FakeBat delivered via several active malvertising campaigns

February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling.
We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection.
One malware family we have been tracking on this blog is FakeBat.
It is very unique in that the threat actor uses MSI installers packaged with heavily obfuscated PowerShell code.
For weeks, the malvertiser helping to distribute this malware was abusing the same URL shortener services which may have made the attack somewhat predictable.
We saw them experimenting with new redirectors and in particular leveraging legitimate websites to bypass security checks.
Another interesting aspect is the diversity of the latest campaigns.
For a while, we saw the same software brands being impersonated over and over again.
With this latest wave of FakeBat malvertising, we are seeing many different brands being targeted.
During the past several weeks, FakeBat malvertising campaigns used two kinds of ad URLs.
As observed in other malvertising campaigns, they were abusing URL/analytics shorteners which are ideal for cloaking.
That practice enables a threat actor to use a 'good' or 'bad' destination URL based on their own defined parameters.
In the most recent malvertising campaigns we see the threat actor abusing legitimate websites that appear to have been compromised.
There are currently several campaigns running including OneNote, Epic Games, Ginger and even the Braavos smart wallet application.
A number of those malicious domains can be found on Russian-based hoster DataLine.
FakeBat continues to be a threat to businesses via malicious ads for popular software downloads.
The malware distributors are able to bypass Google's security checks and redirect victims to deceiving websites.
It is as important to defend against the supporting infrastructure as the malware payloads.
That is not always easy since legitimate websites may be used to defeat domain blocklists.
As always, blocking ads at the source via system policies such as ThreatDown DNS Filter, remains one the most effective ways to stop malvertising attacks in their tracks.


This Cyber News was published on www.malwarebytes.com. Publication date: Tue, 12 Mar 2024 23:44:28 +0000


Cyber News related to FakeBat delivered via several active malvertising campaigns

