Fakebat

Malware updated 4 months ago (2024-05-04T19:46:16.337Z)
FakeBat is a malware loader that has appeared in malvertising campaigns since at least November 2022, according to an early 2023 Intel471 report. It reaches victims through suspicious downloads, emails, or websites. Unlike most loaders, FakeBat is packaged as an MSIX installer bundled with heavily obfuscated PowerShell code. It is distributed through deceptive ads for popular software downloads, frequently posing as legitimate Zoom download sites such as z00nn.one-platform-to-connect[.]group and info-zoomapp[.]com, with the installer fetched from URLs like youstorys[.]com/fonts/Zoom-x64.msix and windows-rars[.]shop/bootstrap/Zoom-x64.msix, among others.

The FakeBat loader has been observed in several malvertising campaigns, often paired with the Atomic Stealer malware, and communicates with its command-and-control (C2) server at 2311foreign[.]xyz. In one campaign the threat actor tracked victims with a newly identified panel, Hunting panel 1.40; an open directory on the same domain exposed both the Windows payload, an MSI installer (FakeBat), and the Mac payload (Atomic Stealer). Sophos linked FakeBat with infostealers such as RedLine, Ursnif, and Rhadamanthys in a July 2023 report.

In recent weeks, FakeBat malvertising campaigns have used two types of ad URLs and targeted many different brands, and its continued presence poses a significant risk to businesses. Malwarebytes has been tracking this malware family closely and has documented its activity in several blog posts. Despite ongoing mitigation efforts, FakeBat remains a potent adversary because of its tactics and heavy reliance on obfuscated code.
Description last updated: 2024-03-22T22:15:28.432Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description

Atomic Stealer Amos (2 votes): Atomic Stealer (AMOS) is a software vulnerability specifically designed to target macOS devices. Discovered by Malwarebytes in September 2023, this flaw was propagated through a cybercriminal campaign that exploited malicious ads to spread the malware to Mac users. The malware was also distributed v

Atomic Stealer (2 votes): Atomic Stealer is a type of malware designed to exploit and damage computer systems, particularly those operating on macOS. It infects systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Malvertising
Windows
Payload
Loader
Source Document References
Information about the FakeBat malware was read from the document corpus below (display limited to 20 results).
Source (created): title

Malwarebytes (8 months ago): Atomic Stealer rings in the new year with updated version
Malwarebytes (6 months ago): New Go loader pushes Rhadamanthys stealer | Malwarebytes
CERT-EU (6 months ago): The Surge of FakeBat Malware in Search-Based Malvertising Campaigns
CERT-EU (6 months ago): FakeBat delivered via several active malvertising campaigns | Malwarebytes
CERT-EU (a year ago): Fake KeePass site uses Google Ads and Punycode to push malware
CERT-EU (a year ago): Malvertising attack uses Punycode character to spread malware through a fake "KeePass" website
CERT-EU (10 months ago): Google ads push malicious CPU-Z app from fake Windows news site
CERT-EU (a year ago): New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
CERT-EU (a year ago): Google-Hosted Malvertising Leads To Fake Keepass Site That Looks Genuine - Slashdot
CERT-EU (8 months ago): Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Malwarebytes (9 months ago): New MetaStealer malvertising campaigns | Malwarebytes
Malwarebytes (9 months ago): PikaBot distributed via malicious search ads | Malwarebytes
Malwarebytes (9 months ago): Malvertisers zoom in on cryptocurrencies and initial access | Malwarebytes
Malwarebytes (a year ago): Clever malvertising attack uses Punycode to look like KeePass's official website
CERT-EU (10 months ago): New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers
CERT-EU (6 months ago): One year later, Rhadamanthys is still dropped via malvertising | Malwarebytes
CERT-EU (8 months ago): Cyber Security Week In Review: January 12, 2024
CERT-EU (8 months ago): Atomic Stealer rings in the new year with updated version | Malwarebytes
CERT-EU (8 months ago): Updated Atomic Stealer malware emerges