Fakebat

Malware Profile Updated 24 days ago
FakeBat is a malware loader that has been involved in malvertising campaigns since at least November 2022, according to an early 2023 Intel471 report. It reaches victims through suspicious downloads, emails, or websites. Unlike conventional malware strains, FakeBat is delivered as MSIX installers bundled with heavily obfuscated PowerShell code, which sets it apart as a threat.

It is distributed via deceptive ads for popular software downloads, often disguised as legitimate Zoom download sites such as z00nn.one-platform-to-connect[.]group, info-zoomapp[.]com, and others. The malware is downloaded from URLs like youstorys[.]com/fonts/Zoom-x64.msix and windows-rars[.]shop/bootstrap/Zoom-x64.msix, among others. The FakeBat loader has been observed in various malvertising campaigns, often paired with the Atomic Stealer malware. It communicates with its command and control (C2) server at 2311foreign[.]xyz. In one campaign, the threat actor tracked victims using a newly identified panel, Hunting panel 1.40. An open directory on the same domain revealed the location of the Windows payload, an MSI installer (FakeBat), and the Mac payload (Atomic Stealer).

Sophos linked FakeBat with infostealers such as Redline, Ursnif, and Rhadamanthys in a July 2023 report. In recent weeks, FakeBat malvertising campaigns have used two types of ad URLs and impersonated many different brands. Its continued presence poses a significant threat to businesses. Malwarebytes has been tracking this malware family closely, documenting its activities in several blog posts. Despite ongoing mitigation efforts, FakeBat remains a potent adversary because of its tactics and heavy use of obfuscated code.
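The profile above quotes its indicators in defanged form (the `[.]` notation). The following is an added example, not part of the Cybergeist profile or any vendor's tooling, showing how a defender would refang those indicators and sweep web-proxy logs for them. The log format, the client addresses, the `cdn.example` host and the `apps.microsoft.com` allowlist entry are all constructed assumptions for the demonstration; the indicator strings themselves are copied from the profile.

```python
"""Refang the FakeBat indicators quoted in the profile and match them
against constructed proxy log lines (added example, not vendor code)."""
import re
from urllib.parse import urlsplit

# Indicators exactly as the profile above defangs them.
FAKEBAT_DEFANGED = [
    "z00nn.one-platform-to-connect[.]group",
    "info-zoomapp[.]com",
    "youstorys[.]com/fonts/Zoom-x64.msix",
    "windows-rars[.]shop/bootstrap/Zoom-x64.msix",
    "2311foreign[.]xyz",
]


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def indicator_host(ioc: str) -> str:
    """Host part of a refanged indicator, whether it is a bare domain or a
    scheme-less URL such as 'youstorys[.]com/fonts/Zoom-x64.msix'."""
    plain = refang(ioc)
    if "://" not in plain:
        plain = "http://" + plain
    return (urlsplit(plain).hostname or "").lower()


KNOWN_HOSTS = {indicator_host(i) for i in FAKEBAT_DEFANGED}

# Constructed proxy log lines: "<client> <method> <url> <status>".
# These are not real traffic; only hosts from the profile are real indicators.
SAMPLE_LOG = """\
10.0.0.12 GET https://zoom.us/download 200
10.0.0.12 GET https://info-zoomapp.com/download.html 200
10.0.0.12 GET https://youstorys.com/fonts/Zoom-x64.msix 200
10.0.0.12 POST https://2311foreign.xyz/gate.php 200
10.0.0.33 GET https://apps.microsoft.com/some-app.msix 200
10.0.0.33 GET https://cdn.example/installers/Zoom-x64.msix 200
10.0.0.45 GET https://www.example.org/ 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def scan(log_text: str, msix_allowlist=frozenset({"apps.microsoft.com"})):
    """Return one hit per log line that either contacts a known FakeBat host
    or fetches an MSIX package from a host outside the (assumed) allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than guess
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        path = parts.path.lower()
        if host in KNOWN_HOSTS:
            hits.append({"client": m["client"], "host": host,
                         "reason": "known FakeBat indicator"})
        elif path.endswith(".msix") and host not in msix_allowlist:
            hits.append({"client": m["client"], "host": host,
                         "reason": "MSIX download from non-allowlisted host"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']}  {hit['host']:<32} {hit['reason']}")
```

The second rule is deliberately broader than the indicator list: because the profile describes the loader as an MSIX installer posing as a Zoom download, an MSIX fetched from any host outside a small, reviewed allowlist is worth triage even when the domain is not yet on a blocklist.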
Miscellaneous Associations
Other elements of context that could aid in identifying relevance: Malware, Malvertising, Windows, Payload, Loader
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Fakebat malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 5 months ago | Atomic Stealer rings in the new year with updated version | Malwarebytes
Malwarebytes | 5 months ago | Malvertisers zoom in on cryptocurrencies and initial access | Malwarebytes
CERT-EU | 2 months ago | The Surge of FakeBat Malware in Search-Based Malvertising Campaigns
CERT-EU | 7 months ago | Fake KeePass site uses Google Ads and Punycode to push malware
CERT-EU | 3 months ago | FakeBat delivered via several active malvertising campaigns | Malwarebytes
Malwarebytes | 5 months ago | PikaBot distributed via malicious search ads | Malwarebytes
Malwarebytes | 2 months ago | New Go loader pushes Rhadamanthys stealer | Malwarebytes
CERT-EU | 7 months ago | New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU | 7 months ago | Google ads push malicious CPU-Z app from fake Windows news site
CERT-EU | 5 months ago | Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 10 months ago | New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
CERT-EU | 7 months ago | Malvertising attack uses Punycode character to spread malware through a fake "KeePass" website
Malwarebytes | 5 months ago | New MetaStealer malvertising campaigns | Malwarebytes
CERT-EU | 5 months ago | Cyber Security Week In Review: January 12, 2024
Malwarebytes | 7 months ago | Clever malvertising attack uses Punycode to look like KeePass's official website
CERT-EU | 3 months ago | One year later, Rhadamanthys is still dropped via malvertising | Malwarebytes
CERT-EU | 5 months ago | Updated Atomic Stealer malware emerges
CERT-EU | 7 months ago | Google-Hosted Malvertising Leads To Fake Keepass Site That Looks Genuine - Slashdot