyyokej.sbs
solomonegbe.com
rottieud.sbs
slippyhost.cfd
repostebhu.sbs
relalingj.sbs
ghf-gopp1rip.com
furliumalerer.site
explainvees.sbs
ducksringjk.sbs
brownieyuz.sbs
utd-gochisu.com
Attack Patterns
FakeBat
LummaC2
T1218.005
T1055.012
T1573.001
T1204.001
T1059.001
T1071.001
T1036.005
T1027