The Surge of FakeBat Malware in Search-Based Malvertising Campaigns - In recent months, cybersecurity researchers have observed a concerning surge in search-based malvertising campaigns, with documented incidents nearly doubling compared to previous periods. Amidst this uptick in online threats, one particular malware ...
7 months ago Cysecurity.news
FakeBat delivered via several active malvertising campaigns - February was a particularly busy month for search-based malvertising with the number of incidents we documented almost doubling. We saw similar payloads being dropped but also a few new ones that were particularly good at evading detection. One ...
7 months ago Malwarebytes.com
Cybersecurity Awareness Campaigns in Education - Cybersecurity awareness campaigns in education are essential to protect digital systems and information. The target audience for cybersecurity awareness campaigns in education includes students, teachers, administrators, and other staff members. ...
10 months ago Securityzap.com
Fake KeePass site uses Google Ads and Punycode to push malware - A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware. Google has been battling with ongoing malvertising campaigns that allow ...
11 months ago Bleepingcomputer.com
Malvertisers zoom in on cryptocurrencies and initial access - While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks. The threat actors are using a number of ...
10 months ago Malwarebytes.com
New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers - A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising ...
11 months ago Thehackernews.com
Avoid high cyber insurance costs by improving Active Directory security - Insurance broker and risk advisor Marsh revealed that US cyber insurance premiums rose by an average of 11% in the first quarter of 2023, and Delinea reported that 67% of survey respondents said their cyber insurance costs increased between 50% and ...
7 months ago Bleepingcomputer.com
FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection - An ongoing malvertising campaign is being used to distribute virtualized. NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion ...
1 year ago Thehackernews.com
Fighting Ursa Aka APT28: Illuminating a Covert Campaign - Early this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in Microsoft Outlook. During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public. Unit 42 ...
11 months ago Unit42.paloaltonetworks.com
Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns - On January 3, 2024, Mandiant's X social media account was taken over and subsequently used to distribute links to a cryptocurrency drainer phishing page. The following blog post provides additional insight into the drainer leveraged in this campaign, ...
9 months ago Mandiant.com
CVE-2009-3874 - Integer overflow in the JPEGImageReader implementation in the ImageI/O component in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to execute arbitrary ...
6 years ago
Five Eyes Agencies Put Focus on Active Directory Threats - Security Boulevard - Cybersecurity agencies in the United States and other countries are urging organizations to harden the security around Microsoft’s Active Director (AD) solution, which has become a prime target of hackers looking to compromise enterprise networks. ...
1 month ago Securityboulevard.com
How to manage a migration to Microsoft Entra ID - Microsoft Entra ID, formerly Azure Active Directory, is not a direct replacement for on-premises Active Directory due to feature gaps and alternative ways to perform similar identity and access management tasks. For some organizations, a move to ...
10 months ago Techtarget.com
Pikabot Malware Surfaces As Qakbot Replacement for Black Basta Attacks - A threat actor associated with Black Basta ransomware attacks has been wielding a new loader similar to the notoriously hard-to-kill Qakbot, in a widespread phishing campaign aimed at gaining entry to organization networks for further malicious ...
9 months ago Darkreading.com
Why the Keitaro TDS keeps causing security headaches - A software company named Keitaro has long been labeled by cybersecurity vendors as a legitimate traffic distribution system vendor, yet the company's product is repeatedly used for malicious activity by cybercriminals. Despite being described as a ...
6 months ago Techtarget.com
DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals - Vietnam-based cybercriminals are believed to be behind to attacks using DarkGate malware, which have targeted organizations in the UK, US and India since 2018. WithSecure researchers have tracked these attacks to an active cluster of cybercriminals ...
11 months ago Infosecurity-magazine.com
Active Directory Infiltration Methods Employed by Cybercriminals - Active Directory infiltration methods exploit vulnerabilities or weaknesses in Microsoft's Active Directory to gain unauthorized access. Active Directory is a central component in many organizations, making it a valuable target for attackers seeking ...
10 months ago Gbhackers.com
See How Our Cloud-Delivered Security Services Provide 357% ROI - Investing in Palo Alto Networks Cloud-Delivered Security Services provided a 357% return on investment and net present value of $10.04 million over 3 years, along with a 6-month payback period, according to a recently released Forrester Consulting ...
7 months ago Paloaltonetworks.com
macOS Malware Mix & Match: North Korean APTs Stir Up Fresh Attacks - North Korean advanced persistent threat groups are mixing and matching components of two recently unleashed types of Mac-targeted malware to evade detection and fly under the radar as they continue their efforts to conduct operations at the behest of ...
11 months ago Darkreading.com
China-Sponsored Attackers Target 40K Corporate Users in 90 Days - Three novel credential-phishing campaigns have emerged from state-sponsored actors that have compromised at least 40,000 corporate users - including top-level executives - in just three months' time, researchers have found. The attacks target a range ...
4 months ago Darkreading.com
BattleRoyal Cluster Signals DarkGate Surge - Security researchers have warned against the DarkGate threat actor, who has recently gained notoriety in the realm of remote access Trojans and loaders. Earlier today, Proofpoint confirmed it has been tracking a distinct operator of the DarkGate ...
10 months ago Infosecurity-magazine.com
Unit 42 Collaborative Research With Ukraine's Cyber Agency To Uncover the Smoke Loader Backdoor - This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006. The SCPC SSSCIP has identified Smoke Loader as a prominent type of ...
7 months ago Unit42.paloaltonetworks.com
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors - Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising campaign promoting malicious websites themed around unclaimed funds. In each investigation under this campaign, Mandiant identified browser ...
10 months ago Mandiant.com
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet, that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for ...
5 months ago Microsoft.com
Hackers Stolen Over $58 Million Crypto Via Malicious Google Ads - Threat actors targeting crypto wallets for illicit transactions have been in practice for quite some time. Threat actors have been using Wallet Drainers for such cybercrime activities, which have seen great success in recent years. Several techniques ...
10 months ago Gbhackers.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)